Category Archives: Security Awareness

Beware of This Apple iPhone Password Phishing Scam

ios security phishing

Apple’s iPhone customers could potentially fall victim to a scam that would see them unwittingly hand over their Apple ID credentials.

Security researcher Felix Krause on Tuesday published a proof-of-concept that shows how easy it is for hackers to replicate the familiar “Sign In to iTunes Store” Apple prompt on the iPhone and steal a user’s password. According to Krause, developers can turn on an alert inside their apps that look identical to the legitimate pop-up requesting a user’s credentials. If the person inputs the password, the malicious app owner could steal the information and users wouldn’t even know they were targeted.

“Users are trained to just enter their Apple ID password whenever iOS prompts you to do so,” Krause wrote in a blog post. “However, those popups are not only shown on the lock screen, and the home screen, but also inside random apps, e.g. when they want to access iCloud, GameCenter or In-App-Purchases. This could easily be abused by any app.”

Apple ID alerts are common fare in a typical day using the iPhone. They come up when users want to make an app purchase or when account content, like iCloud data, needs to be accessed. Apple’s legitimate pop-ups display information and then request users input their Apple ID passwords to proceed.

According to Krause, any app developer can create an identical pop-up, and he was able to do just that as part of his research. Users, then, would be hard-pressed to determine whether it was a legitimate password request or one that could leave their credentials open for theft.

Still, Krause said that users can protect themselves by never inputting passwords into pop-ups and instead going into the iPhone’s Settings menu and do it there to ensure it’s a legitimate request. He also suggests clicking the home button when a pop-up is displayed. If the home button closes the app, it was a phishing scam, but if the pop-up remains, it’s a real Apple request.

Looking ahead, Krause believes the best way to fix the problem is by Apple making some tweaks to the way apps ask for Apple ID passwords. Rather than use pop-ups, he says, Apple should ask users to open the Settings app and input their credentials there, thereby eliminating the apps from the process altogether.

(source: http://fortune.com/2017/10/10/apple-iphone-password-phishing-scam/)

Take Fordham’s Cyber Security Awareness training.

 

 

Do you know the latest solutions for lowering your risk of getting hacked? Find out by taking our free, self-paced online Cyber Security Awareness training. It can be found under “My Organizations” in Blackboard, accessed at fordham.blackboard.com.

  • Stay informed.
    • Visit our website: itsecurity.blog.fordham.edu
    • We will be sure to keep you in the know with trends and possible breaches.
    • Follow us on social media as well for quick informative updates!
      • Twitter – @FordhamSecureIT
      • Facebook – @FordhamSecureIT

Other reputable news sources also include cyber security resources.

Such as

Just to name a few.

  • Find a source you trust and visit it frequently.

Detailed information regarding Identity Theft scams and other IT security topics are available on our IT Security website at: www.fordham.edu/SecureIT or from our blog at fordhamsecureit.blogspot.com

If you have any questions or concerns, please contact IT Customer Care at (718) 817-3999 or via email to: HelpIT@fordham.edu.

 

Monitor all your accounts for suspicious activity.

  • Keep an eye on the activity on all of your accounts.
    • Review your bank statement and make sure there haven’t been any purchase or debits you don’t recognize.
    • Check your trash in your email accounts, hackers will delete login notifications, but not all of them think to empty the trash as well.
    • Have amazon or something similar? Check your order history and make sure there isn’t anything there you didn’t order.
    • Social media? Check your DM’s and make sure there aren’t any messages there you haven’t sent.
    • Go into your settings and check that things are still as you set them up.
    • Verify security questions are the same.
    • If there is a recovery email that it is the one you use.
    • If you get spam emails, flag them so your email provider can update their information and to keep your mail box clean.

Detailed information regarding Identity Theft scams and other IT security topics are available on our IT Security website at: www.fordham.edu/SecureIT or from our blog at fordhamsecureit.blogspot.com

If you have any questions or concerns, please contact IT Customer Care at (718) 817-3999 or via email to: HelpIT@fordham.edu.

Be wary of tech support scams, cold calls or web browser popups.

  • Most scams use tech support chats or messages with an 800 number to get your attention.
    • If the hacker is using the chat, they may try to convince you they need your IP address to help you diagnose and remedy your device. Giving up this information would allow the hackers full access to your computer.
    • If you receive a pop up message requesting immediate action, remember your computers security system may ask you to update software or run a scan, it wouldn’t request your login information or that you call to speak to someone.
    • If you aren’t sure if the pop up is legitimate or not call your security provider directly, use a phone number you have for them and not one that may appear in the pop up.

 

  • If you get an unexpected phone call or text message requesting immediate action, ignore it!
    • Again similar to the pop ups your provider wouldn’t be contacting you unless you initiated contact.
    • Hang up if you get a call requesting immediate action, or requesting you go online and allow the tech to remotely connect to your system.
    • If you receive a text message with a phone number, do not call that number.
    • Again if you want to be sure your device is safe, contact your security provider directly.

If you believe you received a call that is a scam, report it!

Reports about fraudulent calls and pop ups can be made at

Ftc.gov/complaint

For more information and tips on safety visit:

Federal Trade Commission

https://www.consumer.ftc.gov/articles/0557-tech-support-scams-infographic

Microsoft

https://blogs.microsoft.com/on-the-issues/2017/05/18/fight-tech-support-scams/

Important info from this article

“Microsoft will never proactively reach out to you to provide unsolicited PC or technical support. Any communication we have with you must be initiated by you.

Do not call the number in a pop-up window on your device. Microsoft’s error and warning messages never include a phone number.

Never give control of your computer to a third party unless you can confirm that it is a legitimate representative of a computer support team with whom you are already a customer.”

–Gregoire, Courtney

Detailed information regarding Identity Theft scams and other IT security topics are available on our IT Security website at: www.fordham.edu/SecureIT or from our blog at fordhamsecureit.blogspot.com

If you have any questions or concerns, please contact IT Customer Care at (718) 817-3999 or via email to: HelpIT@fordham.edu.

Identity Protection Tips

 

One of the easiest things you can do to protect yourself is create a strong password. We’ve all struggled with meeting the criteria for some passwords (8 characters, one number, ect); however the sites that request these types of passwords are protecting their users by ensuring secure passwords.

  • Passphrases are the in!
    • As technology continues to grow and expand, so do the hackers and their abilities. Simply hashing your password isn’t enough anymore (h@$h1n6 P@55w0rd$) hackers have developed software that will help them crack passwords that use these characters.
    • Instead come up with a passphrase that consist of four or more unrelated words.
      • For example: PumpkinKartMineLoft. Simple words that the user can remember, but would be incredibly hard for a program to crack. 
  • If you’re worried you won’t be able to remember a phrase, then try hashing your password in different ways.
  • Try to avoid the common uses for special characters, instead try to use a varied combination of numeric and alphabetic characters.
    • If your password is elevator, try entering it as E13va70R

So what we did was capitalize the E then use the numbers 1 and 3 for the l and the next e we kept the v and capitalized the a then changed the t for a 7 the o for a zero and capitalized the r. This is just an example, play around with combinations that you are comfortable with and can remember.  Mixing up the alpha and numeric characters, along with capitalization can help keep your accounts safe.

  • Use two factor authentication whenever possible.
  • Some sites offer this additional protection which will require you enter and additional piece of information or have access to another piece of equipment.

For more insight and stats visit https://xkcd.com/936/

Detailed information regarding Identity Theft scams and other IT security topics are available on our IT Security website at: www.fordham.edu/SecureIT or from our blog at fordhamsecureit.blogspot.com

If you have any questions or concerns, please contact IT Customer Care at (718) 817-3999 or via email to: HelpIT@fordham.edu.

 

Guard Yourself Against Identity Theft

Protecting your identity while online is one of the biggest steps you can take to prevent yourself from being a target of a cyber-attack or identity theft.  While many of us may think it won’t happen to me, or why would anyone want to steal my identity? Hackers are equal opportunity and will search for vulnerable users to exploit. Here are a few simple tips to lower your risks.

  • Don’t over share.
    • Things such as your date of birth, children’s, or pet’s names can be used to try to determine your password.
    • Vary your user names, while it may be hard to remember them all for different sites it will ensure if one account is compromised they won’t all be.
    • Try to avoid user names that give up too much information as well. Avoid using your email handle as your user name, while it may help you keep track, again if the account is compromised now your email address may be compromised as well.
    • Consider having two separate email addresses. One you use strictly for banking and other financial needs, the other for social media and shopping.
      • This could help identify a phishing email, if say you get a message about your bank or credit card account, and it’s linked to a different email address.
  • Be selective with who you add on your social media sites.
    • If you aren’t personally familiar with the person sending the request you may wish to ignore or deny that request.
      • Many hackers/scammers use social media to try to either scam users into sending them money or to hack their account to get the users contact info, as well as the contact for their friends.
  • Use different passwords for each site.
    • Having different user name and password combinations will help keep your accounts protected.
      • This would be especially helpful for your online banking accounts or credit card accounts.

Detailed information regarding Identity Theft scams and other IT security topics are available on our IT Security website at: www.fordham.edu/SecureIT or from our blog at fordhamsecureit.blogspot.com

If you have any questions or concerns, please contact IT Customer Care at (718) 817-3999 or via email to: HelpIT@fordham.edu.

Dont Fall for Scare Tactics!

(Photo from – http://www.telugunow.com/news-headlines/ransomware-effect-companies-hyderabad-320479.html)

Hackers hope their victims are uninformed and easily persuaded, because that’s the perfect recipe for success in their business. If users don’t know what to look out for, they can easily be baited into downloading malware, or giving up confidential information.

  • Don’t feel forced to into immediate action.
  • If you receive a suspicious email that is threating and requiring immediate action, take a moment to decide what your next step should be.
  • Is this an email about your banking or credit card account?
  • Then you should contact that institution directly, by phone whenever possible.
  • Is this a message saying that you have a virus on your system?
  • Perhaps you should run your antivirus software scan.
  • Taking a few moments to assess the situation and make your own decision can really make a difference and keep your accounts safe.
  • Many times your account or device hasn’t been compromised, and the hacker is leading you to a link that will compromise your account/device.
  • Remember that hovering over a link will show you its true destination. This is a good way to verify website.
  • Do not download any attachments included in any suspicious emails or use links provided within the body of the email to visit a suggested website.

Detailed information regarding phishing scams and other IT security topics are available on our IT Security website at: www.fordham.edu/SecureIT or from our blog at fordhamsecureit.blogspot.com

If you have any questions or concerns, please contact IT Customer Care at (718) 817-3999 or via email to: HelpIT@fordham.edu.

Cyber Criminals Are After Your Information

One of the most valuable currencies on the internet is information, and there are attackers dedicated to accruing it around the clock. Shared below are some of more commonly used techniques.

Pharming

Pharming is also referred to as Domain Name System (DNS) poisoning. Pharming modifies a system’s host files or domain name system to automatically redirect users to a fake URL or website, even if the user enters the correct web address or uses a bookmarked page. When successful, this form of phishing can collect the desired information with the user none the wiser as they have navigated to legitimate website.

Content Injection

Content Injection phishing is similar to pharming in that it uses a legitimate website to compromise the user’s personal information. The difference being that the hack/malware is added to the back end of a legitimate website instead of the user’s device. With this type of phishing, the hacker is able to mislead and redirect the user to get them to give up their personal information.

These two forms of phishing may be a little harder to detect without the proper tools

Man-in-the-Middle Attacks

Man-in-the-middle (MitM) attacks occur when a hacker sets up between the user and the websites they are trying to use, like an online banking site or even social networking page. They then take the users’ information as it’s being entered, making it harder to detect this type of phish.

 

Search Engine Phishing

Search engine phishing is executed by hackers creating malicious webpages. They often contain enticing offers and attempt to get users to click on the page, when it is pulled up as a result from a search engine query. It’s important to pay attention to the web addresses you are being directed to in order to avoid being tricked into providing your personal information.

Stay Protected

  • Use anti-virus and spyware software
  •  Antivirus and spyware software is sometimes underrated. Having the software on all of your devices can seriously reduce the risk of pharming and content injection phishing schemes.
  • Make sure all of your programs, apps, and tools are up to date.
  • When updates are pushed they ensure that vulnerabilities are detected and patched, and if the updates aren’t installed, it can put your device(s) at risk.

Detailed information regarding phishing scams and other IT security topics are available on our IT Security website at: www.fordham.edu/SecureIT or from our blog at fordhamsecureit.blogspot.com

If you have any questions or concerns, please contact IT Customer Care at (718) 817-3999 or via email to: HelpIT@fordham.edu.

 

 

 

Yahoo says all three billion accounts hacked in 2013 data theft

(Reuters) – Yahoo on Tuesday said that all 3 billion of its accounts were hacked in a 2013 data theft, tripling its earlier estimate of the size of the largest breach in history, in a disclosure that attorneys said sharply increased the legal exposure of its new owner, Verizon Communications Inc (VZ.N).

The news expands the likely number and claims of class action lawsuits by shareholders and Yahoo account holders, they said. Yahoo, the early face of the internet for many in the world, already faced at least 41 consumer class-action lawsuits in U.S. federal and state courts, according to company securities filing in May.

John Yanchunis, a lawyer representing some of the affected Yahoo users, said a federal judge who allowed the case to go forward still had asked for more information to justify his clients’ claims.

“I think we have those facts now,” he said. “It’s really mind-numbing when you think about it.”

Yahoo said last December that data from more than 1 billion accounts was compromised in 2013, the largest of a series of thefts that forced Yahoo to cut the price of its assets in a sale to Verizon.

Yahoo on Tuesday said “recently obtained new intelligence” showed all user accounts had been affected. The company said the investigation indicated that the stolen information did not include passwords in clear text, payment card data, or bank account information.

But the information was protected with outdated, easy-to-crack encryption, according to academic experts. It also included security questions and backup email addresses, which could make it easier to break into other accounts held by the users.

Many Yahoo users have multiple accounts, so far fewer than 3 billion were affected, but the theft ranks as the largest to date, and a costly one for the internet pioneer.

Verizon in February lowered its original offer by $350 million for Yahoo assets in the wake of two massive cyber attacks at the internet company.

Some lawyers asked whether Verizon would look for a new opportunity to address the price.

“This is a bombshell,” said Mark Molumphy, lead counsel in a shareholder derivative lawsuit against Yahoo’s former leaders over disclosures about the hacks.

Verizon did not respond to a request for comment about any possible lawsuit over the deal.

Verizon, the likely main target of legal actions, also could be challenged as it launches a new brand, Oath, to link its Yahoo, AOL and Huffington Post internet properties.

In August in the separate lawsuit brought by Yahoo’s users, U.S. Judge Lucy Koh in San Jose, California, ruled Yahoo must face nationwide litigation brought on behalf of owners accounts who said their personal information was compromised in the three breaches. Yanchunis, the lawyer for the users, said his team planned to use the new information later this month to expanding its allegations.

Also on Tuesday, Senator John Thune, chairman of the U.S. Senate Commerce Committee, said he plans to hold a hearing later this month over massive data breaches at Equifax Inc (EFX.N) and Yahoo. The U.S. Securities and Exchange Commission already had been probing Yahoo over the hacks.

The closing of the Verizon deal, which was first announced in July, had been delayed as the companies assessed the fallout from two data breaches that Yahoo disclosed last year. The company paid $4.48 billion for Yahoo’s core business.

A Yahoo official emphasized Tuesday that the 3 billion figure included many accounts that were opened but that were never, or only briefly, used.

The company said it was sending email notifications to additional affected user accounts.

The new revelation follows months of scrutiny by Yahoo, Verizon, cybersecurity firms and law enforcement that failed to identify the full scope of the 2013 hack.

The investigation underscores how difficult it was for companies to get ahead of hackers, even when they know their networks had been compromised, said David Kennedy, chief executive of cybersecurity firm TrustedSEC LLC.

Companies often do not have systems in place to gather up and store all the network activity that investigators could use to follow the hackers’ tracks.

“This is a real wake up call,” Kennedy said. “In most guesses, it is just guessing what they had access to.”

Source: https://www.reuters.com/article/us-yahoo-cyber/yahoo-says-all-three-billion-accounts-hacked-in-2013-data-theft-idUSKCN1C82O1

Have you heard of Spear and Whale Phishing?

Spear Phishing

(Photo from – https://oxen.tech/blog/spear-phishing-new-twist-old-scam/)

Spear Phishing is really what it sounds like, a directly pointed attack. The attackers gather as much information as they can from the internet to build a more personalized, and believable attack.

  

(Photo from – http://resources.infosecinstitute.com/category/enterprise/phishing/spear-phishing-and-whaling/#gref)

 Whaling

Whaling is a specific form of spear phishing, in which the attacker goes after a high-profile target associated with a business, or government entity.  These victims may include but are not limited to senators, CEO’s, and those with access to company’s finances.

  • Pay close attention to the emails you receive.
  • Look for spelling and grammatical errors. Hover over URLS to reveal the destination of the link. Also hover over the links at the bottom of the email, many times these may look functional but are not.
  • If you’re being requested to verify personal information (name, D.O.B, or SSN) don’t use any forms provided in the email. Visit the home page for the business instead and check your account that way, or call customer service for more information when possible.
  • Businesses can avoid whale phishing by simply implementing a specific stationary for their emails directed to their employees. Making it easier to spot a spoofed email.

Detailed information regarding phishing scams and other IT security topics are available on our IT Security website at: www.fordham.edu/SecureITor from our blog at fordhamsecureit.blogspot.com

If you have any questions or concerns, please contact IT Customer Care at (718) 817-3999 or via email to: HelpIT@fordham.edu.