Please be advised of a widely spreading Dropbox-themed phishing campaign, the goal of which is to steal credentials. The subject line of these spam messages references a purchase order number, an invoice, or simply requests that recipients open an attachment.
Once the attachment is opened, users may receive the following:
Users who click on the embedded link are redirected to a compromised site which hosts a credential phishing kit.
Please note that the URL displayed in the browser’s address bar may be shortened via bit.ly to hide the actual URL of the compromised site. To preview the destination of a Bitly.com URL, add a plus symbol to the end of a shortened link. For example, you can preview the destination of bit.ly/1bhjUN8 with bit.ly/1bhjUN8+ and be directed to a preview page on Bitly.com with information about the shortened link.
Users are then prompted to select a verification type, and enter a username/password. In some cases, an account recovery phone number and email address are also requested.
After the requested information is entered and credentials are captured, users are redirected to the legitimate Dropbox page.
Please be advised that Microsoft plans to release an update for a critical Word flaw today, as part of Patch Tuesday. It is recommended that this patch is applied as soon as it becomes available. This vulnerability allows the installation of malware, in this case a banking trojan dubbed Dridex, when a target/user opens a maliciously-crafted MS Word email attachment. This vulnerability is known to affect all Windows versions of Word. The exploit has not been proven or disproven to work on Mac versions of Word.
Dridex-infused Word documents typically arrive as Rich Text Format (RTF) attachments to emails purporting to be from “device”, “copier”, “documents”, “no-reply” or “scanner”. In all known cases, the subject line of the emails reads “Scan Data”. Opening the documents attached to these emails will install a Dridex bot on your system that is known to capture banking information. It has been observed that this exploit does not execute when the document is viewed in a Microsoft view known as “Protected View”, which is a read-only mode in which most editing functions are disabled. However, if you opt to print the document or “Enable Editing” in Protected View, the exploit will run.
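For mail administrators, the indicators described above (sender name, “Scan Data” subject, RTF attachment) can be checked automatically. The Python below is an added example, not part of the original advisory or any vendor tooling; the function names, the flagging rule and the example.edu sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators taken from the advisory text; the flagging rule is an assumption.
SENDER_NAMES = {"device", "copier", "documents", "no-reply", "scanner"}
SUBJECT = "scan data"
RTF_MAGIC = b"{\\rtf"  # RTF content starts with this whatever the file extension

def sender_matches(from_header):
    """True if the display name or mailbox local part is a listed sender."""
    display, addr = parseaddr(str(from_header or ""))
    local = addr.split("@", 1)[0]
    return bool({display.strip().lower(), local.lower()} & SENDER_NAMES)

def rtf_attachments(msg):
    """Filenames of attachments whose decoded bytes begin with the RTF header."""
    hits = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if data.lstrip()[:5].lower() == RTF_MAGIC:
            hits.append(part.get_filename() or "(unnamed)")
    return hits

def triage(raw_bytes):
    """Report which of the advisory's indicators a raw message matches."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    sender = sender_matches(msg["From"])
    subject = str(msg["Subject"] or "").strip().lower() == SUBJECT
    rtf = rtf_attachments(msg)
    # Assumed rule: hold mail with an RTF attachment plus either header match.
    return {"sender": sender, "subject": subject, "rtf": rtf,
            "hold": bool(rtf) and (sender or subject)}

def sample(sender, subject, payload, filename):
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.edu", subject
    m.set_content("Please see attached.")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(sample("scanner <scanner@example.edu>", "Scan Data",
                        b"{\\rtf1 constructed placeholder}", "Scan_001.doc")))
```

Because the check reads the attachment's leading bytes rather than its filename, an RTF file renamed to .doc is still reported.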
New legislation allowing ISPs (Internet Service Providers) to sell browsing history has contributed to a rise in VPN (Virtual Private Network) scams as VPN is an option which affords users the ability to retain their online privacy.
For example, current and former Plex and Boxee users may receive the following VPN scam messages:
Please be reminded that NYU offers VPN service to NYU community members as a secure way in which to access NYU-Net from many remote locations. Use of NYU VPN is required when remotely accessing certain services. For a list of services which require VPN when accessed from off campus, please see: http://www.nyu.edu/servicelink/041202319365928. For more information on NYU VPN, please click here.
For tips on how to protect your mobile devices and data stored thereon, watch this 3 minute and 7 second video from SANS on mobile device security awareness. This video will be available throughout the month of April.