Go to the U of M home page

Wednesday, May 31, 2017

Phishing Alert: Lawsuit Phone Scam

Scam phone calls deliver an automated lawsuit threat.

We've had reports from our community that match this scam reported by the University of Pittsburgh:

....a new phishing phone scam that has been received by members of the University community. The scam uses an automated voice message that instructs you to call a phone number before a lawsuit is filed against you with the county courthouse.
The following is a transcript of the fraudulent phone scam. If you receive this message (or any message similar to it), delete the voice message without replying or calling back the number. 
We are calling you about a lawsuit, which has been filed on your name. So before we go with legal matter and send this case to the local county courthouse, kindly call us back on our number which is [number removed]. Thank you and goodbye.

Friday, May 12, 2017

Krebs: U.K. Hospitals Hit in Widespread Ransomware Attack

A timely reminder to make sure your computer is updated.

The ransom note left behind on computers infected with the Wanna Decryptor ransomware strain. Image: BleepingComputer.
The ransom note left behind on computers infected with the Wanna Decryptor ransomware strain. Image: BleepingComputer.

U.K. Hospitals Hit in Widespread Ransomware Attack

At least 16 hospitals in the United Kingdom are being forced to divert emergency patients today after computer systems there were infected with ransomware, a type of malicious software that encrypts a victim’s documents, images, music and other files unless the victim pays for a key to unlock them.
It remains unclear exactly how this ransomware strain is being disseminated and why it appears to have spread so quickly, but there are indications the malware may be spreading to vulnerable systems through a security hole in Windows that was recently patched by Microsoft.

In a statement, the U.K.’s National Health Service (NHS) said a number of NHS organizations had suffered ransomware attacks.
“This attack was not specifically targeted at the NHS and is affecting organizations from across a range of sectors,” the NHS said. “At this stage we do not have any evidence that patient data has been accessed.”
According to Reuters, hospitals across England are diverting patients requiring emergency treatment away from the affected hospitals, and the public is being advised to seek medical care only for acute medical conditions.
NHS said the investigation is at an early stage but the ransomware that hit at least 16 NHS facilities is a variant of Wanna Decryptor (a.k.a. “WannaCry“), a ransomware strain that surfaced roughly two weeks ago.
Lawrence Abrams, owner of the tech-help forum BleepingComputer, said Wanna Decryptor wasn’t a big player in the ransomware space until the past 24 hours, when something caused it to be spread far and wide very quickly.
“It’s been out for almost two weeks now, and until very recently it’s just been sitting there,” Abrams said. “Today, it just went nuts. This is by far the biggest outbreak we have seen to date.”
For example, the same ransomware strain apparently today also hit Telefonica, one of Spain’s largest telecommunications companies. According to an article on BleepingComputer, Telefonica has responded by “desperately telling employees to shut down computers and VPN connections in order to limit the ransomware’s reach.”
An alert published by Spain’s national computer emergency response team (CCN-CERT) suggested that the reason for the rapid spread of Wanna Decryptor is that it is leveraging a software vulnerability in Windows computers that Microsoft patched in March.
According to CCN-CERT, that flaw is MS17-010, a vulnerability in the Windows Server Message Block (SMB) service, which Windows computers rely upon to share files and printers across a local network. Malware that exploits SMB flaws could be extremely dangerous inside of corporate networks because the file-sharing component may help the ransomware spread rapidly from one infected machine to another.
That SMB flaw has enabled Wanna Decryptor to spread to more than 36,000 Windows computers so far, according to Jakub Kroustek, a malware researcher with Avast, a security firm based in the Czech Republic.
“So far, Russia, Ukraine, and Taiwan leading,” the world in new infections, Kroustek wrote in a tweet. “This is huge.”
Abrams said Wanna Decryptor — like many ransomware strains — encrypts victim computer files with extremely strong encryption, but the malware itself is not hard to remove from infected computers. Unfortunately, removing the infection does nothing to restore one’s files to their original, unencrypted state.
“It’s not difficult to remove, but it also doesn’t seem to be decryptable,” Abrams said. “It also seems to be very persistent. Every time you make a new file [on an infected PC], it encrypts that new file too.”
Experts may yet find a weakness in Wanna that allows them to way to decode the ransomware strain without paying the ransom. For now, however, victims who don’t have backups of their files have one option: Pay the $300 Bitcoin ransom being demanded by the program.
Wanna Decryptor is one of hundreds of strains of ransomware. Victims who are struggling with ransomware should pay a visit to BleepingComputer’s ransomware help forum, which often has tutorials on how to remove the malware and in some cases unlock encrypted files without paying the ransom. In addition, the No More Ransom Project also includes an online tool that enables ransomware victims to learn if a free decryptor is available by uploading a single encrypted file.

Tuesday, May 9, 2017

Advisory: FTC Promotes Privacy Awareness Week

U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:

05/08/2017 10:39 PM EDT

Original release date: May 08, 2017
The Federal Trade Commission (FTC) has released an announcement on Privacy Awareness Week, celebrated this week in the U.S. The theme of this year’s initiative is “Share with Care,” and the FTC is offering privacy tips, including how to safeguard your information online, improve your computer security, and limit unwanted emails.
US-CERT encourages users and administrators to review FTC’s post on Privacy Awareness Week and these related resources from US-CERT:


Monday, May 8, 2017

Example 198: Email Update!

Scam email update sent from a compromised UMN account

Message text
Subject:    Email Update!
Date:   Mon, 8 May 2017 20:03:37 +0100
From:   compromised UMN account <xxx @umn.edu>
Reply-To:   gmail account

We are using this opportunity to notify the Students, Staffs and Alumni
of University of Minnesota that an update is being done on all accounts.
We strongly advise that you update <hxxp:// tinyurl.com/ xxxxx > your
account promptly to avoid closure/inconvenience on your account, kindly
do this immediately.
IT Admin
Login form

Minnesota bogus branded simple login form
Minnesota bogus branded simple login form

Things to note

  • Form uses tinyurl to mask non-umn login address
  • Form is modestly branded
  • Form shows password in the clear

Example 197: Your Edu Webmail Expired on 05.08.2017,Update

 Non-branded email and form claiming to warn about email account.

Message text

Subject:    Your Edu Webmail Expired on 05.08.2017,Update
Date:   Mon, 8 May 2017 12:40:19 +0000
Your Webmail Edu account certificate expired on 05.08.2017, it may
interrupt your email delivery configuration, and POP account settings
page error when messaging. To re-new your webmail certificate, please
take a moment to update your records per link below or copy and paste link.
Account will function as normal after the verification process, webmail
and your certificate will be re-newed.
Web form

non-branded, simplistic phishing form
non-branded, simplistic phishing form

Thursday, May 4, 2017

Advisory: NO, no one has shared a document on Google Docs with you

Email Attack Hits Google: What to Do if You Clicked


A screen shot of an email received by a New York Times reporter on Wednesday that included a link that appeared to be for a Google document. (Identifying information has been redacted.)

Google said it was investigating an email scam winding its way through inboxes across the country and had disabled the accounts responsible for the spam.
The scheme emerged Wednesday afternoon, when spammers dispatched malicious email, appearing to come from people the recipients knew, beckoning them to click on what appeared to be a shared Google document.                    ........
If you receive suspicious email, here are some tips:
1. Do not click, even when the email is from your mother.
2. Turn on multifactor authentication.
       (this is coming for all UMN users soon, stay tuned)
3. Shut it down.
Go to https://myaccount.google.com/permissions
Revoke access to “Google Docs” (the app will have access to contacts and drive).
4. Change your passwords ... again.
5. Report it.
Report any phishing attacks to Google by clicking the downward arrow at the top right of your inbox and selecting “Report Phishing.” Companies count on those reports to investigate such scams and stop them.

See also: