NYU IT Security News and Alerts

Imposter Scams

Imposter scams take various forms, but what they all have in common is that a scammer poses as someone you know and attempts to obtain personal or sensitive information from you. Scammers may pose as someone you know personally or someone in a shared group or organization, such as your place of employment, or someone from a known and trusted organization such as your bank or the IRS. To learn more about different types of imposter scams, please visit www.ftc.gov/imposters, which is an FTC web page containing videos and other resources detailing many common imposter scams.

Accordingly, University employees may receive forged communications purporting to come from an NYU executive or higher up seeking access to resources or sensitive information. These types of communications may arrive via email, text, social media or a phone call. Please be mindful that phone numbers and email addresses may be spoofed, so a communication may appear to be legitimate when it’s not. You may wonder how a scammer would know to target you for certain types of information and what security recommendations can be offered for requests you may receive – please read on!  

Social engineers review and harvest information from social media and public facing websites to use in targeted attacks. This is why it’s always advisable to limit what you post online about yourself, others and your employer. It is also always advisable to call the requester at a trusted phone number, such as their NYU Directory phone number, to confirm the request received.

Please take note of the following additional recommendations:

  • Take the time needed to examine all requests received and do not let a sense of urgency, which may accompany a request, speed your review.
    • Be on the lookout for anything unfamiliar, such as a salutation, closing, or language that the requester would not use.
    • Be wary of requests which ask you to bypass established processes/procedures.
    • Scammers may spoof an email address or use an email address that is similar to the sender’s email address. With spoofed email addresses, the address looks correct, but another email address displays when you hover over it.
    • Scammers may also use an email address that does not exist. For example, HR@nyu.edu is not an actual NYU email address.
    • Be suspicious of any request for information or access to resources that purports to be from an NYU executive or higher up that is received via social media.
  • Report imposter scams to phishing@nyu.edu.
  • Please see the following KBase article for tips on identifying phishing generally: Recognizing phishing scams and protecting yourself online.  

Resources:

https://www.consumer.ftc.gov/features/feature-0037-imposter-scams
https://www.consumer.gov/articles/imposter-scams
https://wp.nyu.edu/itsecurity/2018/11/16/gift-card-scams

Gift Card Scams

Please be advised that gift card scams are on the rise. In these types of scams, social engineers commonly pose as a trusted contact (an executive, a faculty member, the president of an institution or organization, etc.) and request that you purchase gift cards in connection with a fundraiser, charity or organizational event and provide them with the redemption codes found on the back of the gift cards. Once a victim supplies the redemption code, the value of the card is stolen and card use cannot be traced.

Reported scam details include:

  • This type of scam may occur via email, text message, social media contact or phone call.
  • The malicious actors may state that they are too busy to purchase the requested gift cards and ask for your assistance in doing so, or they may pose as a person you know who is in urgent need of some type of assistance via a gift card.
  • Scammers are requesting gift cards from a variety of merchants including iTunes, Google Play, Amazon, Target, Walgreens and Walmart.

Recommendations:

  • Closely scrutinize all messages asking you to make a purchase or disclose sensitive information. For tips on recognizing phishing scams and evaluating email messages you receive, please see the following NYU IT Connect article, Phishing, Spear Phishing and Whaling and the following KBase article, Recognizing phishing scams and protecting yourself online.   
  • If you receive a message/call asking you to make a gift card purchase, or asking that you disclose sensitive/confidential information, verify with the requestor via trusted means of contact, such as a known phone number. Do not use a phone number provided as part of the request.
  • If you fall victim to a gift card scam, the FTC advises that you report it to the merchant and to the FTC at ftc.gov/complaint.

Evernote 6.15 for Windows Upgrade Advisory

A cross-site scripting (XSS) vulnerability has been discovered in version 6.15 of Evernote for Windows. This vulnerability can be leveraged to run programs remotely on a victim’s computer. Specifically, a malicious actor could embed a link that loads malicious script in the file name of an image inside of a note, and send it to a victim. If viewed in presentation mode, the NodeWebKit runtime will automatically execute the code, allowing it to open system programs and files.

Evernote has patched this vulnerability in its 6.16.1 beta update. It is recommended that Evernote for Windows users apply this update as soon as possible.

Apache Struts Upgrade Advisory

Users and admins of Apache Struts 2.3.36 and prior versions are advised to immediately upgrade to 1.3.3, which is the latest version of the Commons FileUpload library. This upgrade addresses a remote code execution vulnerability. Please note that versions 2.5.12 and subsequent versions are not impacted. For more information, please see the following Apache security advisory.

Shop Safely This Holiday Season & Beyond

The holiday season is the ideal time for cybercriminals to take advantage of unsuspecting or inattentive online shoppers. Protect your purchases, your sensitive information, your devices and the data stored thereon by making sure these precautions are part of your online shopping habits:

  • Regularly patch/update all of your devices – this is a general best practice – all internet connected devices, including IoT devices, should be regularly patched and updated. Patches address known vulnerabilities which malicious actors seek to exploit.
  • Strengthen your logins – fortify your online accounts whenever possible with the strongest authentication available, whether it’s multi-factor authentication (“MFA”) which involves authentication with a device and an application or code, or biometric authentication which may involve the use of a fingerprint or facial recognition software.
    For more information on NYU MFA, please visit: http://www.nyu.edu/it/mfa
  • Protect your devices with antivirus software – which will protect you from known viruses, spyware and malware.
    • NYU supported antivirus and malware protection software (for Windows or Mac) is available to all NYU degree seeking students, faculty, staff, and all NYUHome-eligible consultants for use on their personal and NYU-owned devices that connect to NYU-NET. Please see the Symantec Endpoint Protection access and eligibility KBase article for more information.
  • Be savvy about WiFi usage
    • Refrain from online shopping, performing financial transactions or accessing any of your online accounts on public WiFi even if it’s password protected. Although your local coffee shop may offer password protected WiFi, a hacker could be among the patrons and may be spying on all network activity and stealing credentials and other sensitive information.
    • If you must use public WiFi, connect to a virtual private network (“VPN”) first. For more information on NYU VPN, please visit: http://www.nyu.edu/it/vpn
    • To prevent your device from auto-connecting to open networks and to prevent other devices from connecting to your device(s), turn off WiFi and Bluetooth when not in use, or with respect to WiFi, make sure that you’ve set your device to ask you before it joins open networks.
  • Refrain from using public computers to access any of your accounts or sensitive information – these computers may be infected with spyware or keystroke loggers.
    • If you must use a public computer to access personal accounts/sensitive information, it is recommended that you change your password for all accounts you’ve accessed using a trusted device asap.
  • Phishing alert! Analyze email deals and always visit sites of interest by searching for them or by typing URLs into your browser’s address bar – remember that it is not advisable to visit sites via embedded links in email messages. These embedded links may redirect you to a spoofed website with a forged login prompt, where your credentials are stolen once you’ve entered them.
  • Shop on reputable websites – buy from known and trusted sellers. Look for the green padlock icon in your browser’s address bar followed by “https://” before entering your payment information. Remember, if an offered deal sounds too good to be true, it most likely is! Please also be aware that customer testimonials are not proof of the legitimacy of a website, as testimonials can be forged.
  • Your personal information has value, protect it – be alert to the types of information being sought when completing a transaction and fill out required fields only. If the information is not necessary, don’t supply it.
  • Safeguard your devices against theft and lock your devices when not in use – when on the go, your devices should always be in a secured location or within your reach and screens should be locked when not in use.
  • Be aware of identity theft – closely monitor your financial accounts for transactions you did not make/authorize.
    • For tips on preventing and correcting identity theft, please see the following NYU IT Connect article: Protect Who You Are Online.

FlawedAmmyy Remote Access Trojan (“RAT”) Alert

There has been a recent uptick in phishing emails attempting to deliver the FlawedAmmyy remote access trojan (“RAT”). If successful, this RAT may provide malicious actors with full control of affected systems, including Remote Desktop control, proxy support, audio chat, and file system manager functionalities.

Recent emails in this campaign have a Subject line beginning with “Invoice for” followed by random numbers and the date. Emails have an MS Word attachment titled “Invoice” with random numbers. If a recipient opens the attachment and enables the macro, FlawedAmmyy is downloaded onto their device.

Please be reminded of the following:

  • Do not open unexpected attachments, even when attachments appear to come from a known person or entity.
  • All embedded links in email messages should be evaluated for security before you click them, even when the email appears to come from a known person or entity.
  • If an embedded link takes you to a login page where you are asked to input your credentials or supply other sensitive/confidential information, it is suggested that you instead visit the website of the business/entity at issue by typing the URL into your browser’s address bar, and log into the legitimate (vs. a potentially spoofed) site.

For a technical description and removal instructions for FlawedAmmyy, please see: https://www.symantec.com/security-center/writeup-print/2018-092813-5722-99
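The following Python script is an added example, not part of the original post or of any NYU IT tooling. It turns the indicators described above (a sender whose display name claims NYU while the address is on a lookalike domain, as in the Imposter Scams section, and the “Invoice for” subject with a numbered Word attachment from this campaign) into simple triage checks over constructed sample headers; the sample addresses, subjects and the hypothetical TRUSTED_DOMAINS set are assumptions for the demonstration.

```python
import re
from email.utils import parseaddr

# Constructed sample headers for this example; none are real messages.
SAMPLE_EMAILS = [
    {"from": "Jane Doe <jane.doe@nyu.edu>", "subject": "Agenda for Monday",
     "attachments": []},
    {"from": "NYU Provost <provost.office@nyu-edu.com>", "subject": "Quick favor",
     "attachments": []},
    {"from": "Accounts <billing@example.com>", "subject": "Invoice for 48213 10/29/2018",
     "attachments": ["Invoice 48213.doc"]},
]

# Hypothetical list of domains the organization considers its own.
TRUSTED_DOMAINS = {"nyu.edu"}


def lookalike_domain(domain, trusted=TRUSTED_DOMAINS):
    """True when a domain resembles a trusted domain without being it (e.g. nyu-edu.com)."""
    if domain in trusted:
        return False
    squashed = re.sub(r"[^a-z0-9]", "", domain.lower())
    return any(re.sub(r"[^a-z0-9]", "", t) in squashed for t in trusted)


def invoice_campaign_match(subject, attachments):
    """Match the lure described in the alert: 'Invoice for' + numbers in the
    subject and a Word attachment named 'Invoice' + numbers."""
    subject_hit = re.match(r"(?i)invoice for\s+\d+", subject) is not None
    attach_hit = any(re.match(r"(?i)invoice[\s_-]*\d+\.(doc|docm|docx)$", a)
                     for a in attachments)
    return subject_hit and attach_hit


def triage(msg):
    """Return the list of indicators that fired; an empty list means none did."""
    reasons = []
    name, addr = parseaddr(msg["from"])
    domain = addr.rpartition("@")[2].lower()
    if lookalike_domain(domain):
        reasons.append(f"sender domain {domain} resembles a trusted domain")
    # Display name claims NYU, but the actual address is not on a trusted domain.
    if name and "nyu" in name.lower() and domain not in TRUSTED_DOMAINS:
        reasons.append(f"display name '{name}' claims NYU but address is {addr}")
    if invoice_campaign_match(msg["subject"], msg["attachments"]):
        reasons.append("subject/attachment match the 'Invoice for' macro lure")
    return reasons


if __name__ == "__main__":
    for m in SAMPLE_EMAILS:
        print(m["from"], "->", triage(m) or "no indicators")
```

A flagged message is a prompt to verify with the sender through a trusted phone number, as recommended above, not proof of fraud on its own.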

Google+ Vulnerability and Shutdown of Consumer Version

Google recently disclosed that they discovered a vulnerability in their Google+ People API in March of this year, which was patched immediately. This vulnerability:

  • which has been open since 2015, potentially exposed the private data of 500,000+ users to third party developers.
  • disclosed data including user full names, email addresses, dates of birth, gender, profile photos, places lived, occupation and relationship status.
  • cannot be traced back to specific users, as API logs were retained for only two weeks.

Google did not report the vulnerability sooner because it did not meet the public disclosure requirements as there was no evidence of data misuse or evidence that developers knew of the vulnerability. Given the challenges associated with creating and maintaining Google+ combined with the low usage of the consumer version, Google has decided to sunset the consumer version of Google+ over a 10 month period (to be completed by the end of next August). Over the coming months, Google states that it will provide consumers with additional information, including ways in which they can download and migrate their data.  

However, Google+ will be retained as an enterprise product, and Google will be announcing/launching new features for businesses. Please note that nyu.edu accounts are enterprise accounts. Privacy measures which have been implemented include an Account Permissions system that asks third party apps for each requested permission individually vs. all at once, giving users more granular control over what data is shared with apps. Further, Google has restricted access to the Gmail API to apps that directly enhance mail functionality, such as email clients, backup and productivity services.

Resources:

https://www.blog.google/technology/safety-security/project-strobe/
https://thehackernews.com/2018/10/google-plus-shutdown.html

Remote Desktop Protocol (“RDP”) Alert

The Internet Crime Complaint Center (IC3), the FBI and the DHS issued a Public Service Announcement on September 27th, which details increased exploitation of RDP in connection with malicious cyber activities. RDP is a proprietary network protocol developed by Microsoft that allows an individual to gain control of computer resources and data over the Internet. RDP provides total control over a remote machine, and intrusions can be difficult to detect. If not properly secured, RDP can be used to steal confidential/sensitive information, compromise identities, install backdoors or launching points for attacks, and infect devices/systems with malware, including ransomware.

To protect against RDP attacks, the FBI and the DHS offer the following recommendations:

  • Implement/require strong passwords and account lockout policies.
  • Enable multi-factor authentication whenever possible. For more information on NYU MFA, please see http://www.nyu.edu/it/mfa.
  • Keep systems and software fully updated/patched.
  • Limit network exposure for all control system devices.

Recent Facebook Breach

On Friday September 28th, Facebook announced a breach that impacted 50 million users. In this breach, malicious actors exploited a series of bugs, including a weakness in Facebook’s “View As” feature which allows users to see how their profile appears to others and malicious actors also stole digital keys which allow users to stay logged onto Facebook. These vulnerabilities allowed attackers to take over user accounts and possibly gain access to apps that users can login to through Facebook, such as Instagram and Spotify. Facebook has temporarily turned off the “View As” function and has otherwise stated that the vulnerabilities have been fixed.  

Facebook further states that impacted users will see a message about the breach on top of their News Feed when they log back in. The FTC has advised users to be on the lookout for and consider the following:

  • Imposter scams in which malicious actors pose as someone you know or a company you do business with. Remember that phone numbers and email addresses can be spoofed and a call or email that appears to be coming from a familiar phone number or person/entity may be coming from a malicious actor. Use discretion and never provide personal or sensitive information to callers even when threats are made or the call has a sense of urgency. When in doubt, phone the person/entity back at a contact phone number you independently obtain to confirm the information you’ve received via phone or email. For more information on phishing and phone scams, please see the following NYU IT Connect articles, Learn to Spot a Phony; Detecting and Avoiding Phone Scams and Phishing, Spear Phishing and Whaling.
  • Consider changing your Facebook password even though Facebook has advised that it is not necessary and change your security questions as well, especially if the answers to your security questions can be found on Facebook. If you used the same password for other accounts (which is not a recommended practice), change these passwords too. For password recommendations and best practices, please see the following NYU IT Connect article, Under Lock and Passphrase.

NCSAM 2018 (National Cybersecurity Awareness Month)

October is National Cybersecurity Awareness Month (“NCSAM”). The overall theme of NCSAM is that security is everyone’s shared responsibility, and the month of October is dedicated to education about cyber threats, including tips and best practices.

NYU’s National Cybersecurity Awareness Month 2018 themes are:

  • Learn to Spot a Phony
  • IT Safety & Security at Home
  • Don’t Get Scammed by Short URLs
  • Are you Password Savvy?

Learn More and Earn a Chance to Win a Prize!

Throughout October, visit the Security Awareness website for new information, including short informational videos and quizzes that offer a chance to win movie tickets!

More Information

  • As always, tune into the IT Security News & Alerts blog for important announcements, and subscribe at the right to receive a copy of each post by email as soon as it’s published.
  • Check out Connect: IT at NYU for information security articles and news.
  • Finally, be on the lookout for NYU IT Facebook and Twitter posts throughout NCSAM for timely and informational tips and reminders.