Go to the U of M home page

Wednesday, November 28, 2018

Advisory: Risks of Falling for a Phishing Scam

Advice on what happens if you get phished. From it.umn.edu:

You are popular. REALLY popular. Right now, there are people all over the world writing email, building websites for you
Unfortunately a lot of this work is aimed at one thing - collecting passwords tied to your email address. 
Now, getting into your email alone is kind of a big deal. Just think about all the business we conduct - personal or work-related - and how it flows through email. But that’s only the start of what can happen when you lose control of that password. 
At the University our email address and password are the keys that unlock paychecks, student loans, library resources, and network access. That’s a nice treasure chest of loot for the would be cyber pirate - but wait, there’s more! 
It’s not unusual to use the same password on multiple sites - we’ve all got so many to remember, right? And, oh! What do most sites use for login ID - yes, your email address! So, when some crook nabs your email address and password, they’re free to try it at Amazon, Apple, Netflix, Spotify or you name it. If you use the same password across multiple sites you’ve just created a skeleton key that opens way too many accounts.

There’s hope!

With the roll out of Duo Security at the University of Minnesota, we’ve put a significant roadblock in front of the phishers. Once you enable Duo Security on your account, your password alone will not grant access to your UMN resources (though some, for example, VPN and WiFi are not protected by Duo Security). 
Many, if not most, non-UMN resources can use two factor authentication. Take some time to protect your other accounts. Check out https://twofactorauth.org/ for information on what you can do to add this important tool to your other accounts. 
Next - stop using the same password on multiple accounts. Get a system to manage your passwords - even a paper notebook is a solution. But tools like Lastpass, Password Safe, or Keepass will give you a lot of power in managing your many accounts. Also, be sure to set up a strong password or passphrase, here are some tips
And remember - a very strong way to assert control over your accounts is to change your password. If ever you are concerned that your password has been stolen - change it! It’s as simple as going to my-account.umn.edu
One last tip from Brad Paisley: “The Internet Is Forever.” In other words, do not reuse old passwords. There is a worldwide active market in stolen passwords - once stolen, the passwords on those lists never go out of circulation. So don’t go back to that favorite password from long ago!

Monday, November 12, 2018

Advisory: "The Boss Needs iTunes Gift Cards For Customers... NOW"

Good summary of scam emails "from" the boss requesting purchase of iTune (or other) gift cards.

NOTE: This is not hypothetical - we've seen multiple attempts to use this fraud against the University of Minnesota community.

From blog.knowbe4.com:

If you ever wondered if those iTunes gift card phishes really work, see the below email exchange.
Yep, that overzealous employee actually drove around town from store to store picking up iTunes gift cards for the bad guys because there was a limit on the number of cards that could be bought at any one store at one time.
All told poor Emily bought TWENTY $100.00 iTunes gift cards for these criminals. Still worse, she put them ON HER OWN PERSONAL CREDIT CARD!
Wonder if her company will reimburse her? Kinda feel sorry for her. Sometimes it helps to get security awareness training from your organization. Emily was not trained. Don't be Emily.
Here is the email exchange in chronological order. Note the time stamps are the originals and from different time zones. Names are changed to protect the innocent. John Carpenter is the C-level executive of "distracted.com" and was spoofed by the bad guys.  



From: John Carpenter <officeexec.mails@inbox.lv>
Sent: Thursday, September 6, 2018 11:20 AM
To: Emily Walker <ewalker@distracted.com>
Subject: Respond
Let me know when you are available. There is something I need you to do.
I am going into a meeting now with limited phone calls, so just reply my email.
John Carpenter
Sent from my iPad
-----------------------------
Subject: RE: Respond
Date: 6 September 2018 at 21:24:35
From: Emily Walker <ewalker@distracted.com>
To: John Carpenter <officeexec.mails@inbox.lv>
Did you intend to send this to me?
Emily Walker
Project Manager
Sent from my iPhone
-----------------------------
From: John Carpenter <officeexec.mails@inbox.lv>
Sent: Thursday, September 6, 2018 11:28 AM
To: Emily Walker <ewalker@distracted.com>
Subject: RE: Respond
Yes Emily, can you get this done ASAP? I need some couple of gift cards.
There are some listed clients we are presenting the gift cards. How
quickly can you arrange these gift cards because i need to send them
out in less than an hour. I would provide you with the type of gift
cards and amount of each.

Sent from my iPad
---------------------
Subject: RE: Respond
Date: 6 September 2018 at 21:48:03
From: Emily Walker <ewalker@distracted.com>
To: John Carpenter <officeexec.mails@inbox.lv>
Can do now. I’ll put on my credit card. Send me the following:
Type
Number
Amount
Emily Walker
Project Manager

Sent from my iPhone
-------------
From: John Carpenter <officeexec.mails@inbox.lv>
Sent: Thursday, September 6, 2018 11:52 AM
To: Emily Walker <ewalker@distracted.com>
Subject: RE: Respond

The type of card I need is Apple iTunes gift cards. $100 denomination,
I need $100 X 20 cards. You might not be able to get all in one store,
you can get them from different stores. When you get the cards, Scratch
out the back to reveal the card codes, and email me the codes. How soon
can you get that done? Its Urgent.
Sent from my iPad
--------------------------

Subject: RE: Respond
Date: 6 September 2018 at 21:55:17
From: Emily Walker <ewalker@distracted.com>
To: John Carpenter <officeexec.mails@inbox.lv>
I can do now. Do you want me to do online instead?
Emily Walker
Project Manager

Sent from my iPhone
-------------------------

On Sep 6, 2018, at 11:57 AM, John Carpenter <officeexec.mails@inbox.lv> wrote:
I need you get physical card from the store
Sent from my iPad
---------------------------
Subject: Re: Respond
Date: 6 September 2018 at 22:01:32
From: Emily Walker <ewalker@distracted.com>
To: John Carpenter <officeexec.mails@inbox.lv>
On my way to store now. What time need by?
Sent from my iPhone
---------------------

On Sep 6, 2018, at 12:05 PM, John Carpenter <officeexec.mails@inbox.lv> wrote:
As soon as you can. I will await codes
Sent from my iPad

--------------------------
Subject: Re: Respond
Date: 6 September 2018 at 22:13:37
From: Emily Walker <ewalker@distracted.com>
To: John Carpenter <officeexec.mails@inbox.lv>
If choice between the two do you want $15 or $25?
Sent from my iPhone
---------------------

On Sep 6, 2018, at 12:16 PM, John Carpenter <officeexec.mails@inbox.lv> wrote:
$100
Sent from my iPad
----------------

Subject: Re: Respond
Date: 6 September 2018 at 22:51:58
From: Emily Walker <ewalker@distracted.com>
To: John Carpenter <officeexec.mails@inbox.lv>

Just texted you the first 11 codes. Heading to another store now. 5 and 6 limit per store.
Sent from my iPhone
------------------------
On Sep 6, 2018, at 12:54 PM, John Carpenter <officeexec.mails@inbox.lv> wrote:
Email the codes to me
Sent from my iPad
---------- 
End of email thread. One hour and twenty five minutes later, the bad guys had 2 thousand dollars in iTunes gift cards in their hands and Emily had charged all of them on her personal credit card. OUCH!
I suggest you send the following to your employees in accounting specifically. You're welcome to copy, paste, and/or edit:
The bad guys are getting creative with hybrid giftcard  / CEO Fraud scams, There is a massive campaign underway where they are impersonating an executive and urgently ask for gift cards to be bought for customers. The numbers need to be emailed or texted to the boss, after they are physically bought at stores. N ever comply with request like that and always confirm using a live phone call to make sure this is not a scam. Sometimes it's OK to say "no" to the boss!
Can Your Domain Be Spoofed?

Did you know that one of the first things hackers try is to see if they can spoof the email address of someone in your own domain? Now they can launch a "CEO fraud" spear phishing attack on your organization.
 
https://blog.knowbe4.com/scam-of-the-week-the-boss-needs-itunes-gift-cards-for-customers...-now