Have you heard of Spear and Whale Phishing?

Spear Phishing

(Photo from – https://oxen.tech/blog/spear-phishing-new-twist-old-scam/)

Spear Phishing is exactly what it sounds like: an attack aimed at a specific person or small group rather than at everyone. The attackers first gather as much information as they can about the target from the internet (social media, the company website, press releases, earlier data breaches) and use it to build a personalized, believable message, for example one that names the target's manager, a real project, or a recent purchase.


(Photo from – http://resources.infosecinstitute.com/category/enterprise/phishing/spear-phishing-and-whaling/#gref)

Whaling

Whaling is a form of spear phishing in which the attacker goes after a high-profile target at a business or government entity. Victims may include senators, CEOs, and anyone with access to a company's finances; a typical goal is to get someone who controls payments to wire money to the attacker while believing the request came from an executive.

  • Pay close attention to the emails you receive.
  • Look for spelling and grammatical errors. Hover over URLs to reveal the real destination of a link before you click it. Also hover over the links at the bottom of the email (privacy policy, unsubscribe, contact); these often look functional but lead nowhere or to the attacker's site.
  • If you're asked to verify personal information (name, D.O.B., or SSN), don't use any form provided in the email. Visit the business's home page yourself and check your account there, or call customer service using a number you already have.
  • Businesses can make whaling harder to pull off by using a consistent, recognizable template (stationery) for internal email and by clearly tagging mail that originates outside the organization, so that a spoofed message stands out. This is not a complete defense: any request to move money or change payment details, no matter who it appears to come from, should be confirmed by phone using a number you already have, not one given in the email.
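As an added illustration of the last point (example code written for this page, not Fordham IT's), here is the kind of check a mail gateway can run on inbound mail: it tags messages that come from outside the organization and flags the display-name tricks whaling relies on, such as an executive's name on a free webmail address, a look-alike domain, or a Reply-To that sends answers somewhere else. The organization's domain (example.edu), the executive names, and the three sample messages are all assumptions constructed for the demonstration.

```python
"""Gateway-side checks for executive impersonation (whaling).

Added example for this page, not Fordham IT's code. It assumes a mail gateway
hands us the raw message and that the organization's own domains and the names
of its executives are known. It also assumes sender authentication for the
organization's own domains is enforced elsewhere: a forged From address on
example.edu itself would pass is_internal() here.
"""
import email
import re
from email import policy
from email.utils import parseaddr

ORG_DOMAINS = {"example.edu"}          # assumption: domains the organization owns
EXECUTIVES = {"Jane Doe", "John Roe"}  # assumption: names a whaling mail would imitate
EXTERNAL_TAG = "[EXTERNAL]"
BANNER = ("CAUTION: This message came from outside the organization. Do not act on "
          "payment or credential requests without confirming by phone.\n\n")


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_internal(addr: str) -> bool:
    dom = domain_of(addr)
    return any(dom == od or dom.endswith("." + od) for od in ORG_DOMAINS)


def looks_like_org_domain(domain: str) -> bool:
    """Crude lookalike test: the organization's name shows up in a domain it does
    not own (example-edu.com, examp1e.edu). Digit-for-letter swaps are folded."""
    if is_internal("x@" + domain):
        return False
    folded = domain.lower().replace("1", "l").replace("0", "o")
    squashed = re.sub(r"[^a-z0-9]", "", folded)
    return any(od.split(".")[0] in squashed for od in ORG_DOMAINS)


def screen_message(raw: str) -> dict:
    """Return the flags raised plus the subject and body the gateway would deliver."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    subject = str(msg.get("Subject", ""))
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    flags = []

    if not is_internal(addr):
        flags.append("external-sender")
        subject = f"{EXTERNAL_TAG} {subject}"       # the visible "stationery" cue
        body = BANNER + body
        if name.strip().lower() in {e.lower() for e in EXECUTIVES}:
            flags.append("executive-display-name")  # "Jane Doe" <...@gmail.com>
        if looks_like_org_domain(domain_of(addr)):
            flags.append("lookalike-domain")
    if reply_to and domain_of(reply_to) != domain_of(addr):
        flags.append("reply-to-mismatch")          # replies would go elsewhere
    return {"flags": flags, "subject": subject, "body": body}


# Constructed sample messages (not real mail).
WHALING = """From: Jane Doe <jane.doe.ceo@gmail.com>
To: controller@example.edu
Subject: Urgent wire transfer

I'm in a meeting and can't talk. Please wire $48,000 to the vendor below today.
"""

LOOKALIKE = """From: John Roe <john.roe@examp1e.edu>
Reply-To: john.roe@mail-secure.net
To: accounts.payable@example.edu
Subject: Updated banking details

Please update our vendor's account number before the next payment run.
"""

INTERNAL = """From: Jane Doe <jane.doe@example.edu>
To: controller@example.edu
Subject: Budget meeting

See you at 3.
"""

if __name__ == "__main__":
    for sample in (WHALING, LOOKALIKE, INTERNAL):
        result = screen_message(sample)
        print(result["subject"], "->", result["flags"] or "no flags")
```

The tag and banner give the recipient a consistent visual cue; the flags are what a gateway would log or use to quarantine. Note the limit stated in the docstring: this only catches mail from outside domains, so it has to sit behind sender authentication for the organization's own domain.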

Detailed information regarding phishing scams and other IT security topics is available on our IT Security website at: www.fordham.edu/SecureIT or from our blog at fordhamsecureit.blogspot.com

If you have any questions or concerns, please contact IT Customer Care at (718) 817-3999 or via email to: HelpIT@fordham.edu.

 

Alert: Tragic Event Related Scams

Via: US-CERT

“In the wake of Sunday’s tragic event in Las Vegas, US-CERT warns users to be watchful for various malicious cyber activity targeting both victims and potential donors. Users should exercise caution when handling emails that relate to the event, even if those emails appear to originate from trusted sources. Event-related phishing emails may trick users into sharing sensitive information. Such emails could also contain links or attachments directing users to malware-infected websites. In addition, users should be wary of social media pleas, calls, texts, fraudulent donation websites, and door-to-door solicitations relating to the recent tragic event.

To avoid becoming victims of fraudulent activity, users and administrators should consider taking the following preventive measures:

Source: https://www.us-cert.gov/ncas/current-activity/2017/10/03/Tragic-Event-Related-Scams

What are Smishing and Vishing?

(Photo from – YouTube.com )

What is Smishing?

Smishing is SMS phishing: text messages sent to your mobile device to obtain your credentials (usernames and passwords) or financial information (credit card and Social Security numbers), usually by way of a link to a fake login page or form. Some are easy to spot (how did I win a $1,000.00 Wal-Mart gift card if I never entered a contest?), but the risk is real, because links in text messages are harder to inspect than links in email: you cannot hover over them, and they are often hidden behind URL shorteners.

(Photo from – https://info.phishlabs.com/blog/vishing-campaign-steals-card-data-from-customers-of-dozens-of-banks)

Vishing

Vishing (voice phishing) is the phone-call version of the same scam. Attackers call you directly, often with a spoofed caller ID that shows a bank or government number, or use interactive voice response (IVR) software that imitates a company's automated phone menu and asks you to "verify" your account by keying in card numbers, PINs, or your Social Security number.

As with email phishing, there are a few steps we can take to reduce the chance of falling for these two forms of phishing.

  • If it sounds too good to be true, it just might be!
    • If you receive a text message from a number you don't recognize, do not click any links that appear in the body of that message.
    • If you receive a phone call from a number you aren't familiar with, let it go to voicemail. Reputable businesses will leave a message if it matters. If the caller claims to be your bank or a government agency, hang up and call back using the number printed on your card or statement, not a number the caller gives you.
  • Avoid sharing your mobile number.
    • While there may be many offers/memberships that request your cell phone number, limiting the number of websites you enter your cell number into will reduce your risk of Smishing and Vishing.

Detailed information regarding phishing scams and other IT security topics is available on our IT Security website at: www.fordham.edu/SecureIT or from our blog at fordhamsecureit.blogspot.com

If you have any questions or concerns, please contact IT Customer Care at (718) 817-3999 or via email to: HelpIT@fordham.edu.


What is Phishing?

(Photo from – http://www.uidaho.edu/infrastructure/its/departments/security/phishing-scams)

Phishing is a fraudulent communication that appears to come from a reputable company or person, sent with the intent of obtaining the user's credentials (usernames and passwords) or financial information (i.e. credit card and Social Security numbers). Phishing is one of the oldest types of cyber scam and is still prevalent today; the criminals behind it have evolved with technology, and some phishes are now much harder to identify than others.

How do I spot a phishing scam?

  • If you don’t know the sender, don’t open the email or download any attachments.
    • Even if the sender is someone you're familiar with or do business with, pay attention to the subject line, the sender's email address, and the body of the email. Look for spelling mistakes, hover over any URLs to see where they will really take you (DO NOT CLICK ON ANY SUSPICIOUS LINKS), and if possible contact the sender through a channel you already use to verify the contents of the email.
  • Don't trust that link!
    • If you receive an email requesting that you log in to verify account information, navigate to the company's home page directly. Avoid using the links provided within the email: they may take you to a look-alike site that steals your password, or to a page that downloads malware to your device.
  • Don't fill in those blanks!
    • Do not enter your personal information (name, D.O.B., SSN, etc.) into a form embedded in a suspicious email. Again, if you need to verify account information for a reputable business, navigate to its page directly.
  • Does something look off?
    • Pay attention to the emails you receive regularly, they can help you spot a phony in the future. Great phishers will recreate websites with small discrepancies, keeping an eye out for minor or careless mistakes can keep you safe.

Detailed information regarding phishing scams and other IT security topics is available on our IT Security website at: www.fordham.edu/SecureIT or from our blog at fordhamsecureit.blogspot.com

If you have any questions or concerns, please contact IT Customer Care at (718) 817-3999 or via email to: HelpIT@fordham.edu.


Don’t be a victim of a phishing scheme!

Phishing is the act of attempting to deceive a user into divulging personal or confidential information, such as login credentials or credit card information, which the attacker then uses to access your accounts or steal your identity.

Phishing scams usually come in the form of email messages and false websites. Cybercriminals use social engineering to learn about their targets, then use what they learn to make the request for your personal information more convincing.

Below is an example of a phishing campaign scam.

(Image: example of a phishing email)

Things to look for to identify that you may be targeted include:

  • Spelling and bad grammar: Phishing emails are commonly plagued with spelling and grammatical errors.
  • Links in emails: A link may appear to take you to a legitimate website, but the visible text and the real destination can differ. Hover over links (DO NOT CLICK) and check whether the destination shown is a different site from the one the text claims.
  • Threats: Some emails contain threats, such as legal action or a deadline after which your account will be closed. These are designed to convince you to make a hasty decision and click a malicious link or open an unsafe attachment.
  • Spoofing a legitimate website or company: Some emails will appear to come from a legitimate company when that is far from the case. Attackers will try to make everything look legitimate, but suspicious URLs (page or domain names not associated with the company), a sender address on a domain the company does not use, or outdated information can be tell-tale signs that something is not right.
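The checks in the two lists above (hover over links, compare the sender's domain with the company it claims to be, watch for threats and deadlines) can be automated. The following script is an added example for this page, not Fordham IT's code: it parses an email, pulls out each link's visible text and real destination, and reports the indicators described above. The brand-to-domain table, the urgency phrases, the sample message (modeled on a streaming-service billing scam and constructed for this example), and the two-label approximation of a registrable domain are all assumptions.

```python
"""Phishing-indicator checks over an email message.

Added example for this page, not Fordham IT's code. BRAND_DOMAINS, URGENCY,
the two-label registrable() shortcut and SAMPLE are assumptions.
"""
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND_DOMAINS = {"netflix": {"netflix.com"}}   # assumption: domains the brand really uses
URGENCY = ("account disabled", "suspended", "within 24 hours", "immediately",
           "legal action", "verify your account")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels of a host. Fine for .com/.edu; a real tool would use the
    public suffix list so that co.uk-style suffixes are handled."""
    return ".".join(host.lower().split(".")[-2:])


def check_link(href: str, text: str, brand: str) -> list:
    """Indicators for one link: where it really goes vs. what it claims."""
    findings = []
    u = urlparse(href)
    host = (u.hostname or "").lower()
    if u.username or u.password:   # https://netflix.com@evil.example/ -> host is evil.example
        findings.append("credentials in URL hide the real host")
    try:
        ipaddress.ip_address(host)
        findings.append("link goes to a bare IP address")
    except ValueError:
        pass
    if u.scheme == "http":
        findings.append("link is not https")
    if host and registrable(host) not in BRAND_DOMAINS[brand]:
        if brand in host or brand in u.path.lower():   # brand used as a subdomain or path
            findings.append(f"'{brand}' appears in the URL but {registrable(host)} is not a {brand} domain")
        else:
            findings.append(f"link leads to {registrable(host)}, not a {brand} domain")
    m = re.search(r"([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text.lower())   # link text that looks like a URL
    if m and host and registrable(m.group(1)) != registrable(host):
        findings.append(f"link text says {m.group(1)} but link goes to {host}")
    return findings


def analyze(raw: str, brand: str) -> dict:
    """Run all checks over a raw message that claims to come from `brand`."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    findings = []
    if registrable(sender_domain) not in BRAND_DOMAINS[brand]:
        findings.append(f"sender domain {sender_domain} is not a {brand} domain")
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    wording = (str(msg.get("Subject", "")) + " " + body).lower()
    findings.extend(f"threat/urgency wording: '{kw}'" for kw in URGENCY if kw in wording)
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        findings.extend(check_link(href, text, brand))
    return {"links": collector.links, "findings": findings}


# Constructed sample, modeled on a streaming-service billing scam (not a real message).
SAMPLE = """From: Netflix Support <supportnetflix@checkinformation.example>
To: user@example.edu
Subject: Account disabled!
Content-Type: text/html

<html><body>
<p>Dear User,</p>
<p>We're having some trouble with your current billing information. Your account
will be suspended unless you update your payment details within 24 hours.</p>
<p><a href="http://netflix.account-verify.example/login">https://www.netflix.com/YourAccount</a></p>
<p><a href="https://www.netflix.com/privacy">Privacy</a></p>
</body></html>
"""

if __name__ == "__main__":
    for line in analyze(SAMPLE, "netflix")["findings"]:
        print("-", line)
```

The sample trips every indicator at once: the sender is not on a brand domain, the subject and body use threat wording, and the first link's text claims netflix.com while the href goes to a different site that merely uses "netflix" as a subdomain. The second link, which really goes to netflix.com, produces no finding, which is the point of the check: it is the destination, not the visible text, that matters.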

Visit us daily for more tips during National Cyber Security Awareness Month, starting October 2nd.

If you believe you are being targeted by a phishing campaign or have received a phishing email, please contact IT Customer Care at (718) 817-3999 or HelpIT@fordham.edu.

Netflix Scam Warning

via: malwarebytes

Always be on your toes

While we are used to receiving scam attempts pretending to be from banks, online shops, credit card companies, and international courier services that does not mean all the other emails are safe. Far from it. To demonstrate this point we will show you a scam aimed at Netflix customers which has been used in the Netherlands and is now doing the rounds in the UK but could just as easily spread to the US.

The mail in question

The sender address, in this case, was supportnetflix@checkinformation[.]com and the content of the email informs us that there has been a problem with our last payment. Obviously to those of us who are not customers of Netflix this is the first red flag. The fact that the domain name checkinformation[.]com does not belong to Netflix is another big red flag. In fact, the domain is for sale at the moment of writing.

(Image: the phishing email)

Netflix

Account disabled!

Dear User,

We’re having some trouble with your current billing information. We’ll try again. But in the meantime you may want to update your payment details. During the next login process, you will be required to provide some informations like (billing info, phone number, payment info)


So the email asks us to fill out our payment details on a site. This should always be a red flag for everyone. A security-aware company does not provide you with a clickable button to their site. They will tell you to log into their site and provide you with instructions on how to proceed. They will not provide a direct link to a page with a form to fill out asking for billing information and what not.

Pay attention to

When you have to provide such details always look for the green padlock in the address bar of your browser.

(Image: green padlock in the browser address bar)

Remember that the green padlock is not the sole condition, but it is a must before you proceed.

Another telltale sign is spelling errors, but again, the lack of them is not a definite green light to proceed. Scammers have learned that their efficiency goes up if they pay attention to their spelling.

Also never judge a site by its looks, because phishers are masters in the art of copying the layout and images from legitimate sites. In fact, they usually link to the actual layout and images of the website they are pretending to be.

source: https://blog.malwarebytes.com/cybercrime/2017/09/netflix-scam-warning/

Hackers compromised free CCleaner software, Avast’s Piriform says

via: Reuters

SAN FRANCISCO (Reuters) – Hackers broke into British company Piriform’s free software for optimizing computer performance last month potentially allowing them to control the devices of more than two million users, the company and independent researchers said on Monday.

The malicious program was slipped into legitimate software called CCleaner, which is downloaded for personal computers and Android phones as often as five million times a week. It cleans up junk programs and advertising cookies to speed up devices.

CCleaner is the main product made by London’s Piriform, which was bought in July by Prague-based Avast, one of the world’s largest computer security vendors. At the time of the acquisition, the company said 130 million people used CCleaner.

A version of CCleaner downloaded in August included remote administration tools that tried to connect to several unregistered web pages, presumably to download additional unauthorized programs, security researchers at Cisco’s (CSCO.O) Talos unit said.

Talos researcher Craig Williams said it was a sophisticated attack because it penetrated an established and trusted supplier in a manner similar to June’s “NotPetya” attack on companies that downloaded infected Ukrainian accounting software.

“There is nothing a user could have noticed,” Williams said, noting that the optimization software had a proper digital certificate, which means that other computers automatically trust the program.

In a blog post, Piriform confirmed that two programs released in August were compromised. It advised users of CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 to download new versions. A spokeswoman said that 2.27 million users had downloaded the August version of CCleaner while only 5,000 users had installed the compromised version of CCleaner Cloud.

Piriform said that Avast, its new parent company, had uncovered the attacks on Sept. 12. A new, uncompromised version of CCleaner was released the same day and a clean version of CCleaner Cloud was released on Sept. 15, it said.

The nature of the attack code suggests that the hacker won access to a machine used to create CCleaner, Williams said.

CCleaner does not update automatically, so each person who has installed the problematic version will need to delete it and install a fresh version, he said.

Williams said that Talos detected the issue at an early stage, when the hackers appeared to be collecting information from infected machines, rather than forcing them to install new programs.

Piriform said it had worked with U.S. law enforcement to shut down a server located in the United States to which traffic was set to be directed.

It said the server was closed down on Sept. 15 “before any known harm was done”.

Source: https://www.reuters.com/article/us-security-avast/hackers-compromised-free-ccleaner-software-avasts-piriform-says-idUSKCN1BT0R9

Equifax Breach: Find out if you’re affected

via: Shannon Ortiz, Director of IT Security at Fordham University

Dear Colleagues and Students,

As you may have heard in the news, Equifax, a credit reporting agency widely used by major credit card companies, banks, retailers, and lenders (including lenders of student loans), has suffered a serious data breach affecting over 143 million people. Cybercriminals have stolen names, Social Security numbers, birth dates, addresses, and the numbers of some driver’s licenses.

Educate yourself about the breach: Equifax has set up a website, equifaxsecurity2017.com, with more information about the breach. Included is a page for checking whether your personally identifiable information (PII) was part of the breach.

If your PII was breached, Equifax gives you the option to enroll in their credit monitoring service, TrustedID Premier. Note that during the enrollment process, Equifax requires you to sign a consent form in which you agree to not take any legal action against Equifax related to the breach.

Good online hygiene: Fordham IT will NEVER ask for your username and password, or ask you to click any links to validate or verify your account or password. If you receive questionable or suspicious emails, contact IT Customer Care and allow the UISO to validate the legitimacy of these emails.

Educate yourself some more: Take the UISO’s online, self-paced course, “UISO Security Training.” The course can be accessed in Blackboard, under My Organizations. Log in to Blackboard via My.Fordham.edu or directly from Fordham’s Blackboard portal.

If you need more information, please reach out to the University Information Security Office: infosec@fordham.edu

Hurricane-Related Scams (Update)

via: US-CERT

As the peak of the 2017 hurricane season approaches, US-CERT warns users to be watchful for various malicious cyber activity targeting both disaster victims and potential donors. Users should exercise caution when handling emails that relate to recent hurricanes, even if those emails appear to originate from trusted sources. Disaster-related phishing emails may trick users into sharing sensitive information. Such emails could also contain links or attachments directing users to malware-infected websites. In addition, users should be wary of social media pleas, calls, texts, or door-to-door solicitations relating to the recent hurricanes.

To avoid becoming a victim of fraudulent activity, users and administrators should consider taking the following preventive measures:

Source: https://www.us-cert.gov/ncas/current-activity/2017/09/08/Hurricane-Related-Scams

9 scams every college student (and parent) needs to watch for

via: cbsnews.com

Imagine you’re a scam artist looking for a vulnerable group to prey on.

Older people are often good marks, but they’re dispersed throughout the population, so finding a group to victimize can prove problematic. The very young are often protected by parents and may not have enough money to make them worthwhile targets. But college students? Perfect.

College students are old enough to have money, young enough to be vulnerable and likely to be unsupervised and away from home for the first time. Added bonus: because they congregate by the thousands on campuses nationwide, they’re not hard to find.

Now that you’ve gotten inside the head of those who might be preying on you or someone you love, take a few minutes to study some common college scams.

1. Tuition scam

Someone calls claiming to be with your school’s administration or admissions. They warn that your tuition is late and as a result, you’ll be dropped from your classes today. You’re ordered to pay immediately, over the phone, with a credit or prepaid card.

Solution: If you get a call involving money from anyone regarding anything, get off the phone and call the office that was mentioned yourself. Simply explain to whoever is calling that you’ll be calling them back, then check the status of whatever seems to be the problem.

This scam is a variation of the old unpaid bill scam, in which someone gets a call warning of dire consequences if they don’t immediately send money. In another common iteration, it’s a fake IRS agent warning of jail time.

2. Bad behavior

College students are legendary when it comes to finding ways to get into trouble or compromising positions. But now everyone has a smartphone, and therefore a camera. So, everything can, and will, be photographed and/or captured on video. And, yes, there are people who will pretend to like you but are actually setting you up for blackmail.

One only has to recall the Ashley Madison hack of 2015 to imagine what can happen when extremely personal information falls into the wrong hands.

Solution: If you’re going to do anything at college you wouldn’t do in front of your parents or a prospective employer, think twice. If you’re around people you don’t know, and/or you have been drinking, think 10 or 20 times.

3. Fake credit cards … and real ones

The Credit Card Accountability, Responsibility, and Disclosure (CARD) Act of 2009 banned banks from heavy credit card marketing on campus, but that doesn’t mean banks and card companies don’t still actively pursue college students.

Credit cards and other accounts that are heavily solicited are the ones most likely to be loaded with bad terms, big fees and high interest rates. Even worse, some credit card solicitations might be disguising an identity thief. Tread carefully.

Solution: If you need a credit card, don’t respond to one that solicits you. Instead, do your own hunt for the best card. The best deals in many areas of life, including credit cards, are often the least advertised, so look around online (we have a credit card search here) and at local banks and credit unions. Compare fees, terms and conditions, then make an informed decision.

4. Passwords

Everyone knows not to use the same simple or easy-to-guess passwords on multiple sites, or at least everyone should know. So why do we continue to risk our digital lives by using them anyway? Don’t store passwords or other sensitive information on your phone, or laptop, or anything else that can be easily stolen.

Solution: Forget changing passwords often or creating words with special characters — experts now say that advice doesn’t make passwords any harder for a bot to crack. Instead, try to make your password a long series of unrelated words. Also consider using any number of free programs to create, track and change your passwords. You just remember one password, your password manager does the rest.

5. Advance fees

If someone wants to charge you a fat fee in exchange for a loan, job, scholarship, debt counseling, completing a FAFSA (Free Application for Federal Student Aid) or almost anything else, it’s likely either a scam or someone charging too much for doing something you can do yourself.

Solution: Whatever the situation, the higher the fee, the more suspicious you should be. When it comes to scholarship and financial aid scams, the Federal Trade Commission offers these red flags to watch for:

  • “The scholarship is guaranteed or your money back.”
  • “You can’t get this information anywhere else.”
  • “I just need your credit card or bank account number to hold this scholarship.”
  • “We’ll do all the work. You just pay a processing fee.”
  • “The scholarship will cost some money.”
  • “You’ve been selected” by a “national foundation” to receive a scholarship — or “you’re a finalist” in a contest you never entered.

6. Online books

Crooks know textbooks are a huge college expense. So they set up a site, offer great deals, collect your money, then deliver nothing.

Solution: Don’t ever buy books, or anything else, online without first checking out reviews and otherwise validating the site and/or seller. Are they listed with the Better Business Bureau (BBB)? Do they have a physical address and phone number? Do you know anyone who’s used them before?

7. Nonexistent apartments

This scam is simple: Someone offers a great apartment, collects rent and/or a deposit over the phone or online for a place they don’t own, then disappears.

Solution: Don’t ever agree to rent an apartment without seeing it, both inside and out, and meeting the landlord. And don’t hand over money until you’re standing in your new apartment, key in hand.

8. Check cashing

In this scam, a “friend” asks you to cash a check for them. Maybe they even let you keep a little bit of the money for your trouble. You take their check and give them cash. Shortly after you deposit the check, it bounces. They’re long gone, and you’re out the money, as well as a returned check fee.

Solution: If you don’t know someone very well, consider cashing a check for them a gift of money from you, because it’s likely that’s what it will turn out to be.

9. Risks on Wi-Fi

Few groups are more likely than college students to spend time online via Wi-Fi at places like coffee shops, restaurants and parks. Unfortunately, public Wi-Fi subjects you to all manner of potential foul play.

Solution: Slow down hackers and ID thieves by using password protection and encryption software. Still, don’t ever log on to banking or other sensitive sites when on public Wi-Fi. And it’s not just your laptop that’s at risk. Do you have the same protections on your smartphone?

Bottom line: Remember the three golden rules of scam avoidance

While many scams, both on-campus and off, have donned high-tech clothing in recent years, most can be avoided by remembering three old-fashioned rules:

  • If something seems too good to be true, it probably is.
  • Don’t part with personal information unless you’re sure where it’s going.
  • The more someone needs money upfront, the greater the likelihood you’re about to be robbed.

Source: https://www.cbsnews.com/news/9-scams-every-college-student-and-parent-needs-to-watch-for/