NYU IT Security News and Alerts

NYU IT Security News and Alerts

Gift Card Scam Alert/Update

Please be advised that the Office of information Security (“OIS”) has seen a recent uptick in imposter scams. As an update our posts on imposter scams and gift card scams (which are a type of imposter scam), please be on the alert and note the following 3 recent examples of these types of scams:  

Example #1

Screenshot of a phishing email requesting the urgent purchase of two $100 Amazon gift cards. Requests the gift card redemption numbers in the form of a photo of that information as it displays on the cards.

 

  • This message purports to come from an NYU executive and uses a sense of urgency, which is a common phishing ploy, to impel the recipient to action.

Example #2

Screenshot of a phishing email message requesting urgent assistance in obtaining iTunes gift cards

 

Example #3

Screenshot of phishing email with a subject of "Urgent" and stating "There is something I need you to do now" and further stating "You can only talk to me through Email".

Please Note: 

  • Both examples #2 and #3 purport to come NYU email addresses, and the sender’s email address in both examples contains familiar elements, nyu.edu@gmail.com and nyu.edu@outlook.com. NYU email will always be in the following format: [name/alias/or NYU NetID]@nyu.edu.  
  • Both examples #2 and #3 also use a sense of urgency to impel the recipient to action.
  • Although text in Example #3 states “You can only talk to me through Email”, please be reminded that it is a recommended best practice to confirm urgent or sensitive email requests via a trusted means of communication, such as a phone call to a trusted phone number, such as an NYU Directory phone number.

New Electronic Data and System Risk Classification Policy

Please note that NYU IT has replaced two data-centric policies (Data Classification Table and Reference for Data and System Classification) with the new Electronic Data and System Risk Classification Policy, which incorporates necessary General Data Protection Regulation (“GDPR”) data-centric information. Please consult this policy for information on how NYU classifies information assets into risk based categories and security precautions that must be taken to protect these assets from unauthorized access. It is recommended that this policy be read in conjunction with the Data and System Security Measures policy, which details specific security measures that apply to each data and system classification.

Marriott Breach Update

As an update to our 12/05/18 post on the Marriott breach, please be advised that Marriott has provided an update on this security incident, which details the number of guests, passport numbers and payment cards impacted by the breach as well as guest monitoring/support resources. Marriott states that they will be  putting a mechanism in place whereby designated call center reps will be able to refer guests to appropriate resources to check if their individual passport numbers were among the unencrypted passport numbers that were exposed. Marriott will update its designated website for this incident (https://info.starwoodhotels.com) once this mechanism is in place.

Windows & Windows Server Vulnerabilities – update asap

The US-CERT (United States Computer Emergency Readiness Team) has issued an advisory respecting two vulnerabilities found in Microsoft Windows and Windows Server. Successful exploitation of either vulnerability could allow a remote actor to take control of an affected system. Microsoft has patched both of these vulnerabilities via the January Patch Tuesday update and it is recommended that users/admins apply the most recent update asap. CVE-2018-8611 is a Windows Kernel Elevation of Privilege Vulnerability impacting supported Windows client and server versions.  CVE-2018-8626 is a Windows DNS Server Heap Overflow Vulnerability affecting Windows servers configured as DNS servers.

Netflix Phishing Scam

Please be advised of a Netflix phishing scam warning that “Your account is on hold” and asking you to update your payment information via an embedded  “Update Account Now” link. The following is a sample of this phishing message.

Screenshot of a Netflix phishing message with banner text stating "Please update your payment details"

Please be reminded:

  • that an email from a familiar company requesting credential input or an update of payment/account information via an embedded link is a common scam tactic designed to steal your sensitive information.
  • to be suspicious of unexpected links and attachments in email, text messages and social media messaging. Always be sure that you are visiting a legitimate (vs. spoofed) website by typing a site URL directly into your browser’s address bar.
  • to scan messages for expected tone/language and grammar usage. For example, the message above employs a salutation of “Hi Dear”, which is not a salutation Netflix would use and suggests that if you need help, you should visit the Help Centre (vs. Center).  
  • that @nyu.edu email accounts are protected by URL Defense, which automatically rewrites URLS in all incoming external email message and protects you at the time you click a link by blocking malicious sites. Please see URL Defense FAQs for more information.

If you were a victim of this scam, it is recommended that you:

  • contact the financial institution associated with the payment information you entered as this information has been compromised.
  • change your Netflix password. If you use the same password on other accounts (not a recommended practice) change these passwords as well.
  • report it to: phishing@netflix.com and the FTC at spam@uce.gov.

Resources:

Make Your Holidays Happy With IoT Device Security

The internet of things (IoT) has introduced many smart devices with features that make our lives considerably more convenient by applying connectivity to everyday tasks. However, these conveniences also introduce both security and privacy concerns that need to be proactively addressed such as data and credential theft, spying and manipulation via device settings/functions. The following are best practices you can use to address the security concerns presented by IoT devices:

  • Immediately change default credentials. Malicious actors know or can easily obtain the manufacturer’s default credentials. 
  • Enable MFA (multi-factor authentication) on all devices which support it as MFA will further protect your devices if your credentials are compromised or stolen.
  • Review device default privacy and security settings – these settings are chosen by manufacturers, make sure they work for you and reset as/if necessary.
  • Disable features you don’t plan to use – doing so minimizes the device’s attack surface or potential for manipulation.
  • Keep device firmware up-to-date – apply updates/patches promptly as malicious actors seek to exploit known vulnerabilities which are addressed by patches.
  • Do not connect IoT devices to untrusted networks such as public WiFi networks – malicious actors may target devices connecting to these networks.
  • Secure your home WiFi network.
    • Use long and unique passwords for each device. For password tips please see the following Connect article, Under Lock and Passphrase.
    • Set up a firewall at your router to act as a barrier between your devices and possible threat actors.
    • Consider disabling SSID broadcasting. This prevents automatic transmission of your network name or SSID into the open air. If disabled, users will have to know your network name to connect to it. For more information, please see the following article from Lifewire: Disable SSID Broadcast to Hide Your Wi-Fi Network.

Additionally, for tips on router security, see the following NYU IT Security News & Alerts blog post: Home WiFi Router Security: What You Should Know.

Happy Holidays!

Decorative screenshot showing candy canes, small gold pine cones, small gifts in gold wrapping paper with red ribbon and holiday garland

 

iPhone touch-to-pay feature alert

Two fitness apps, “Fitness Balance” and “Calorie Tracker” were recently found to be charging users without their consent and have been removed from the App Store. These apps had phony positive reviews in the App Store and were displaying pop-ups which prompted users to scan their fingerprint to unlock features. However doing so would result in an automatic charge to the user’s credit card, ranging from $99-139. iPhone X users who had double click to pay enabled were protected against the charge.

Recommendations:

It is recommended that iPhone X users enable “Double Click to Pay” and that all other iPhone users disable Touch ID for payments via Settings, Touch Id & Passcode, and disable “User touch ID for iTunes & App Store”. Victims of this scam can submit a report to Apple.

Resource:

https://www.welivesecurity.com/2018/12/03/scam-ios-apps-promise-fitness-steal-money-instead/

Marriott Breach

Marriott has announced a breach of their Starwood reservation database which has exposed the personal information of 500 million people. Starwood hotels include: W Hotels, St. Regis, Sheraton Hotels and Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Meridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. This breach impacts anyone who made a reservation between 2014 and September 18, 2018.  

Marriott has confirmed that hackers were able to access names, addresses, phone numbers, email addresses, passport numbers, dates of birth, gender information, Starwood loyalty program account information as well as reservation information. Credit card numbers and expiration dates were potentially exposed. Marriott has set up a website (https://answers.kroll.com) containing incident information, resources, FAQs, and customer next steps, including free WebWatcher enrollment. WebWatcher monitors monitors sites where personal information is shared and notifies consumers if their personal information is found on these sites. U.S. guests who enroll in WebWatcher will also receive free fraud consultation services and reimbursement coverage.

As phishing attempts related to this breach will likely arise, Marriott states that emails to customers concerning this breach will not have attachments or requests for information. The FTC advises that the safest way to access breach information is via the Marriott website: https://answers.kroll.com.

Recommendations:

For those who have made a reservation at a Starwood hotel during the period impacted by the breach (2014- September 18, 2018):  

  • Monitor your financial accounts to ensure there are no unauthorized transactions. Many credit card providers offer a service whereby you can request notification (by text or email) of charges that exceed a certain amount.  
  • Change your Marriott/Starwood account password even if your account has not been reported as compromised. This is a simple step which may protect you from possible negative impacts.
  • Place a fraud alert on your credit files. Fraud alerts warn creditors that you may be a victim of identity theft and that they should verify that anyone seeking credit is really you.
  • Consider a credit freeze so that identity thieves will be unable to open new lines of credit.

Resource:

Phishing Sites Now Using Green Padlock Symbols

Screenshot showing a truncated view of an internet browser address bar, with a green padlock symbol followed by https and www

Social engineers continue to get more sophisticated in their attempts to trick you. A current example is that the green padlock symbol, a recognizable element of site safety, that’s visible in your browser’s address bar, is now being used in many phishing sites. The green padlock symbol denotes that the data exchanged between the browser and website is encrypted with SSL (Secure Sockets Layer) technology and cannot be read by third parties. Further, the “https” which follows the green padlock in your browser’s address bar means a site has a valid SSL certificate. Phishers are now adopting SSL, registering domain names and creating certificates for their websites. Hence, the green padlock security indicator can no longer be solely relied upon to determine a website’s safety or security.

Recommendations:

  • Experts suggest that users look for inconsistencies in a site’s URL and webpage.
  • It is a recommended best practice to visit a site by typing the URL into your browser’s address bar or locating a site via an internet search.
  • It is not advisable to visit sites via embedded links in email messages as this is a commonly used method for directing victims to spoofed sites.  

Resources:

New Facebook Tech Support Scam

A new type of imposter scam using Facebook’s Sharer dialog, has been detected. Facebook’s Sharer dialog is typically used by website owners to share content on Facebook. This scam tricks users into thinking there is a problem with their account and that they need to call one of the provided phone numbers to resolve it. If one of the provided numbers is phoned, an imposter posing as Facebook Support may ask to take over your computer to address the problem. The scammer may attempt to install malware or to sell you unnecessary or malicious software and may also steal your payment information in the process.

The following is an example of the spoofed “Share on Facebook” dialog with the phony warning message (please note the grammar errors in this message which are a tell-tale sign of phishing!):

Screenshot of Facebook "Warning!" message saying "We've registered a suspicious activity on your page. You're account could be hacked. Please call Facebook support team to restore access to your account." Two telephone numbers are provided followed by the following note "If you visit distrustful sites, you can lose your personal data including passwords, payment details, etc." Signed "FBSUPPORTPRO Facebook Support Team, Account Safety Warning!"

Image courtesy of Bleeping Computer

Please be advised that there are no Tech Support phone numbers for Facebook. If you have called a purported Facebook Tech Support phone number, it is recommended that you change your Facebook password asap and enable two-factor authentication on your Facebook account. Additionally, if you have provided access to your computer or installed any provided software, scan your computer using antivirus malware protection software, and delete anything identified as a problem and restart your computer at the conclusion of the process.  For information on NYU provided antivirus software, please see the following KBase article, Symantec Endpoint Protection access and eligibility.

Resource:

https://www.bleepingcomputer.com/news/security/scammers-use-facebook-sharer-page-to-push-tech-support-scams/