Category Archives: Security Awareness

Phishing Scams Now Harder to Detect

Via: Krebs On Security

Not long ago, phishing attacks were fairly easy for the average Internet user to spot: Full of grammatical and spelling errors, and linking to phony bank or email logins at unencrypted (http:// vs. https://) Web pages. Increasingly, however, phishers are upping their game, polishing their copy and hosting scam pages over https:// connections — complete with the green lock icon in the browser address bar to make the fake sites appear more legitimate.

Phishers are moving to HTTPS because it helps increase the likelihood that users will trust that the site is legitimate. After all, your average Internet user has been taught for years to simply “look for the lock icon” in the browser address bar as assurance that a site is safe.

Perhaps this once was useful advice, but if so its reliability has waned over the years. In November, Phishlabs conducted a poll to see how many people actually knew the meaning of the green padlock that is associated with HTTPS websites.

“More than 80% of the respondents believed the green lock indicated that a website was either legitimate and/or safe, neither of which is true,” he wrote.

What the green lock icon indicates is that the communication between your browser and the Web site in question is encrypted; it does little to ensure that you really are communicating with the site you believe you are visiting.

So what can you do to make sure you’re not the next phishing victim?

Don’t take the bait: Most phishing attacks try to convince you that you need to act quickly to avoid some kind of loss, cost or pain, usually by clicking a link and “verifying” your account information, user name, password, etc. at a fake site. Emails that emphasize urgency should be always considered extremely suspect, and under no circumstances should you do anything suggested in the email.

Phishers count on spooking people into acting rashly because they know their scam sites have a finite lifetime; they may be shuttered at any moment. The best approach is to bookmark the sites that store your sensitive information; that way, if you receive an urgent communication that you’re unsure about, you can visit the site in question manually and log in that way. In general, it’s a bad idea to click on links in email.

Links Lie: You’re a sucker if you take links at face value. For example, this might look like a link to Bank of America, but I assure you it is not. To get an idea of where a link goes, hover over it with your mouse and then look in the bottom left corner of the browser window.

Yet, even this information often tells only part of the story, and some links can be trickier to decipher. For instance, many banks like to send links that include ridiculously long URLs which stretch far beyond the browser’s ability to show the entire thing when you hover over the link.

The most important part of a link is the “root” domain. To find that, look for the first slash (/) after the “http://” part, and then work backwards through the link until you reach the second dot; the part immediately to the right is the real domain to which that link will take you.

“From” Fields can be forged: Just because the message says in the “From:” field that it was sent by your bank doesn’t mean that it’s true. This information can be and frequently is forged.

If you want to discover who (or what) sent a message, you’ll need to examine the email’s “headers,” important data included in all email.  The headers contain a lot of information that can be overwhelming for the untrained eye, so they are often hidden by your email client or service provider, each of which may have different methods for letting users view or enable headers.

Describing succinctly how to read email headers with an eye toward thwarting spammers would require a separate tutorial, so I will link to a decent one already written at About.com. Just know that taking the time to learn how to read headers is a useful skill that is well worth the effort.

Keep in mind that phishing can take many forms: Why steal one set of login credentials for a single brand when you can steal them all? Increasingly, attackers are opting for approaches that allow them to install a password-snarfing Trojan that steals all of the sensitive data on victim PCs.

So be careful about clicking links, and don’t open attachments in emails you weren’t expecting, even if they appear to come from someone you know. Send a note back to the sender to verify the contents and that they really meant to send it. This step can be a pain, but I’m a stickler for it; I’ve been known to lecture people who send me press releases and other items as unrequested attachments.

If you didn’t go looking for it, don’t install it: Password stealing malware doesn’t only come via email; quite often, it is distributed as a Facebook video that claims you need a special “codec” to view the embedded content. There are tons of variations of this scam. The point to remember is: If it wasn’t your idea to install something from the get-go, don’t do it.

Lay traps: When you’ve mastered the basics above, consider setting traps for phishers, scammers and unscrupulous marketers. Some email providers — most notably Gmail — make this especially easy.

When you sign up at a site that requires an email address, think of a word or phrase that represents that site for you, and then add that with a “+” sign just to the left of the “@” sign in your email address. For example, if I were signing up at example.com, I might give my email address as krebsonsecurity+example@gmail.com. Then, I simply go back to Gmail and create a folder called “Example,” along with a new filter that sends any email addressed to that variation of my address to the Example folder.

That way, if anyone other than the company I gave this custom address to starts spamming or phishing it, that may be a clue that example.com shared my address with others (or that it got hacked!). I should note two caveats here. First, although this functionality is part of the email standard, not all email providers will recognize address variations like these. Also, many commercial Web sites freak out if they see anything other than numerals or letters, and may not permit the inclusion of a “+” sign in the email address field.

View the full article.

Critical macOS High Sierra Update

Apple has released a security update resolving the widely reported authentication bug known as iAmRoot. The UISO recommends that Apple computers running High Sierra (macOS 10.13.x) install this security update.

Due to its critical nature, Apple has deployed this as an automatically-installing update. However, it is still recommended to check for this and any other pending security updates.

The process to update is:

  • Click the  logo in the Taskbar
  • Click App Store
  • Click Updates
  • Install any security related updates shown
    • The recommended patch is Security Update 2017-001

Please do not hesitate to to contact infosec@fordham.edu with any questions.

Sources:

US-Cert: Apple Releases Security Update for macOS High Sierra

New security update fixes macOS root bug

Holiday Shopping 2017: How to avoid fake retail sites and other scams

Via: USAToday.com

1) Stop chasing any and all deals

“We live in an age where we have all these push notifications and emails,” said Steve Koenig, senior director of market research at the Consumer Technology Association, a trade group in Arlington, Va.

The volume of such activity during the holidays, he said, only makes consumers even more vulnerable to clicking on a $100 coupon before thinking twice.

“We’re all moving super fast, we get distracted,” said Tim Helming, director of product management at DomainTools.

When we’re rushing, we might not notice that the website in an email has an odd name.

Brands that continue to be spoofed include Amazon,Walmartand Target. Other brands that are commonly targeted include PayPal, Yahoo and Apple.

Helming told me that consumers need to be wary of fake sites that play up the “Black Friday” frenzy. Dozens of malicious domain registrations that touted a Black Friday connection cropped up last year beginning around Nov. 20, and he’d expect the same this year, too.

2) Learn how to spot a fake

Watch out for a domain decorated with a few extra, possibly even reassuring words or odd spellings. DomainTools listed some brand-abusing domains that have a dot-com at the end but they’re still frauds, such as Amazonsecure-shop, Target-officialsite or  Walmartkt.

Other fakes include: Amazonshop.gq or Targethome.today or Walmart-outlet.ga.

Helming said domains that include a hyphen and words such as shop or secure can be good clues to a phony site, as many brand names use their names alone for their sites.

Other words in a fake URL site that appears to be connected to a well-known name might be something like outlet, discounts or deals.

Many times, the fraudsters use words like “official site” to make their fake sites look legitimate. Or there might be extra letters, such as “Yahooo” or “Walmaart.”

Take care on social media. Phishers can use of “URL shortening” services to obfuscate phishing URLs. As a result a very short URL, can be used in Tweets, which automatically redirect the visitor to a longer “hidden” URL, according to the Anti-Phishing Working Group’s research.

3) Recognize the risks of rushing

Consumers who click on the links or visit malicious sites are typically unknowingly handing over their name, address, and credit card information.

Never click on links in emails or social media to go to a retailer’s website. A better bet: Take a few extra seconds to go directly to the site yourself. Be sure to take a second look at all URLs.

4) Ask yourself why would Amazon be sending you a free gift card? Really?

Yes, one of those free $50 Amazon gift cards popped up in my email the other day. Of course, it’s a spoofed email. So I just hit delete.

Amazon is warning consumers that phishing emails will direct you to a “false website that looks similar to the Amazon website, where you might be asked to provide account information such as your e-mail address and password combination.”

The fake sites can steal sensitive information that can be used without your knowledge to commit fraud, according to Amazon.

Phishers can steal usernames and passwords from one site to engage in fraud on other sites. Too many consumers carelessly use the exact same usernames and passwords across different sites.

Amazon doesn’t send emails that ask for your Social Security number, bank account information, PIN, or your Amazon.com password.

Amazon offers shoppers a way to report suspicious emails and web pages. You can forward the email or send suspicious e-mail as an attachment to stop-spoofing@amazon.com.

More: Are 2017’s Black Friday deals really as amazing as retailers claim?

More: How to find hard-to-get, out-of-stock gifts without getting ripped off

5) As you order gifts online, don’t get tripped up by fake email alerts

As holiday shipping goes up in November and December, the frequency of phishing emails relating to orders or shipments goes up, too.

Walmart warns that if you received an order confirmation email from Walmart but never placed such an order, it may be a “phishing scam attempting to gather information, or in some cases, spread malware.”

FedEx warns consumers about a  “delivery failure” scam email.

Fraudulent emails claiming to be from FedEx or the U.S. Postal Service “regarding a package that could not be delivered.”

The consumer is then asked to open an attachment in order to obtain the invoice needed to pick up their package. The attachment in the email may contain a virus.

Don’t just rush and assume there’s trouble with something that you ordered.

“Be suspicious of incoming email from unknown or unsolicited sources, especially those that have attachments as well as hyperlinks,” said Jeremy Stempien, detective for the City of Novi, Mich., and a special federal deputy marshal for the Southeast Michigan Financial Crimes Task Force.

“The same should apply to incoming phone calls,” he said.

6) Every deal you find online is not a bargain

Con artists tempt consumers with great deals on hard-to-find items or hot gifts. Maybe you’ll spot some extraordinary deal on an Apple iPhone X or find a crazy bargain price on an L.O.L. Surprise! Big Surprise toy.

Or you think you’ve found a great deal on jewelry. The Better Business Bureau and others warned in 2017, for example, about fake sites that offer up to 70% off on Pandora charms.

Charisse Ford, chief marketing officer for Pandora Americas, said shoppers should be aware that counterfeit sites have some clear indicators, including the “About Us” page that can be very generic without descriptions about the business, company mission or current Pandora images or promotions.

Another clue: Try calling and talking with someone in customer service first before placing an order to ask about return policies or the like. Shoppers are less likely to connect with a real person if going through a fraudulent site.

Companies such as Pandora note that they work hard to help identify and shut down counterfeit sites, including those on social media channels.

Con artists use phony websites to sell counterfeit goods — or engage in cybercrime.

It’s no bargain if, when you click on the link, you download malware.

“You think you are getting the discount of a lifetime or an exclusive offer, but this is a phishing attack,” warned Adam Levin, author of Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves.

Remember, bargains abound throughout the holiday season — so there’s no reason to think you absolutely must get all that shopping done right now.

 

Source: https://www.usatoday.com/story/money/columnist/tompor/2017/11/17/fake-amazon-gift-cards-phony-walmart-sites-and-other-cyber-scams-tempt-holiday-shoppers/862083001/

New Email Scam Using Fake Netflix Website

Via: mailguard.com.au

A scam email has appeared today that is pretending to be from Netflix. MailGuard detected the new scam early this morning, and stopped the malicious emails from entering our client’s inboxes.

This scam email is relatively well designed. The scammers are using a template system to generate individualised messages with specific recipient data.

This works like a mail-merge; the body of the email is generic, but the sender field is designed to show the name of the intended victim, which personalises the scam making it more convincing.

In this case the scammer’s system has not worked as well as they hoped and in the example below – screen-captured by our operations team – you can see that the ‘recipient’ field in the email has not been merged successfully. Instead of the victim’s name, it shows the placeholder instead:

 

Screen Shot 2017-11-03 at 11.23.26-1.png

Aside from the error with the recipient name field, this email looks quite convincing. The message tells the intended victim that their Netflix billing information has been invalidated and urges them to update their details on the website. If the recipient clicks the link in the email they are taken to a fake Netflix page, that asks them to log in and then enter their personal information, including credit card details.

Of course, this website is completely bogus and is just a mechanism for the scammers to steal the victim’s identity and credit card information.

The fake Netflix site this scam is using is built on a compromised WordPress blog. Scammers can break into WordPress sites by making use of vulnerabilities in blog plugins and once in, they can make the website look enough like a real Netflix login page to trick their victims – as shown in the screenshot above.

Screen Shot 2017-11-03 at 11.24.52.png

Screen Shot 2017-11-03 at 11.25.22.png

With the detailed data the fake website form asks for: address; credit card details; driver’s license; mother’s maiden name; etc, the scammers could potentially execute an identity theft and gain access to the victim’s bank accounts as well as their credit cards.

Once the fake website has collected all the sensitive data the scammers want, the victim is shown a reassuring ‘reactivation’ screen.

Screen Shot 2017-11-03 at 11.26.15.png

If you receive an email from Netflix today, ‘Chill,’ but don’t click without thinking first. Scammers can make their fake emails and bogus websites look pretty convincing, so it’s always a good idea to check carefully that the email comes from the actual company domain and not a scammer.

Think Before You Click:

– Always hover your mouse over links within emails and check the domain they’re pointing to. If they look suspicious or unfamiliar don’t open them.

– Cybersecurity threats take many different forms from simple spyware downloads to sophisticated ransomware attacks. Your business can be exposed to a wide variety of different vectors: through peripherals; USB devices; networks; attachments; etc. Security best practice recommends a layered defence strategy to protect users against web threats and malware.

Encrypt your mobile devices.

Encrypt your mobile devices.

(Photo from – http://www.androidauthority.com/how-to-encrypt-android-device-326700/)

Encrypting important files on your desktop, laptop, or mobile device will ensure that if the device is compromised, the hacker won’t be able to read these important files.

  • To encrypt your files on Mac visit: http://www.hongkiat.com/blog/encrypt-mac-folder/
    • This site will walk you through the process of encrypting your files.
  • An alternative to encrypting your mobile device would be to keep all personal information off of the device.
    • Limiting the amount of confidential information on your cellphone can greatly reduce the risk of being compromised if the device is lost or stolen.

Detailed information regarding device security and other IT security topics are available on our IT Security website at: www.fordham.edu/SecureIT or from our blog at fordhamsecureit.blogspot.com

If you believe your device has been infected or compromised, please contact IT Customer Care at (718) 817-3999 or HelpIT@fordham.edu

 

 

Strong passwords (or phrases) can keep you safe.

Strong passwords (or phrases) can keep you safe.

(Photo from – https://thehackernews.com/2016/07/best-password-manager.html)

Many of us have taken cyber security trainings that encourage us to use special characters such as the @ symbol for an “a” or $ for an “S”, however cyber-criminals have developed technology that can help them crack passwords that use these tactics.

  • Consider a passphrase instead.
    • Passphrases are a series of unrelated words that are being used in place of our traditional passwords ( 8 characters 1 capital and special character).
    • For your passphrase to be strong and secure be sure to use at least 4 unrelated words.
    • ILoveYorkiePuppies can still be cracked if the cyber-criminal has done their homework.
  • Too many passwords, and not enough memory?
    • Consider using a reputable password manager.
    • These services allow you to store your information for several sites securely
    • There are several options available, as with any software there are free and paid versions available.
    • Do your homework and find one youll feel confident using.
  • A few highly rated free versions include:

Detailed information regarding device security and other IT security topics are available on our IT Security website at: www.fordham.edu/SecureIT or from our blog at fordhamsecureit.blogspot.com

If you believe your device has been infected or compromised, please contact IT Customer Care at (718) 817-3999 or HelpIT@fordham.edu

Keep your mobile device safe!

Keep your mobile device safe!

(Photo from – https://www.thompsoncoburn.com/insights/blogs/cybersecurity-bits-and-bytes/post/2016-09-28/the-serious-security-vulnerabilities-of-mobile-devices)

  • Don’t think you’re device is safe from cyber-attacks or criminals.
    • Mobile devices are just as susceptible to the same types of attacks.
    • Including malware and phishing.
  • Use the same security on your mobile device as you would your personal or business computer.
    • Use a strong password
    • Passphrases are strong and hard to crack, use 4 or more unrelated words to create a difficult password for your device.
    • Such as PumpkinMovieCarStar
    • Alternate the letters you capitalize for additional protection, or add a special character as well.
    • It may take longer to log in, but it will ensure your device is secure
  • If you have a newer mobile device fingerprint recognition as well as facial recognition may be available.
    • Using these options allow you to unlock your device quickly, while ensuring it can’t be accessed by another party.
    • When using fingerprint recognition remember it allows you to store more than one print. Consider using one finger on each hand for ease of use.
  • If it connects to the internet, it should be protected.
    • Tablets, iPads, and net books can also be compromised.
    • Password protect these devices, encrypt important data on them
    • Do not save your user names and passwords on them.
    • Consider a password management system
    • Do not download applications from untrusted sites.
  • If your device has been compromised contact Fordham IT.
    • Contact Fordham IT and provide them as much information as you can.
    • Fordham IT will work with public safety and local law enforcement to help you attempt to recover your files and protect you from future attacks.

Detailed information regarding device security and other IT security topics are available on our IT Security website at: www.fordham.edu/SecureIT or from our blog at fordhamsecureit.blogspot.com

If you believe your device has been infected or compromised, please contact IT Customer Care at (718) 817-3999 or HelpIT@fordham.edu.

 

Additional steps to say protected.

(Photo from – http://everhelperblog.com/new-nimbus-note-iphone-manual-note-encryption/ )

Ransomware, and malware like other types of cyber-attacks can be prevented with regular maintenance and vigilance. 

  • Back up your files
    • Set your system to do regular backups of your important information.
    • Don’t forget to back up your mobile devices as well. Including tablets, iPads, and cell phones.
  • Encrypt your files whenever you can
  • Be sure to patch and update all of your software.
    • Your software providers are constantly working to keep your OS and applications running smoothly, this includes patches to close up vulnerabilities.
  • If you suspect any suspicious activity, or believe you may have downloaded a malicious file.
    • Disconnect from the internet, this way no other devices are affected on the network.
    • Contact Fordham IT and provide them as much information as you can.
    • Fordham IT will work with public safety and local law enforcement to help you attempt to recover your files and protect you from future attacks.

Detailed information regarding Ransomware or Malware scams and other IT security topics are available on our IT Security website at: www.fordham.edu/SecureIT or from our blog at fordhamsecureit.blogspot.com

If you have any questions or concerns, please contact IT Customer Care at (718) 817-3999 or via email to: HelpIT@fordham.edu.

 

Don’t pay the Ransom!

If you find that your device has been compromised, and a cyber-criminal is demanding a ransom to release the files or access to your device, DON’T PAY IT.

  • Payment does not guarantee the return of your files.
    • Many cyber-criminals that use ransomware also have their version of helpdesks, which will work with victims to try to convince them to pay the ransom.
    • In some instances they will even release some of the files in a show of “good faith”, yet this alone will not ensure you will get all of your files released, or that they won’t demand more money.
  • Paying the ransom will basically fund their next attack.
    • Often times the amount the cyber-criminals are requesting doesn’t seem as high as expected, however this is because realistically if a home computer is compromised and the requested ransom is $300.00 it’s more likely the victim can and will pay.
    • Funds they receive are used to increase their reach and power.
    • Cyber-criminals rely on their scare tactics to try to get victims to pay.
    • Requesting immediate action gives the user the feeling that they have a limited amount of time to comply with request, or even that they have a limited amount of time to recover their files.
    • Keep in mind that as the cyber-criminals grow with technology, so does law enforcement.
  • If your device has been compromised contact Fordham IT.
    • Contact Fordham IT and provide them as much information as you can.
    • Fordham IT will work with public safety and local law enforcement to help you attempt to recover your files and protect you from future attacks.
  • Remember that prevention is the best medicine for all things cyber security.
    • Use antivirus
    • Keep your OS and Antivirus up to date
    • Run regular scans
    • Don’t open suspicious emails (unfamiliar senders, special offers, unexpected request)
    • Don’t download suspicious attachments

Detailed information regarding Ransomware or Malware scams and other IT security topics are available on our IT Security website at: www.fordham.edu/SecureIT or from our blog at fordhamsecureit.blogspot.com

If you have any questions or concerns, please contact IT Customer Care at (718) 817-3999 or via email to: HelpIT@fordham.edu.

What is Malware?

Malware is a malicious software that is intended to disable certain files or the entire device it is attached to. There are different types of malware programs that each attack your device differently with the same end game, to infect your device, and hopefully others before you notice you’ve been compromised.

  • Trojan Horse Viruses
    • Similar to the Trojan Horse in the story of Troy, these viruses come in disguised as a legitimate program, and proceed to infect the system.
    • Once on the system Trojans can create a backdoor that can allow a cyber-criminal access to your device, which would in turn give them access to your personal information (SSN, and banking info). Trojans differ in that they do not reproduce by infecting other files, they also do not self-replicate.
  • Viruses
    • Are named for the way they spread, much like the flu, a virus can spread from user to user, but in order to replicate it depends on a host file. Meaning it needs to be downloaded to the device with the file the cyber-criminal created, so that it has access to the malicious code.
    • The goal of the virus is to alter the way the infected device operates. Some of the results include damaging the systems hardware and destroying data.
  • Worms
    • Are a version of malware that is self-replicating, unlike a traditional virus worms do not need to be controlled by a cyber-criminal, and do not rely on any additional computer applications for function.
    • The goal of a worm is to spread malicious code, exploit vulnerabilities, and spread across networks.
  • Pay attention when you’re opening emails
    • Often times we breeze through because we want to clear out inbox, but taking an extra minute to read the senders information and the subject line can keep you proceeded
  • If you don’t know the sender, don’t open the email or download any attachments.
    • Even if the sender is someone you’re familiar with or do business with, pay attention to the subject line, senders email address, and body of the email. Look for spelling mistakes, hover over any URLS to see where they will take you (DO NOT CLICK ON ANY SUSPICIOUS LINKS) and if possible contact the sender to verify the contents of the email.

Detailed information regarding Ransomware and Malware scams and other IT security topics are available on our IT Security website at: www.fordham.edu/SecureIT or from our blog at fordhamsecureit.blogspot.com

If you have any questions or concerns, please contact IT Customer Care at (718) 817-3999 or via email to: HelpIT@fordham.edu.