Tech Friday


  • Students targeted with back-to-school phishing and malware scams:
    • Proofpoint reported that the education sector saw the largest year-over-year increase in email fraud attacks in 2018
    • Researchers warned that students at hundreds of universities are being targeted with spoofed emails
    • Cybercriminals are taking advantage of the back-to-school frenzy. Chris Dawson, threat intelligence lead at Proofpoint, said, "Cybercriminals capitalize on this atmosphere and target both students and staff to gain access to credentials and vast stores of sensitive data available in student information systems."
    • These emails may contain attachments with a malware payload and/or links to spoofed login portals
    • Spoofed web portals steal students’ credentials which can then be used to steal and resell intellectual property, leverage internal access, conduct internal phishing, etc.
    • "Schools balance a culture of openness and information-sharing with rules and controls to effectively protect user privacy and system security while the severity and sophistication of attacks against schools continue to increase" - Dawson
    • A group named TA407/Silent Librarian has launched targeted social engineering campaigns to steal students’ login credentials from hundreds of universities, according to Proofpoint
    • The TA407/Silent Librarian attacks involve very realistic emails with links or attachments directing victims to spoofed university login portals
    • The emails typically say something like "Your library account has expired, therefore you must reactivate it immediately or it will be closed automatically. If you intend to use this service in the future, you must take action at once!"
    • The bad guys get the student's credentials and in many cases, students have used the same credentials for many sites
    • Faculty and staff have also been targeted in phishing scams
    • Cybercriminals are also targeting education-themed resources such as essays or online textbooks to hide malware that will infect visitors
    • Kaspersky reported that researchers discovered at least 356,000 malicious files disguised as school- and student-related content over the past academic year
    • More than 74,000 people downloaded 223,000 cases of malicious essays, and one-third of the malicious files were "textbooks"
    • English textbooks containing malware were most popular among K-12 students, while math textbooks were the next most common, per Kaspersky
    • Researchers indicated these attacks are most active in the beginning of the school year, upon return from winter break and at the conclusion of the school year
    • Students should be wary of phishing emails and spoofed portals and should ignore these messages or validate them using some out-of-band method such as a phone call to the agency that purports to have sent them
    • Always be skeptical. Phishing attacks are increasingly common and sophisticated
    • Use a strong, unique password for each site
    • Consider using a secure password manager application. Intrust IT recommends LastPass
    • Enable multi-factor authentication (MFA), also known as two-factor authentication (2FA), wherever possible
  • You can no longer trust Android "Settings Update" messages from your carrier:
    • Security researchers from Check Point Software recently warned that some Android smartphones are vulnerable to phishing attacks disguised as a carrier update text message
    • Affected models include those by Samsung, Huawei, LG, and Sony. According to the latest data from StatCounter, this impacts more than 50% of all Android phones
    • "In these attacks, a remote agent can trick users into accepting new phone settings that, for example, route all their Internet traffic through a proxy controlled by the attacker," wrote the Check Point researchers
    • They said "This attack vector relies on a process called over-the-air (OTA) provisioning, which is normally used by cellular network operators to deploy network-specific settings to a new phone joining their network. However, as we show, anyone can send OTA provisioning messages."
    • While the attackers can't gain total control of a device using this technique, they can access all data entering and leaving the phone
    • Check Point Software disclosed the findings to the affected vendors in March
    • "We verified our proof of concept on the Huawei P10, LG G6, Sony Xperia XZ Premium, and a range of Samsung Galaxy phones, including S9," said Check Point
    • Samsung and LG have released a fix; Huawei is planning to include a fix in the next generation of its Mate and P series devices
    • Thus far, Sony has refused to acknowledge the vulnerability
    • Unfortunately, this attack poses a significant risk to personal and corporate data contained on mobile devices
    • Users should update their phone as soon as possible
    • This is another illustration of the need to be skeptical and to use out-of-band methods to validate and verify information and requests
  • Thieves target bank accounts via payment apps:
    • In the past, thieves might have used stolen paper checks to take your money; now digital fraud schemes are a high-volume, low-risk option
    • Increasingly, consumers use cash transfer apps like Venmo to exchange cash because they are easy and convenient
    • Margaret Trimer logged in to her bank and saw roughly $9,000 ready to be paid to a credit card belonging to someone else
    • She called the bank and they told her that she was hit by a scam where bank accounts are raided via electronic money transfer accounts such as PayPal
    • Adam Levin, founder of CyberScout, said, "PayPal accounts are prime targets for scammers because they are linked to the user's bank account or payment card"
    • If a thief can get login credentials for the mobile payment account, they can steal your money
    • Phishing attacks and fake landing pages are common ways that thieves can get your credentials (user name and password)
    • Additionally, thieves may buy credentials off the Dark Web because they know many people use the same credentials on multiple sites
    • "It's remote. I can drain your account without ever having to do anything in person" - Al Pascual, Javelin Strategy & Research 
    • Javelin's research reported that more than $500 million was lost to fraud involving a variety of peer-to-peer payments in 2017
    • If you get hit, you will have to work with the bank to resolve the issues, and you may have issues with any accounts set up for automatic payment
    • Thankfully, Trimer did not lose money because she reached out to the bank immediately
    • Note that banks will not ask you to verify information via email or text
    • What can you do?
      • Check your bank accounts regularly  
      • Don't click links in e-mails or texts
      • Don't give out payment application information to strangers
      • Use a unique strong password for each and every site
      • Use a secure password manager to make it easy to use a strong password on each site/app
      • Enable multi-factor authentication (MFA) wherever possible
      • Don't save passwords or credit information on any website
      • Get one credit card with built-in fraud insurance and cyber liability specifically for online purchases
      • Read the Terms of Service (TOS) of any digital payment application very carefully
      • If you detect any anomalous activity, contact your bank immediately
      • Be skeptical!