
Alert: Tragic Event Related Scams

Via: US-CERT

“In the wake of Sunday’s tragic event in Las Vegas, US-CERT warns users to be watchful for various malicious cyber activity targeting both victims and potential donors. Users should exercise caution when handling emails that relate to the event, even if those emails appear to originate from trusted sources. Event-related phishing emails may trick users into sharing sensitive information. Such emails could also contain links or attachments directing users to malware-infected websites. In addition, users should be wary of social media pleas, calls, texts, fraudulent donation websites, and door-to-door solicitations relating to the recent tragic event.

To avoid becoming victims of fraudulent activity, users and administrators should consider taking the following preventive measures:

Source: https://www.us-cert.gov/ncas/current-activity/2017/10/03/Tragic-Event-Related-Scams

Article: Chrome and Firefox Phishing Attack Uses Domains Identical to Known Safe Sites

A phishing attack is when an attacker sends you an email that contains a link to a malicious website. You click on the link because it appears to be trusted. Merely visiting the website may infect your computer or you may be tricked into signing into the malicious site with credentials from a site you trust. The attacker then has access to your username, password and any other sensitive information they can trick you into providing.

This variant of a phishing attack uses Unicode to register domains that look identical to real domains. These fake domains can be used in phishing attacks to fool users into signing into a fake website, thereby handing over their login credentials to an attacker.

This affects the current version of the Chrome browser, which is version 57.0.2987, and the current version of Firefox, which is version 52.0.2. This does not affect Internet Explorer or Safari browsers.

As you can see both of these domains appear identical in the browser but they are completely different websites. One of them was registered by us, today. Our epic.com domain is actually the domain https://xn--e1awd7f.com/ but it appears in Chrome and Firefox as epic.com.

The real epic.com is a healthcare website. Using our Unicode domain, we could clone the real epic.com website, then start emailing people and try to get them to sign into our fake healthcare website, which would hand over their login credentials to us. We may then have full access to their healthcare records or other sensitive data.

We even managed to get an SSL certificate for our demonstration attack domain from LetsEncrypt. Getting the SSL certificate took us 5 minutes and it was free. By doing this we received the word ‘Secure’ next to our domain in Chrome and the little green lock symbol in Firefox.

How to fix this in Firefox:

In your firefox location bar, type ‘about:config’ without quotes.
Do a search for ‘punycode’ without quotes.
You should see a parameter titled: network.IDN_show_punycode
Change the value from false to true.
Now if you try to visit our demonstration site you should see:

Can I fix this if I use Chrome?

Currently we are not aware of a manual fix in Chrome for this. Chrome has already released a fix in their ‘Canary’ release, which is their test release. This should be released to the general public within the next few days.

Until then, if you are unsure if you are on a real site and are about to enter sensitive information, you can copy the URL in the location bar and paste it into Notepad or TextEdit on Mac. It should appear as the https://xn--….. version if it is a fake domain. Otherwise it will appear as the real domain in its unencoded form if it is the real thing.
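The manual check above (copy the URL and look for the xn-- form) can be automated. The following is an added example and not code from the Wordfence article: it decodes each xn-- label back to what the browser renders and flags labels whose letters all have ASCII look-alikes, or that mix scripts. The Cyrillic look-alike table is a constructed subset of the Unicode TR39 confusables, and the script detection is a coarse approximation taken from Unicode character names.

```python
import unicodedata

# Cyrillic letters that render like ASCII letters in common fonts: a small
# constructed subset of the Unicode TR39 confusables list, not from the article.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}

def decode_label(label: str) -> str:
    """Turn one DNS label from its ASCII (xn--) form into what a browser renders."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def letter_scripts(label: str) -> set:
    """Scripts of the letters in a label, read off the Unicode character names."""
    scripts = set()
    for ch in label:
        if not ch.isalpha():
            continue
        scripts.add("LATIN" if ch.isascii()
                    else unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts

def latin_lookalike(label: str):
    """If every non-ASCII character has an ASCII twin, return the ASCII string it mimics."""
    if label.isascii():
        return None
    twins = [ch if ch.isascii() else CYRILLIC_LOOKALIKES.get(ch) for ch in label]
    return None if None in twins else "".join(twins)

def check_host(host: str) -> dict:
    """Report the rendered form of a hostname and the reasons it may be a homograph."""
    rendered = [decode_label(l) for l in host.rstrip(".").lower().split(".")]
    reasons = []
    for lab in rendered:
        scripts = letter_scripts(lab)
        if len(scripts) > 1:
            reasons.append(f"mixed scripts {sorted(scripts)} in '{lab}'")
        twin = latin_lookalike(lab)
        if twin:
            reasons.append(f"'{lab}' renders like '{twin}'")
    return {"ascii": host, "rendered": ".".join(rendered),
            "suspicious": bool(reasons), "reasons": reasons}

if __name__ == "__main__":
    for h in ("xn--e1awd7f.com", "epic.com"):
        print(check_host(h))
```

Run against the article's demonstration domain, the rendered form is four Cyrillic letters that look like "epic", and the report says so; the real epic.com comes back clean.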

Source: https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/

Article: Post-Election Spear Phishing Campaigns

A recent article warns of election-related spear-phishing and malware-infected emails.

—Begin—

In the wake of the 2016 United States Presidential Election, not even six hours after Donald Trump became the nation’s President-Elect, an advanced persistent threat (APT) group launched a series of coordinated and well-planned spear phishing campaigns.

These e-mails came from a mix of attacker-created Google Gmail accounts and what appear to be compromised e-mail accounts at Harvard’s Faculty of Arts and Sciences (FAS). These e-mails were sent in large quantities to different individuals across many organizations and individuals focusing on national security, defense, international affairs, public policy, and European and Asian studies. Two of the attacks purported to be messages forwarded on from the Clinton Foundation giving insight and perhaps a postmortem analysis into the elections. Two of the other attacks purported to be eFax links or documents pertaining to the election’s outcome being revised or rigged. The last attack claimed to be a link to a PDF download on “Why American Elections Are Flawed.”

The post-election attacks launched by the Dukes on November 9 were very similar to previous attacks seen from the Dukes in both 2015 and 2016. The PowerDuke malware, first seen in August 2016, was once again used in these most recent attacks. Three of the five attack waves contained links to download files from domains that the attackers appear to have control over. The other two attacks contained documents with malicious macros embedded within them. Each of these attack waves was slightly different from the others, and they are detailed below.

Attack Wave 1: eFax – The “Shocking” Truth About Election Rigging
Attack Wave 2: eFax – Elections Outcome Could Be revised [Facts of Elections Fraud]
Attack Wave 3: Why American Elections Are Flawed

—End—

More information can be found at: https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/

Tip #6 How to Hide Behind Your Screen Names


John_Smith. Fordham_Baby_Girl. Tatiana19. Fordham_QB_52

When selecting a screen name, avoid a name that might identify you. Even an identifier that partially reveals who you are, like some of the examples in the list of screen names above, can be combined with other online information about you. Together, that information might lead someone to discover your identity.

Use different screen names for different applications; it makes it more difficult for strangers to stalk you. Be safe and smart when you’re online! Choose a screen name that won’t reveal who you are or potentially embarrass you around relatives, future employers, or school admissions officials.

Read WikiHow’s article on choosing a safe screen name.

Image credit: DHGate, DIY Hand Painted Halloween Masks

Tip #5 What’s that person doing in my computer?

Fordham IT staff take “Innovation Walks” to disconnect from the online world and get some exercise. Disconnecting your computer from the network and disconnecting from your computer can have positive benefits.

It’s one thing to lend your smartphone to a friend to make a quick call, or share a computer with your family at home. It’s an entirely different matter when a stranger gains remote access to one of your devices.

You can prevent that from happening by disconnecting your computer from the Internet when you’re not using it.

Staying connected online all the time is easy and convenient. But a 24-hour connection gives an attacker or a virus scanning the network for reachable computers more opportunity to find yours. When you’re not using it, turn off your computer or modem, or disable the WiFi connection. Make sure you have your firewall enabled.

Speaking of firewalls, at Fordham, you can’t even log onto our secured network unless you have a firewall installed. This precaution helps keep the wired and wireless connections on all of Fordham’s campuses secure. That’s why we ask you to authenticate (called Network Access Control, or the NAC) each month. We strive to keep our campus online environment safe for you, 24/7.

Moreover, it’s good to get in the habit of disconnecting. Fordham IT staff often take walking meetings together. Our productivity and enthusiasm improves when we take breaks from our computers and the online world.

Tip #3 | Don’t Share THAT about Yourself Online!

Image: Kelli Marshall, Locating Shakespeare in the 21st Century, Vimeo

Inappropriate sharing of secrets always makes for a good plot twist in a Shakespearean play:

O negligence!
Fit for a fool to fall by: what cross devil
Made me put this main secret in the packet
I sent the king? Is there no way to cure this?
No new device to beat this from his brains?
(Henry VIII, Act 3.2)

When you meet someone new, whether it’s in your residence hall, at a party, or at work, do you immediately tell that person your full name, social security number, phone number, address, credit card and bank account numbers? Didn’t think so. You wouldn’t share most of that information with a good friend, either.

But what if you were asked, politely, a few times for the information? And what if the request came with a promise not to share any of your personal information, including your funny middle name, with anyone else? Right. Didn’t think so.

You should feel the same way about your privacy when a social media site asks you for that information. If you need to share those personal details to join the site, that’s a red flag. Walk (or surf) away from it, fast.

When you share something that’s personally identifiable with the wrong person or website, it will be quite difficult to find a “cure” and “beat” it out of his or her “brains” or database!

Read more about Cyber Security Awareness Month!

Email Storage Limit – Phishing Email Sent to the Fordham Community on 07/01/2014

This is another phishing email that has been reported. This message was received on or about July 1st, 2014. Please DO NOT respond to this message or anything that looks like it. You may disregard and delete this message. If you have any questions about the validity of this email, please contact IT Customer Care at 718-817-3999 or via email: helpit@fordham.edu.


———————-Begin Message—————————

From: User@domain.com
Date: Tue, Jul 1, 2014 at 12:05 PM
Subject: Your email account has exceeded its storage limit
To: User@fordham.edu
Dear Fordham University Webmaster subscriber,
We hereby announce to you that your email account has exceeded its storage
limit. You will be unable to send and receive mails and your email account
will be deleted from our server. To avoid this problem, you are advised to
verify your email account by clicking on the link below.
(Malicious Link)
Thank you.
The Fordham University Webmaster Management Team.

—————————–End Message—————————

Irregular Card Activity – Phishing Email Sent to the Fordham Community on 06/25/2014

This is another phishing email that has been reported. This message was received on or about June 25th, 2014. Please DO NOT respond to this message or anything that looks like it. You may disregard and delete this message. If you have any questions about the validity of this email, please contact IT Customer Care at 718-817-3999 or via email: helpit@fordham.edu.





——————— Begin Message —————————

Important Notification – Phishing Email Sent to the Fordham Community on 06/12/2014

This is another phishing email that has been reported. This message was received on or about June 12th, 2014. Please DO NOT respond to this message or anything that looks like it. You may disregard and delete this message. If you have any questions about the validity of this email, please contact IT Customer Care at 718-817-3999 or via email: helpit@fordham.edu.


——————Begin Message——————-
From: User@domain.com
Date: Wed, Jun 11, 2014 at 3:36 PM
Subject: Important Notification
To: User@fordham.edu
Dear Fordham AccessIT Mail Users
  
ACCOUNT REVIEW NOTIFICATION YOUR FORDHAM ACCESSIT MAIL ACCESS HAS BEEN FLAGGED AS ONE OF THE
NUMEROUS ACCOUNTS THAT NEEDS TO BE REVIEWED.
* Quota Usage/Inactive access/ Fraudulent activities Issues
* Abuse & Terms of Use Issues
The main reason for this action are:
WE STRONGLY NEED YOU TO REVIEW YOUR FORDHAM ACCESSIT MAIL ACCESS TO KEEP IT ACTIVE.
ONCE YOU HAVE DONE REVIEWING YOUR FORDHAM ACCESSIT MAIL  ACCESS YOUR ACCOUNT WILL BE AUTOMATICALLY REMOVE FROM FLAGGED,
AND IT WILL CONTINUE RUNNING PROPERLY.
(Malicious Link)
THANK YOU FOR HELPING US IMPROVE,
REGARDS, 
FORDHAM UNIVERSITY
©2014 Fordham University
  

——————-End Message——————–

AccesIT Mail Alert – Phishing Email Sent to the Fordham Community on 06/12/2014

This is another phishing email that has been reported. This message was received on or about June 12th, 2014. Please DO NOT respond to this message or anything that looks like it. You may disregard and delete this message. If you have any questions about the validity of this email, please contact IT Customer Care at 718-817-3999 or via email: helpit@fordham.edu.



——————Begin Message——————-

From: User@domain.com

Date: Thu, Jun 12, 2014 at 9:17 AM

Subject: Fordham AccesIT Mail Alert

To: User@fordham.edu

Dear Fordham AccessIT Webmail Users
Your Fordham AccessIT is due for updating we urge you to kindly take a few seconds to update your Fordham AccessIT webmail login access.
Failure to do so will result to account service suspension.
To update your Fordham AccessIT webmail login access kindly visit our website below to keep your Fordham AccessIT webmail login access active.
(Malicious Link)
Best Regards.
Fordham University
©2014 Fordham University
——————-End Message——————–