
Recent Phishing Attempt Purporting to be from NYU Google Drive

Please be aware of the following phishing attempt purporting to be from NYU Google Drive:

Screenshot showing a message purporting to be a file sharing notification from Google Docs, saying that [masked name] has invited you to edit the document "WTE 3 paper", with a clickable link beneath the name.

Although the embedded link contains familiar elements, please be reminded of the following:

  • Hover over embedded links to see (at the bottom left of your screen) where the link will actually take you if clicked. In this instance the displayed link looks like a Google Docs link, but it is spoofed and actually goes to: buttersidedownhawaii.com/biz-zipp/googledrivez/page.html
  • If you are not expecting to receive a file share or attachment, phone the sender to confirm the legitimacy of the message before opening attachments or clicking any embedded links.
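The hover check above can be automated for an HTML message body: extract every anchor, compare the host the link text shows with the host the href really points to, and flag anything that does not land on a Google domain. The following is an added example written for this page, not code from NYU IT; the sample HTML is constructed to resemble the lure described above, and the Google-domain allowlist is an assumption about what a genuine Drive share notification links to.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body modelled on the lure above (not the actual message).
SAMPLE_HTML = """
<p>Someone has invited you to edit the following document:</p>
<p><a href="http://buttersidedownhawaii.com/biz-zipp/googledrivez/page.html">WTE 3 paper</a></p>
<p><a href="https://docs.google.com/document/d/abc123/edit">https://docs.google.com/document/d/abc123/edit</a></p>
<p>Google Docs: Create and edit documents online.</p>
"""

# Assumed allowlist: a real Drive share notification links to google.com or a subdomain of it.
EXPECTED_DOMAINS = {"google.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lowercase host of a URL; tolerate link text written without a scheme."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def is_under(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def audit_links(html_body, expected_domains=EXPECTED_DOMAINS):
    """Return one finding per link: where it really goes and why it is suspicious."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        reasons = []
        if not is_under(target, expected_domains):
            reasons.append(f"destination host {target!r} is not a Google domain")
        # Link text that itself looks like a URL but resolves to a different host
        # is the classic spoof the hover check is meant to catch.
        if "." in text and " " not in text:
            shown = host_of(text)
            if shown and shown != target:
                reasons.append(f"displayed host {shown!r} differs from real host {target!r}")
        findings.append({
            "href": href,
            "text": text,
            "host": target,
            "suspicious": bool(reasons),
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in audit_links(SAMPLE_HTML):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['text']!r} -> {f['host']}  {'; '.join(f['reasons'])}")
```

Run against the sample body, the "WTE 3 paper" link is flagged because it resolves to buttersidedownhawaii.com while the genuine-looking docs.google.com link passes. The same function can be pointed at the HTML part of any message pulled from a mailbox.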

For more information on these types of phishing attempts, please see the following two posts from earlier in the year: Recent Phishing Emails Claiming to be from File Sharing Services and Phishing Attempt Purporting to Originate from Adobe Acrobat Cloud/Adobe Acrobat DC.

Locky/Osiris Ransomware Alert

We have received reports of ransomware that is being distributed via an Excel attachment to an e-mail message. This specific ransomware is a variant of Locky and has been dubbed Osiris because it gives encrypted files a .osiris extension. For more information on Locky, see the BleepingComputer article linked at the end of this alert.

Please be on the look-out for an email message which may appear something like the following:

Screenshot showing an example of a ransomware phishing message attaching an invoice, an MS Excel file. The text of the email reads "Please find our invoice attached."

It has been noted that these ransomware e-mails carry Invoice INV[random numbers] in the Subject line and an attachment named Invoice_INV[random numbers].xls, which may itself be delivered inside a zip archive.
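Those two indicators (the subject pattern and the attachment name pattern) are enough to write a triage rule for a mail gateway or a mailbox sweep. The following is an added example for this page, not an NYU IT tool: it parses a raw message with Python's standard email module, pulls the Subject and attachment filenames, and returns a verdict. The sample message is constructed to mirror the description above; the regular expressions and the quarantine/review/pass verdict scheme are this example's own assumptions.

```python
import email
import re
from email import policy

# Constructed sample message modelled on the lure above (not a real capture).
SAMPLE_MESSAGE = """\
From: accounts@example.invalid
To: user@example.edu
Subject: Invoice INV000917
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please find our invoice attached.

--b1
Content-Type: application/vnd.ms-excel; name="Invoice_INV000917.xls"
Content-Disposition: attachment; filename="Invoice_INV000917.xls"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Subject: "Invoice INV" followed by digits and nothing else.
SUBJECT_RE = re.compile(r"^\s*Invoice\s+INV\d+\s*$", re.IGNORECASE)
# Attachment: "Invoice_INV" + digits, as an .xls or as a zip wrapping it.
ATTACH_RE = re.compile(r"^Invoice_INV\d+\.(xls|zip)$", re.IGNORECASE)


def attachment_names(msg):
    """Filenames of every MIME part that carries a filename or is an attachment."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name and (part.get_content_disposition() == "attachment" or name):
            names.append(name)
    return names


def triage(raw_message):
    """Score one raw RFC 822 message against the Locky/Osiris lure indicators."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    names = attachment_names(msg)
    subject_hit = bool(SUBJECT_RE.match(subject))
    attach_hits = [n for n in names if ATTACH_RE.match(n)]
    if subject_hit and attach_hits:
        verdict = "quarantine"       # both indicators: hold the message
    elif subject_hit or attach_hits:
        verdict = "review"           # one indicator: route to an analyst
    else:
        verdict = "pass"
    return {
        "subject": subject,
        "attachments": names,
        "subject_match": subject_hit,
        "attachment_matches": attach_hits,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_MESSAGE)
    print(result["verdict"], result["subject"], result["attachment_matches"])
```

Matching on both indicators before quarantining keeps false positives down on legitimate invoices; a subject-only or attachment-only hit is routed for human review instead. The same function can be fed messages read from an mbox or pulled over IMAP.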

If the attachment is opened the user will see a blank spreadsheet and will be prompted to enable macros. If the user enables macros, the macro downloads and runs the ransomware payload, which is delivered as a renamed DLL file.

Once activated, Locky will begin scanning the device and any connected devices, systems or file shares for certain file types, renaming the files and encrypting them with a .osiris extension. A ransom note like the following will appear once file encryption is complete:

Screenshot of a ransomware message advising that all files have been encrypted with RSA-2048 and AES-128 ciphers. To receive a private decryption key, users are advised to follow a provided link.

If you receive an e-mail like the one shown above, or if you see .osiris files appearing on your device(s) or network shares, disconnect your computer from the network and contact the NYU IT Service Desk immediately at 212.998.3333 or at AskIT@nyu.edu. System Administrators who see .osiris files appearing on their network shares should lock the affected Active Directory user and computer accounts.
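For the administrator side of that advice, the question is which account's folder the .osiris files are appearing in and which file appeared first, since that points at the machine to pull off the network. The following is an added example for this page, not an NYU IT script: it walks a share root, lists every file with the .osiris extension, groups hits by top-level folder (assumed here to be per-user home folders) and orders them by modification time. The share layout it builds is constructed for demonstration and is not data from a real incident.

```python
import os
import tempfile
import time
from collections import Counter

ENCRYPTED_EXT = ".osiris"


def find_encrypted_files(root, ext=ENCRYPTED_EXT):
    """Paths (relative to root) of every file whose name ends with ext, oldest first."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ext):
                full = os.path.join(dirpath, name)
                hits.append((os.path.getmtime(full), os.path.relpath(full, root)))
    hits.sort()
    return [rel for _mtime, rel in hits]


def hits_by_top_folder(hits):
    """Count hits per first path component (assumed to be the per-user home folder)."""
    counter = Counter()
    for rel in hits:
        top = rel.split(os.sep, 1)[0] if os.sep in rel else "."
        counter[top] += 1
    return counter


def investigate(root):
    """Summarise an infected share: all hits, per-folder counts, and the first file seen."""
    hits = find_encrypted_files(root)
    per_folder = hits_by_top_folder(hits)
    return {
        "hits": hits,
        "per_folder": dict(per_folder),
        "suspect_folders": sorted(per_folder),
        "first_seen": hits[0] if hits else None,
    }


def build_sample_share():
    """Constructed share layout for demonstration only; not a real incident."""
    root = tempfile.mkdtemp(prefix="share_")
    layout = [
        ("alice/report.docx", b"clean"),
        ("alice/XXXXXXXX.osiris", b"junk"),   # first file encrypted
        ("alice/YYYYYYYY.osiris", b"junk"),
        ("bob/budget.xlsx", b"clean"),
        ("shared/notes.txt", b"clean"),
    ]
    now = time.time()
    for i, (rel, data) in enumerate(layout):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
        # Stagger mtimes so ordering by modification time is meaningful.
        os.utime(full, (now - 600 + i * 60, now - 600 + i * 60))
    return root


if __name__ == "__main__":
    share = build_sample_share()
    summary = investigate(share)
    print("encrypted files:", summary["hits"])
    print("per folder:", summary["per_folder"])
    print("first seen:", summary["first_seen"])
```

Run against the sample tree it reports two .osiris files, both under alice, with XXXXXXXX.osiris as the earliest; on a real share the suspect_folders list is the set of accounts to disable and first_seen is the machine to isolate first. The example relies only on the filename extension the alert describes; it does not try to recognise Locky's renamed file name format.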

The best way to handle this type of ransomware infection is to wipe the infected device and restore from back-ups. Before restoring, check any files synced with services such as NYU Box, Dropbox, or Google Drive to make sure the encrypted files have not been synced over the clean copies. Once the restore is complete, disconnect the back-up devices.

For more information on Locky/Osiris, please see: https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-egyptian-mythology-with-the-osiris-extension/

Gooligan Android Malware steals Google credentials

Researchers at Check Point have found a family of malware which, when installed on a vulnerable device running Android version 4 (Ice Cream Sandwich, Jelly Bean, and KitKat) or version 5 (Lollipop), gives the attacker full control of the device. It then steals the Google account tokens stored on the device, giving the attackers access to the user's Google apps and data. The malware can be downloaded via a link in a phishing e-mail or text message, or installed through software downloaded from a third-party app store. According to the researchers, more than one million accounts may have been compromised. About 57 percent of the devices infected by Gooligan are located in Asia, about 19 percent in the Americas, about 15 percent in Africa, and about 9 percent in Europe.

Google has been actively shutting down compromised accounts as they are found, and has made available instructions for “Verify Apps” https://support.google.com/accounts/answer/2812853?hl=en so that people can check the apps they have and prevent installation of malicious software in the future. There is also a list of known infected apps at the Checkpoint URL listed below in the notes.

Notes:

http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/

http://arstechnica.com/security/2016/11/1-million-android-accounts-compromised-by-android-malware-called-gooligan/