
Dropbox Themed Phishing Campaign

Please be advised of a widely spreading Dropbox themed phishing campaign, the goal of which is to steal credentials. The subject line of these spam messages references a purchase order number, an invoice, or simply requests that recipients open an attachment.

Screenshot of an example phishing message attaching a PDF file entitled "PO#78547", with the text of the email message reading "Find Attached invoice.  Thanks, Billing Department".


Once the attachment is opened, users may receive the following:

Screenshot showing the Dropbox logo and a message stating "Your system firewall rules have stored files online" followed by a link "SHOW RECEIVED DOC HERE"


Users who click on the embedded link are redirected to a compromised site which hosts a credential phishing kit.

  • Please note that the URL displayed in the browser’s address bar may be shortened via bit.ly to hide the actual URL of the compromised site. To preview the destination of a Bitly.com URL, add a plus symbol to the end of the shortened link. For example, you can preview the destination of bit.ly/1bhjUN8 by visiting bit.ly/1bhjUN8+, which takes you to a preview page on Bit.ly with information about the shortened link instead of redirecting you to the destination.

Users are then prompted to select a verification type, and enter a username/password. In some cases, an account recovery phone number and email address are also requested.

Screenshot displaying a logo for "Dropbox Business" stating "Verification Required" and requesting the selection of your email provider and a login.  The list of providers includes Gmail, Outlook, Other, Office 365, AOL and Yahoo.


After the requested information is entered and credentials are captured, users are redirected to the legitimate Dropbox page.


MS Word Critical Flaw to be Addressed Today Via Patch Tuesday

Please be advised that Microsoft plans to release an update for a critical Word flaw today, as part of Patch Tuesday. It is recommended that this patch is applied as soon as it becomes available. This vulnerability allows the installation of malware, in this case a banking trojan dubbed Dridex, when a target/user opens a maliciously-crafted MS Word email attachment. This vulnerability is known to affect all Windows versions of Word. The exploit has not been proven or disproven to work on Mac versions of Word.

Dridex-infused Word documents typically arrive as Rich Text Format (RTF) attachments to emails purporting to be from “device”, “copier”, “documents”, “no-reply” or “scanner”. In all known cases, the subject line of the emails reads “Scan Data”. Opening the documents attached to these emails will install a Dridex bot on your system that is known to capture banking information. It has been observed that this exploit does not execute when the document is viewed in the Microsoft Word mode known as “Protected View”, a read-only mode in which most editing functions are disabled. However, if you opt to print the document or click “Enable Editing” while in Protected View, the exploit will run.

Screenshot showing the Enable Editing button in the Protected View of MS Word. This button appears at the top right of the Word screen in a yellow bar.

A sample Dridex email is shown below:

Screenshot of an email message with a subject of "Scan Data". It appears to attach an MS Word document entitled "Scan" with a file size of 37 KB. The body of the message states "Number of pages: 3" and incorrectly describes the attachment type as PDF.
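As an added example (not part of the original advisories), the following Python script applies the indicators described in both the Dropbox-themed phishing advisory and the Dridex advisory above to parsed email messages, and builds the bit.ly "+" preview URL mentioned earlier. The three sample messages are constructed for illustration; the sender addresses, recipient and attachment bytes are placeholders, and the indicator lists mirror only what the two advisories state (device-style sender names, the "Scan Data" subject, a body that claims a PDF while a Word/RTF file is attached, purchase-order or invoice subjects with a PDF attachment, and shortened bit.ly links).

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators lifted from the two advisories above; nothing else is assumed.
DRIDEX_SENDER_NAMES = {"device", "copier", "documents", "no-reply", "scanner"}
DRIDEX_SUBJECT = "scan data"
WORD_OR_RTF_TYPES = {
    "application/rtf", "text/rtf", "application/msword",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
}
PO_OR_INVOICE = re.compile(r"\b(purchase\s+order|po\s*#?\s*\d+|invoice)\b", re.IGNORECASE)
BITLY_LINK = re.compile(r"https?://bit\.ly/[A-Za-z0-9]+", re.IGNORECASE)


def attachments(msg):
    """Return (filename, declared content type) for every attachment part."""
    return [(p.get_filename() or "", p.get_content_type()) for p in msg.iter_attachments()]


def body_text(msg):
    """Plain-text body if present, otherwise the HTML body, otherwise ''."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return body.get_content() if body is not None else ""


def triage(raw):
    """Parse a raw RFC 5322 message and return (reasons, shortened_links)."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, _addr = parseaddr(msg.get("From", ""))
    subject = (msg.get("Subject") or "").strip()
    text = body_text(msg)
    files = attachments(msg)
    reasons = []

    # Dridex lure: subject "Scan Data" from a device-style sender name.
    if subject.lower() == DRIDEX_SUBJECT and display_name.strip().lower() in DRIDEX_SENDER_NAMES:
        reasons.append("dridex:scan-data-subject-from-device-style-sender")
    # Dridex lure: body talks about a PDF while a Word/RTF file is attached.
    word_attached = any(
        ctype in WORD_OR_RTF_TYPES or name.lower().endswith((".rtf", ".doc", ".docx"))
        for name, ctype in files
    )
    if word_attached and "pdf" in text.lower():
        reasons.append("dridex:body-claims-pdf-but-word-or-rtf-attached")

    # Dropbox-themed lure: purchase-order/invoice subject carrying a PDF attachment.
    pdf_attached = any(ctype == "application/pdf" or name.lower().endswith(".pdf") for name, ctype in files)
    if PO_OR_INVOICE.search(subject) and pdf_attached:
        reasons.append("dropbox:po-or-invoice-subject-with-pdf-attachment")
    # Shortened bit.ly links hide the real destination; surface them for review.
    links = BITLY_LINK.findall(text)
    if links:
        reasons.append("dropbox:shortened-bitly-link-in-body")
    return reasons, links


def bitly_preview_url(url):
    """bit.ly serves a preview page instead of redirecting when '+' is appended."""
    return url if url.endswith("+") else url + "+"


def build_sample(from_header, subject, body, attachment=None):
    """Build a constructed test message; attachment is (filename, maintype, subtype)."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["To"] = "recipient@example.edu"  # constructed placeholder recipient
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        filename, maintype, subtype = attachment
        msg.add_attachment(b"constructed placeholder bytes", maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_string()


# Constructed samples modelled on the screenshots described in the advisories.
SAMPLE_DRIDEX = build_sample(
    "scanner <scanner@example.com>", "Scan Data",
    "Number of pages: 3\nAttachment type: PDF\n", ("Scan.doc", "application", "msword"))
SAMPLE_DROPBOX = build_sample(
    "Billing Department <billing@example.net>", "PO#78547",
    "Find Attached invoice. Thanks, Billing Department\n", ("PO#78547.pdf", "application", "pdf"))
SAMPLE_BITLY = build_sample(
    "Dropbox <noreply@example.org>", "Invoice",
    "Your system firewall rules have stored files online.\nSHOW RECEIVED DOC HERE: http://bit.ly/1bhjUN8\n")

if __name__ == "__main__":
    for label, raw in (("dridex", SAMPLE_DRIDEX), ("dropbox", SAMPLE_DROPBOX), ("bitly", SAMPLE_BITLY)):
        reasons, links = triage(raw)
        print(label, reasons, [bitly_preview_url(u) for u in links])
```

The checks are deliberately narrow, matching only the traits the advisories describe, so they are a starting point for mail-filter or help-desk triage rules rather than a general phishing classifier; the bit.ly link in the Dropbox campaign sits inside the attached PDF rather than the email body, so the link check above catches only lures that place the shortened link in the message itself.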

For more information, please see:

https://www.proofpoint.com/us/threat-insight/post/dridex-campaigns-millions-recipients-unpatched-microsoft-zero-day

https://arstechnica.com/security/2017/04/microsoft-word-0day-used-to-push-dangerous-dridex-malware-on-millions/

VPN Scams

New legislation allowing ISPs (Internet Service Providers) to sell browsing history has contributed to a rise in VPN (Virtual Private Network) scams, since a VPN is one option that lets users protect their online privacy.

For example, current and former Plex and Boxee users may receive the following VPN scam messages:

Screenshot of scam message entitled "Plex reveals new VPN buisness www.MySafeVPN.com" and continues with the following "Plex has been used a media platform for a long time now with users mainly accessing content they've got saved on a local media server.  However, with the recent change in US privacy bills, UK privacy laws and more, it is now more difficult to fill these media servers with the content that users want to enjoy. Plex media server has now released a new service called www.MySafeVPN.com. This service will help users stay anonymous on the internet so they can download what they want, view what they want, browse where they want, without anyone looking over their shoulder. Internet access and media access can both now be completely anonymous using the new Plex VPN service which can be purchased at MySafeVPN.com."

Screenshot of VPN scam message entitled "Boxee is now back as MySafeVPN.com" and stating "The creators of Boxee are now back online as a safe and secure VPN service known as MySafevPN.com. With the changes in privacy laws, and the prevention methods being used by the UK government to block streaming and various websites, Boxee felt that it needed to return and provide its supporters with something amazing. Today marks the launch of www.MySafeVPN.com."

Please be reminded that NYU offers a VPN service to NYU community members as a secure way to access NYU-Net from many remote locations. Use of NYU VPN is required when remotely accessing certain services. For a list of services which require VPN when accessed from off campus, please see: http://www.nyu.edu/servicelink/041202319365928. For more information on NYU VPN, please see the NYU VPN information page.

For more information on VPN scams, please see: https://motherboard.vice.com/en_us/article/phony-vpn-services-are-cashing-in-on-americas-war-on-privacy.