Friday, July 20, 2018

Advisory: Scam Extortion Using Leaked Passwords

Attempt to extort bitcoin payment using passwords from data breaches.

Scam Details

  • Victim's email address and a password are exposed in a data breach (e.g. LinkedIn).
  • Attacker crafts an email to that address "revealing" that they know the password, and claiming that:
      • They have installed malicious software on the victim's computer
      • They have used the victim's computer camera to secretly record the victim watching porn
      • They will send the recording to the victim's contacts unless the victim sends a bitcoin payment to buy their silence.

What's Going On

Data breaches are all too common - many yielding large "dumps" of email addresses and passwords. The attackers in this scenario are using this information to trick their victims into thinking they have been compromised - which is very, very unlikely. The most convincing piece of information is that they know a single password that the victim used somewhere at some time. Unless the victim uses the same password everywhere (note: this is a very bad practice), it isn't going to unlock their computer.

How You Can Protect Yourself
  • Use unique, strong passwords for each account.
  • Use a password manager to track your passwords. (en.wikipedia.org/wiki/Password_manager)
  • Subscribe to haveibeenpwned.com to learn if your email has shown up in password dumps - change any password if an account turns up.
  • You can use haveibeenpwned.com to check to see if your email address has shown up in the past in any password breaches. [Note: haveibeenpwned will not tell you the password that was exposed, but it will tell you the date of the exposure. If your current password is newer than that date, you do not need to update your password.]

Wednesday, July 18, 2018

Example 221: University J0b Recruiting / Artnet Job Offer

Scam offers for employment sent to students using an image file to present the offer.

Message text:

Date: Wed, Jul 18, 2018 at 12:44 AM
Subject: Re: Artnet Job Offer

*find attached..*

The above had this customized IMAGE file delivering the message:

Date: Tue, Jul 17, 2018 at 11:26 PM
Subject: University J0b Recruiting
Dear selected Candidate,
Your university recruiting department has selected you for an on-campus
offer. Please find attached..

This message, sent from a different email address than the first, included this image with the Gmail address used in the other "Artnet" offer:

Things to note:
  • Sender is unknown 
  • Email text sent as image file - presumably to avoid being detected as spam
  • Message follows standard "money mule" come-on

What is a money mule?

A money mule is someone recruited by criminals to transfer the profits of their illegal activities. The money may have been stolen directly from another bank account or may be the profits of fraud, drug trafficking, child labour or prostitution. Most of the criminals carrying out this type of crime are located abroad, so a money mule based in the UK is required to transfer the money overseas.
Although some money mules know that they are handling stolen money, criminals also target groups such as university students to unwittingly launder the funds on their behalf.

Advisory: FTC Issues Alert on Tech Support Scams

FTC Issues Alert on Tech Support Scams

The Federal Trade Commission has released an alert on tech support scams. Scammers use pop-up messages, websites, emails, and phone calls to entice users to pay for fraudulent tech support services to repair problems that don’t exist. Users should not pay or give control of their devices to any stranger offering to fix problems. 
NCCIC encourages users and administrators to refer to the FTC Alert and the NCCIC Tip on Avoiding Social Engineering and Phishing Attacks for more information. If you believe you are a victim of a tech support scam, file a complaint at www.FTC.gov/complaint.

Monday, July 9, 2018

Advisory: Reports of scam caller 'spoofing' 911

Spoofed calls "from" 911 used to steal personal information.

MARQUETTE COUNTY, Mich. (WLUC) - Marquette County Central Dispatch/Emergency Management received a report of a caller ID spoofing incident using “911” as the callback number here in Michigan.
A bad actor using 911 as the caller ID called a citizen and said that someone in their family had been in an accident and started to ask for personal information. The citizen called her family member and found out they were fine. If this ever happens to you, please remember this:
  • If you get a voice call from 911, it will NOT be on a 911 line. If the 911 center calls you, it will always be on a 10-digit line, not a 911 line.
  • The only time that the digits 911 will show up as an incoming communication will be via a text.
  • If you receive a call from someone who says that they are from 911 or other public safety department (police, fire, or EMS), ask them for the number they can be reached at and call them back.
  • NEVER give your social security, credit card, or insurance information over the phone.

Monday, June 11, 2018

Example 220: Email xxxx@umn.edu De-Activation

Personalized "warning" of email account closure

Message text:

From: <administrator@mail.com>
Date: Mon, Jun 11, 2018 at 4:48 AM
Subject: Email xxxx@umn.edu De-Activation
To: xxxx@umn.edu

Server Message

*Dear xxx@umn.edu
Our record indicates that you requested to close your recent email:
xxxx@umn.edu. This requires that we verify with you as soon as possible.
If the request was accidentally made and you have no knowledge of it, you
may now cancel the request below
*Cancel Request*
Note: Failure to cancel this request within 24 hours will result to Email
Service De-Activation (ESD) and all email data will be permanently lost.
*Email Administrator*
This message is auto-generated from E-mail security server, and replies
sent to this email can not be delivered.
This email is meant for: *xxxx@umn.edu <xxxx@umn.edu>*

Web forms:

fake login form to keep account from being "canceled"
Claims of "success" in keeping account active

Things to note:

  • Email is personalized to individual recipient
  • Web form link carries ID info so webforms have account name
  • No UMN branding in forms
  • Email does not come from a UMN.EDU address
  • Email has no contact information
  • Filling in the form "fails" and makes you try again
  • Filling in the second time "succeeds" then redirects you to a real umn.edu page.
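
Several of the indicators listed above can be checked mechanically by a mail filter or a triage script. The following Python code is an added example, not part of the original post: it runs those checks over a constructed copy of the message. The link host `forms.example.invalid`, its path and `id` parameter, and the function and label names are assumptions. An external sender on its own is normal; it is the combination of hits that matters.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit, unquote

ORG_DOMAIN = "umn.edu"

# Constructed sample modeled on the message text above; the link is a placeholder.
SAMPLE = """\
From: <administrator@mail.com>
To: xxxx@umn.edu
Subject: Email xxxx@umn.edu De-Activation

Dear xxxx@umn.edu
Our record indicates that you requested to close your recent email.
Cancel Request: http://forms.example.invalid/cancel?id=xxxx%40umn.edu
Note: Failure to cancel this request within 24 hours will result to Email
Service De-Activation (ESD) and all email data will be permanently lost.
"""

def in_org(domain, org_domain):
    """True if domain is the organization's domain or a subdomain of it."""
    return domain == org_domain or domain.endswith("." + org_domain)

def phishing_indicators(raw, org_domain=ORG_DOMAIN):
    """Return the list of indicators from 'Things to note' that the message shows."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    body = msg.get_payload()  # single-part plain-text message assumed
    hits = []
    # "Email does not come from a UMN.EDU address"
    if not in_org(sender.rpartition("@")[2], org_domain):
        hits.append("external-sender")
    # "Email is personalized to individual recipient"
    if rcpt and rcpt in (msg.get("Subject", "") + body).lower():
        hits.append("personalized-to-recipient")
    # Short deadline used to rush the recipient ("within 24 hours")
    if re.search(r"within\s+\d+\s+hours", body, re.I):
        hits.append("deadline-pressure")
    # "Web form link carries ID info": recipient address inside an off-site URL
    for url in re.findall(r"https?://\S+", body):
        host = (urlsplit(url).hostname or "").lower()
        if not in_org(host, org_domain) and rcpt and rcpt in unquote(url).lower():
            hits.append("link-carries-recipient-id")
            break
    return hits

if __name__ == "__main__":
    print(phishing_indicators(SAMPLE))
```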

Thursday, May 24, 2018

Advisory: FBI Releases Article on Building a Digital Defense with Credit Reports

Summary: FBI has released an article on using credit reports to build a digital defense against identity theft.

FBI has released an article on using credit reports to build a digital defense against identity theft. FBI explains how identity theft can deal a devastating blow to consumers' credit history. However, regularly checking the accuracy of credit reports can help consumers minimize risk.
NCCIC encourages consumers to review the FBI Article and NCCIC's Tip on Preventing and Responding to Identity Theft.

Tuesday, May 22, 2018

Advisory: Tragedy-Related Scams

Summary: In the wake of the recent Texas school shooting, NCCIC advises users to watch out for possible malicious cyber activity 

In the wake of the recent Texas school shooting, NCCIC advises users to watch out for possible malicious cyber activity seeking to capitalize on this tragic event. Users should exercise caution in handling emails related to the shooting, even if they appear to originate from trusted sources. Fraudulent emails often contain links or attachments that direct users to phishing or malware-infected websites. Emails requesting donations from duplicitous charitable organizations are also common after tragic events. Be wary of fraudulent social media pleas, calls, texts, donation websites, and door-to-door solicitations relating to the event.
To avoid becoming a victim of fraudulent activity, NCCIC encourages users and administrators to review NCCIC's Tips on Using Caution With Email Attachments and Avoiding Social Engineering and Phishing Attacks as well as the Federal Trade Commission's article on Before Giving to a Charity.