Locky Ransomware Alert

Ransomware dubbed “Locky” is spreading via email, in the form of a Word file attached to email messages. Locky email is translated into various languages and localized by region. Emails carrying this type of ransomware may look something like the following:

Screenshot showing email dated 2/16/16 with the following text "Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice. Let us know if you have any questions. We greatly appreciate your business: Laurel wareing".

Once the Word attachment is opened, users see scrambled content and are asked to enable macros. If macros are enabled, the malware spreads and encrypts files of nearly all formats, renaming them as hash.locky files, including files on any mounted USB sticks and network file shares. Once the files are encrypted, users receive the following:

Screenshot showing Locky encryption message. Message stated "All of your files are encrypted with RSA-2048 and AES-128 ciphers." Message provides links to follow to obtain the decryption key and remediation steps, should the links provided not work.

Locky ransomware typically asks victims to pay between 0.5 and 2 Bitcoins ($208 – $800) for the decryption key.
The antivirus software available through NYU, Symantec Endpoint Protection, may not provide full protection against all variants of this malware. Google also checks for viruses, and you can see if one has been identified. If so, the Gmail attachment will be marked “virus found”, as in the image below:

Screenshot showing Gmail Anti-virus warning message. Message states "1 attachment contains a virus or blocked file. Downloading this attachment is disabled".

Therefore, if you see .locky extension files appearing on your computer, USB drives, or network shares, you should contact the NYU IT Service Desk immediately at 212.998.3333 or at AskIT@nyu.edu and disconnect the computer from the network. System administrators who see .locky extension files appearing on their network shares may look up the file owner of the _Locky_recover_instructions.txt file in each folder. It is recommended that you lock the Active Directory user and computer accounts identified this way.
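One way to carry out the file-owner lookup described above, as an added example that is not part of the original alert. The share path `\\fileserver\share` is a placeholder, and the per-owner summary columns are choices made for this example.

```powershell
# Added example: map Locky artifacts on a share to the accounts that own them.
param(
    [string]$SharePath = '\\fileserver\share'    # placeholder; set to the share being triaged
)

$noteName = '_Locky_recover_instructions.txt'    # ransom note name given in the alert

# Collect ransom notes and encrypted (*.locky) files; unreadable folders are skipped.
$artifacts = Get-ChildItem -LiteralPath $SharePath -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq $noteName -or $_.Extension -eq '.locky' }

# Read the NTFS owner of each artifact.
$rows = foreach ($file in $artifacts) {
    try {
        $owner = (Get-Acl -LiteralPath $file.FullName -ErrorAction Stop).Owner
    } catch {
        $owner = '<owner unreadable>'
    }
    [pscustomobject]@{
        Owner     = $owner
        Kind      = if ($file.Name -eq $noteName) { 'note' } else { 'encrypted' }
        Folder    = $file.DirectoryName
        WrittenAt = $file.LastWriteTime
    }
}

# One row per owner: how much was hit, in how many folders, and over what time window.
$rows | Group-Object Owner | ForEach-Object {
    $times = @($_.Group | Sort-Object WrittenAt)
    [pscustomobject]@{
        Owner          = $_.Name
        RansomNotes    = @($_.Group | Where-Object Kind -eq 'note').Count
        EncryptedFiles = @($_.Group | Where-Object Kind -eq 'encrypted').Count
        Folders        = @($_.Group.Folder | Sort-Object -Unique).Count
        FirstSeen      = $times[0].WrittenAt
        LastSeen       = $times[-1].WrittenAt
    }
} | Sort-Object FirstSeen | Format-Table -AutoSize
```

The script only reads file metadata. The owners it lists are the candidates for the account lock recommended above.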

The best way to handle such an infection is to restore backups from external hard drives or USB devices. You must wipe the machines before mounting backup devices, and it is recommended that you check any files synced with services such as NYU Box, DropBox or Google Drive to ensure that these files have not been infected.

Google Chrome Safe Browsing Technology

Google Chrome is now using Safe Browsing technology to protect browsers from shady websites or deceptive advertising on legitimate sites.  This initiative by Google addresses the threat of social engineering, which could involve:

  • deceptive download buttons
  • an ad on a legitimate website pretending to offer an update
  • a warning claiming the system is out of date
  • a security alert for Chrome and third-party media players
  • an ad posing as a trusted entity, which tries to trick users into sharing credentials
  • buttons that mimic TV shows or sports video streams

all of which may be designed to encourage the installation of bogus software or malware.

The following is a Google Chrome warning message associated with deceptive content:

[Screenshot: Google Chrome warning message for deceptive content]

For more information, please see:  https://googleonlinesecurity.blogspot.se/2016/02/no-more-deceptive-download-buttons.html

Gmail – New Authentication Features Make it Easier to Identify Email To/From Unsecured Connections

*Please note that these new features are currently available in free Gmail accounts, and are not yet available in Google Apps for Education.

Google has announced new authentication features for Gmail which will make it easier to identify emails that arrive from, or are being sent to, unsecured or unencrypted connections. Emails arriving from unsecured connections are potentially harmful, and may be phishing attempts or other malicious campaigns designed to capture user data or information. Emails being sent to unsecured connections are more easily hijacked by third parties.

Gmail on the web now provides users with a visual alert (a lock symbol) when they send email to, or receive email from, unsecured connections, as follows:

Screenshot showing an authored Gmail mail message with an unlocked red padlock to the right of the recipient's name/address.

Clicking the lock symbol will display additional information, e.g.,

Screenshot of the message that displays when the open lock symbol is clicked.  Text saying "Some recipients use services that don't support encryption" and further stating "If your message is sensitive, consider removing these addresses or deleting any confidential information." There is a link to "Learn more" and an "OK" button.

If you see the red lock symbol when composing a message, do not send sensitive information.

Additionally, a sender’s profile picture is replaced by a question mark when Gmail is unable to authenticate the sender.

Screenshot showing an authenticated and unauthenticated message Gmail message heading.  The Authenticated message either contains a profile icon or a profile picture and the unauthenticated message contains a red question mark in place of the profile picture/image.

If you receive an unauthenticated message, it may be forged. Before replying, clicking any embedded links, or opening any associated attachments, please confirm message authenticity by contacting the sender directly.

For more information, please see: https://support.google.com/mail/answer/6330403?p=tls&hl=en&rd=1

Dell Security Phishing Self Assessment

The following is a Dell Security phishing self-assessment tool which will allow you to test, and hopefully refine, your phishing detection skills and knowledge.

Once you click the link below, you will be presented with ten sample emails in succession. You will have the opportunity to mark each as “Legitimate” or “Phishing”. Upon completion, you will see your score, and will be able to view the rationale behind why each email was considered legitimate or phishing.

Please feel free to share this link!

https://www.sonicwall.com/phishing/