Go to the U of M home page

Monday, November 12, 2018

Advisory: "The Boss Needs iTunes Gift Cards For Customers... NOW"

Good summary of scam emails "from" the boss requesting purchase of iTune (or other) gift cards.

NOTE: This is not hypothetical - we've seen multiple attempts to use this fraud against the University of Minnesota community.

From blog.knowbe4.com:

If you ever wondered if those iTunes gift card phishes really work, see the below email exchange.
Yep, that overzealous employee actually drove around town from store to store picking up iTunes gift cards for the bad guys because there was a limit on the number of cards that could be bought at any one store at one time.
All told poor Emily bought TWENTY $100.00 iTunes gift cards for these criminals. Still worse, she put them ON HER OWN PERSONAL CREDIT CARD!
Wonder if her company will reimburse her? Kinda feel sorry for her. Sometimes it helps to get security awareness training from your organization. Emily was not trained. Don't be Emily.
Here is the email exchange in chronological order. Note the time stamps are the originals and from different time zones. Names are changed to protect the innocent. John Carpenter is the C-level executive of "distracted.com" and was spoofed by the bad guys.  



From: John Carpenter <officeexec.mails@inbox.lv>
Sent: Thursday, September 6, 2018 11:20 AM
To: Emily Walker <ewalker@distracted.com>
Subject: Respond
Let me know when you are available. There is something I need you to do.
I am going into a meeting now with limited phone calls, so just reply my email.
John Carpenter
Sent from my iPad
-----------------------------
Subject: RE: Respond
Date: 6 September 2018 at 21:24:35
From: Emily Walker <ewalker@distracted.com>
To: John Carpenter <officeexec.mails@inbox.lv>
Did you intend to send this to me?
Emily Walker
Project Manager
Sent from my iPhone
-----------------------------
From: John Carpenter <officeexec.mails@inbox.lv>
Sent: Thursday, September 6, 2018 11:28 AM
To: Emily Walker <ewalker@distracted.com>
Subject: RE: Respond
Yes Emily, can you get this done ASAP? I need some couple of gift cards.
There are some listed clients we are presenting the gift cards. How
quickly can you arrange these gift cards because i need to send them
out in less than an hour. I would provide you with the type of gift
cards and amount of each.

Sent from my iPad
---------------------
Subject: RE: Respond
Date: 6 September 2018 at 21:48:03
From: Emily Walker <ewalker@distracted.com>
To: John Carpenter <officeexec.mails@inbox.lv>
Can do now. I’ll put on my credit card. Send me the following:
Type
Number
Amount
Emily Walker
Project Manager

Sent from my iPhone
-------------
From: John Carpenter <officeexec.mails@inbox.lv>
Sent: Thursday, September 6, 2018 11:52 AM
To: Emily Walker <ewalker@distracted.com>
Subject: RE: Respond

The type of card I need is Apple iTunes gift cards. $100 denomination,
I need $100 X 20 cards. You might not be able to get all in one store,
you can get them from different stores. When you get the cards, Scratch
out the back to reveal the card codes, and email me the codes. How soon
can you get that done? Its Urgent.
Sent from my iPad
--------------------------

Subject: RE: Respond
Date: 6 September 2018 at 21:55:17
From: Emily Walker <ewalker@distracted.com>
To: John Carpenter <officeexec.mails@inbox.lv>
I can do now. Do you want me to do online instead?
Emily Walker
Project Manager

Sent from my iPhone
-------------------------

On Sep 6, 2018, at 11:57 AM, John Carpenter <officeexec.mails@inbox.lv> wrote:
I need you get physical card from the store
Sent from my iPad
---------------------------
Subject: Re: Respond
Date: 6 September 2018 at 22:01:32
From: Emily Walker <ewalker@distracted.com>
To: John Carpenter <officeexec.mails@inbox.lv>
On my way to store now. What time need by?
Sent from my iPhone
---------------------

On Sep 6, 2018, at 12:05 PM, John Carpenter <officeexec.mails@inbox.lv> wrote:
As soon as you can. I will await codes
Sent from my iPad

--------------------------
Subject: Re: Respond
Date: 6 September 2018 at 22:13:37
From: Emily Walker <ewalker@distracted.com>
To: John Carpenter <officeexec.mails@inbox.lv>
If choice between the two do you want $15 or $25?
Sent from my iPhone
---------------------

On Sep 6, 2018, at 12:16 PM, John Carpenter <officeexec.mails@inbox.lv> wrote:
$100
Sent from my iPad
----------------

Subject: Re: Respond
Date: 6 September 2018 at 22:51:58
From: Emily Walker <ewalker@distracted.com>
To: John Carpenter <officeexec.mails@inbox.lv>

Just texted you the first 11 codes. Heading to another store now. 5 and 6 limit per store.
Sent from my iPhone
------------------------
On Sep 6, 2018, at 12:54 PM, John Carpenter <officeexec.mails@inbox.lv> wrote:
Email the codes to me
Sent from my iPad
---------- 
End of email thread. One hour and twenty five minutes later, the bad guys had 2 thousand dollars in iTunes gift cards in their hands and Emily had charged all of them on her personal credit card. OUCH!
I suggest you send the following to your employees in accounting specifically. You're welcome to copy, paste, and/or edit:
The bad guys are getting creative with hybrid giftcard  / CEO Fraud scams, There is a massive campaign underway where they are impersonating an executive and urgently ask for gift cards to be bought for customers. The numbers need to be emailed or texted to the boss, after they are physically bought at stores. N ever comply with request like that and always confirm using a live phone call to make sure this is not a scam. Sometimes it's OK to say "no" to the boss!
Can Your Domain Be Spoofed?

Did you know that one of the first things hackers try is to see if they can spoof the email address of someone in your own domain? Now they can launch a "CEO fraud" spear phishing attack on your organization.
 
https://blog.knowbe4.com/scam-of-the-week-the-boss-needs-itunes-gift-cards-for-customers...-now

Wednesday, October 3, 2018

Advisory: Facebook breach: what to do next

FTC advice regarding the recent Facebook breach.

Facebook breach: what to do next

Facebook recently announced the largest breach in the company’s history. The breach affected about 50 million users, allowing hackers to take over their accounts. If you use Facebook, you may be wondering what to do next. Here are a few steps you can take.
First, you probably want to know more about the breach. According to Facebook, the attackers took advantage of a weakness in the “View As” feature, which lets people see what their profile looks like to others. The hackers stole digital keys that keep you logged in to Facebook so you don’t need to re-enter your password every time. Facebook says they’ve fixed the vulnerabilities and reset digital keys on 50 million affected accounts, plus an additional 40 million accounts that used the “View As” function.
To better protect yourself after this breach:
  • Watch out for imposter scams. With access to your Facebook account, hackers can get a lot of information about you. That information could be used to impersonate people you know or companies you do business with. If someone calls you out of the blue, asking for money or personal information, hang up. Then, if you want to know for sure if the person calling you was really your family member or was really from a company you know and trust, call them back at a number you know to be correct before you give any information or money. And remember: anyone who demands that you pay by gift card or by wiring money is scamming you. Always.
     
  • Consider changing your password. Facebook says that it fixed the vulnerability, so there’s no need to change your password. But, to be safe, log in and change your password anyway. If you use the same password other places, change it there, too. Don’t forget to change your security questions, as well – especially if the answers include information that could be found in your Facebook account.
For more information about what to do after a data breach, visit IdentityTheft.gov/databreach and watch the FTC’s video on What to Do After a Data Breach.
If you learn that someone has misused your personal information, go to IdentityTheft.gov to report identity theft and get a personal recovery plan. Because recovering from identity theft – and data breaches – is easier with a plan.

Tuesday, October 2, 2018

Advisory: 5 Easy Ways to Protect Yourself Online

Tips from staysafeonline.org:

Every day, it seems we hear about a new internet scam, from Nigerian princesrequesting a wire transfer of $10,000 to online dating catfishing. As helpful as the internet can be, such stories are worrisome.

While the internet can sometimes seem like a jungle of a million different threats, you can take steps to protect yourself. Here are five easy, free and quick ways to safeguard yourself.
  1. Enable Two-Step Authentication
Also known as multi- or two-factor authentication or login approval – two-step verification provides an extra layer of security beyond your username and password to protect against account hijacking. When using this security mechanism, you will log in using your password and then be prompted verify your identity again. This second verification is usually done via a biometric (fingerprint or face scan), security keys or a unique one-time code through an app on your mobile device.
Many websites and companies offer two-step verification, and they make it easy to set up this second layer – usually found in the settings section of your account. Using two-step authentication can help you feel more secure, especially for sites containing your financial information.
....
  1. Check a Site’s SSL Certificate ....
  2. Don’t Save Financial Information on Shopping Sites ...
  3. Be Careful Who You Trust  ...
  4. Create Strong, Unique Passwords ...

Friday, September 21, 2018

Advisory: Credit Freezes are Free: Let the Ice Age Begin

Good news - credit freezes are now free in every US State - this is a valuable tool to prevent identity thieves from accessing your credit history, from krebsonsecurity.com:


SEP 18

Credit Freezes are Free: Let the Ice Age Begin

It is now free in every U.S. state to freeze and unfreeze your credit file and that of your dependents, a process that blocks identity thieves and others from looking at private details in your consumer credit history. If you’ve been holding out because you’re not particularly worried about ID theft, here’s another reason to reconsider: The credit bureaus profit from selling copies of your file to others, so freezing your file also lets you deny these dinosaurs a valuable revenue stream.
Enacted in May 2018, the Economic Growth, Regulatory Relief and Consumer Protection Act rolls back some of the restrictions placed on banks in the wake of the Great Recession of the last decade. But it also includes a silver lining. Previously, states allowed the bureaus to charge a confusing range of fees for placing, temporarily thawing or lifting a credit freeze. Today, those fees no longer exist.
A security freeze essentially blocks any potential creditors from being able to view or “pull” your credit file, unless you affirmatively unfreeze or thaw your file beforehand. With a freeze in place on your credit file, ID thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name because few if any creditors will extend that credit without first being able to gauge how risky it is to loan to you (i.e., view your credit file).  ....

Thursday, September 20, 2018

Advisory: Business E-Mail Compromise

FBI warning of scam email threat called business e-mail compromise (BEC).


Since 2013, when the FBI began tracking an emerging financial cyber threat called business e-mail compromise (BEC), organized crime groups have targeted large and small companies and organizations in every U.S. state and more than 100 countries around the world—from non-profits and well-known corporations to churches and school systems. Losses are in the billions of dollars and climbing.

At its heart, BEC relies on the oldest trick in the con artist’s handbook: deception. But the level of sophistication in this multifaceted global fraud is unprecedented, according to law enforcement officials, and professional businesspeople continue to fall victim to the scheme.

Carried out by transnational criminal organizations that employ lawyers, linguists, hackers, and social engineers, BEC can take a variety of forms. But in just about every case, the scammers target employees with access to company finances and trick them into making wire transfers to bank accounts thought to belong to trusted partners—except the money ends up in accounts controlled by the criminals.

“BEC is a serious threat on a global scale,” said Special Agent Martin Licciardo, a veteran organized crime investigator at the FBI’s Washington Field Office. “And the criminal organizations that perpetrate these frauds are continually honing their techniques to exploit unsuspecting victims.”    ...

Timeline of business e-mail compromise attack
Timeline of business e-mail compromise attack
See also:

Saturday, September 15, 2018

Advisory: Potential Hurricane Florence Phishing Scams

Alert from US-CERT warning of scams trading off of current weather emergency.

Potential Hurricane Florence Phishing Scams


Original release date: September 14, 2018
NCCIC warns users to remain vigilant for malicious cyber activity seeking to exploit interest in Hurricane Florence. Fraudulent emails commonly appear after major natural disasters and often contain links or attachments that direct users to malicious websites. Users should exercise caution in handling any email with a subject line, attachments, or hyperlinks related to the hurricane, even if it appears to originate from a trusted source. NCCIC advises users to verify the legitimacy of any email solicitation by contacting the organization directly through a trusted contact number. Contact information for many charities is available on the BBB National Charity Report Index. User should also be wary of fraudulent social media pleas, calls, texts, donation websites, and door-to-door solicitations relating to the hurricane.
NCCIC encourages users and administrators to review the following resources for more information on phishing scams and malware campaigns:

Wednesday, September 5, 2018

Advisory: Active Phishing Campaign Targeting Student Email Accounts

Federal Student Aid (FSA) has identified a malicious phishing campaign that may lead to potential fraud associated with student refunds and aid distributions.

If you have any concerns about any suspicious financial aid messages you receive, contact One Stop for assistance: 


What is happening: Multiple institutions of higher education (IHEs) have reported that attackers are using a phishing email to obtain access to student accounts via the IHE student portal (see example phishing email below). The nature of the requests indicates the attackers have done some level of research and understand the schools’ use of student portals and methods. These attacks are successful due to student compliance in providing requested information and the use of just one factor for authentication.
Upon gaining access to the portal, the attacker changes the student’s direct deposit destination to a bank account controlled by the attacker. As a result, FSA refunds intended for the student are sent to the attacker. FSA believes that attackers are practicing and refining the scheme on a smaller scale now and that this will emerge as a prominent threat against IHEs during periods when FSA funds are disseminated in large volumes.

 Example of phishing message
Example of phishing message