There has been a recent uptick in phishing emails attempting to deliver the FlawedAmmyy remote access trojan (“RAT”). If successful, this RAT may provide malicious actors with full control of affected systems, including Remote Desktop control, proxy support, audio chat, and file system manager functionalities.
Recent emails in this campaign have a Subject line beginning with “Invoice for” followed by random numbers and the date. Emails have an MS Word attachment titled “Invoice” with random numbers. If a recipient opens the attachment and enables the macro, FlawedAmmyy is downloaded onto their device.
Please be reminded of the following:
- Do not open unexpected attachments, even when attachments appear to come from a known person or entity.
- All embedded links in email messages should be evaluated for security before you click them, even when the email appears to come from a known person or entity.
- If an embedded link takes you to a login page where you are asked to input your credentials or supply other sensitive/confidential information, it is suggested that you instead visit the website of the business/entity at issue by typing the URL into your browser’s address bar, and log into the legitimate (vs. a potentially spoofed) site.
For a technical description and removal instructions for FlawedAmmyy, please see: https://www.symantec.com/security-center/writeup-print/2018-092813-5722-99
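As an added example (not part of the original post or of any NYU or Symantec tooling), the indicators described above can be turned into a simple mail-gateway triage rule. The Message record, the gateway-supplied macro flag, and the sample messages are all constructed for this illustration; the post does not state the date format in the Subject line, so only the leading “Invoice for” plus digits is matched.

```python
import re
from dataclasses import dataclass

# Constructed message record for this example; a real gateway would supply these fields.
@dataclass
class Message:
    subject: str
    attachments: list           # attachment file names
    attachment_has_macro: bool  # assumed pre-computed by the gateway's document scanner

# Indicators from the post: Subject begins "Invoice for" + random numbers (+ date),
# attachment is a Word file named "Invoice" + random numbers. The date format is
# not specified, so only the leading "Invoice for <digits>" is matched.
SUBJECT_RE = re.compile(r"^\s*Invoice for\s+\d+", re.IGNORECASE)
ATTACH_RE = re.compile(r"^Invoice\s*\d+\.(doc|docm|docx)$", re.IGNORECASE)

def matched_indicators(msg: Message) -> list:
    """Return the campaign indicators present in a message (empty list if none)."""
    hits = []
    if SUBJECT_RE.match(msg.subject):
        hits.append("subject")
    if any(ATTACH_RE.match(name.strip()) for name in msg.attachments):
        hits.append("attachment")
    # A macro only matters when it rides on the campaign-style attachment.
    if "attachment" in hits and msg.attachment_has_macro:
        hits.append("macro")
    return hits

def triage(msg: Message) -> str:
    """Map indicators to an action: quarantine (all three), flag (subject + attachment), deliver."""
    hits = matched_indicators(msg)
    if "subject" in hits and "macro" in hits:
        return "quarantine"
    if "subject" in hits and "attachment" in hits:
        return "flag"
    return "deliver"

# Constructed samples: a campaign-style lure, a look-alike without a macro, a benign invoice.
SAMPLES = [
    Message("Invoice for 48213 10/03/2018", ["Invoice48213.doc"], True),
    Message("Invoice for 77120 10/03/2018", ["Invoice77120.docx"], False),
    Message("Re: September invoice", ["statement_sept.pdf"], False),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{triage(m):10} {m.subject!r} {matched_indicators(m)}")
```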
Google recently disclosed that they discovered a vulnerability in their Google+ People API in March of this year, which was patched immediately. This vulnerability:
- had been open since 2015 and potentially exposed the private data of 500,000+ users to third-party developers.
- disclosed data including user full names, email addresses, dates of birth, gender, profile photos, places lived, occupation and relationship status.
- cannot be traced back to specific affected users, because API logs were retained for only two weeks.
Google did not report the vulnerability sooner because it did not meet the public disclosure requirements: there was no evidence of data misuse or evidence that developers knew of the vulnerability. Given the challenges associated with creating and maintaining Google+, combined with the low usage of the consumer version, Google has decided to sunset the consumer version of Google+ over a 10-month period (to be completed by the end of next August). Over the coming months, Google states that it will provide consumers with additional information, including ways in which they can download and migrate their data.
However, Google+ will be retained as an enterprise product, and Google will be announcing/launching new features for businesses. Please note that nyu.edu accounts are enterprise accounts. Privacy measures which have been implemented include an Account Permissions system that asks third-party apps for each requested permission individually rather than all at once, giving users more granular control over what data is shared with apps. Further, Google has restricted access to the Gmail API to apps that directly enhance mail functionality, such as email clients, backup and productivity services.
The Internet Crime Complaint Center (IC3), the FBI and the DHS issued a Public Service Announcement on September 27th, which details increased exploitation of RDP in connection with malicious cyber activities. RDP is a proprietary network protocol developed by Microsoft that allows an individual to gain control of computer resources and data over the Internet. RDP provides total control over a remote machine, and intrusions can be difficult to detect. If not properly secured, RDP can be used to steal confidential/sensitive information, compromise identities, install backdoors or establish launching points for attacks, and infect devices/systems with malware, including ransomware.
To protect against RDP attacks, the FBI and the DHS offer the following recommendations:
- Implement/require strong passwords and account lockout policies.
- Enable multi-factor authentication whenever possible. For more information on NYU MFA, please see, http://www.nyu.edu/it/mfa.
- Keep systems and software fully updated/patched.
- Limit network exposure for all control system devices.
You may also want to review:
On Friday September 28th, Facebook announced a breach that impacted 50 million users. In this breach, malicious actors exploited a series of bugs, including a weakness in Facebook’s “View As” feature, which allows users to see how their profile appears to others, and also stole digital keys which allow users to stay logged onto Facebook. These vulnerabilities allowed attackers to take over user accounts and possibly gain access to apps that users can log in to through Facebook, such as Instagram and Spotify. Facebook has temporarily turned off the “View As” function and has otherwise stated that the vulnerabilities have been fixed.
Facebook further states that impacted users will see a message about the breach on top of their News Feed when they log back in. The FTC has advised users to be on the lookout for and consider the following:
- Imposter scams in which malicious actors pose as someone you know or a company you do business with. Remember that phone numbers and email addresses can be spoofed, and a call or email that appears to be coming from a familiar phone number or person/entity may be coming from a malicious actor. Use discretion and never provide personal or sensitive information to callers, even when threats are made or the call has a sense of urgency. When in doubt, phone the person/entity back at a contact phone number you independently obtain to confirm the information you’ve received via phone or email. For more information on phishing and phone scams, please see the following NYU IT Connect articles: Learn to Spot a Phony; Detecting and Avoiding Phone Scams; and Phishing, Spear Phishing and Whaling.
- Consider changing your Facebook password even though Facebook has advised that it is not necessary and change your security questions as well, especially if the answers to your security questions can be found on Facebook. If you used the same password for other accounts (which is not a recommended practice), change these passwords too. For password recommendations and best practices, please see the following NYU IT Connect article, Under Lock and Passphrase.
October is National Cybersecurity Awareness Month (“NCSAM”). The overall theme of NCSAM is that security is everyone’s shared responsibility, and the month of October is dedicated to education about cyber threats, including tips and best practices.
NYU’s National Cybersecurity Awareness Month 2018 themes are:
- Learn to Spot a Phony
- IT Safety & Security at Home
- Don’t Get Scammed by Short URLs
- Are you Password Savvy?
Learn More and Earn a Chance to Win a Prize!
Throughout October, visit the Security Awareness website for new information, including short informational videos and quizzes that offer a chance to win movie tickets!
- As always, tune into the IT Security News & Alerts blog for important announcements, and subscribe at the right to receive a copy of each post by email as soon as it’s published.
- Check out Connect: IT at NYU for information security articles and news.
- Finally, be on the lookout for NYU IT Facebook and Twitter posts throughout NCSAM for timely and informational tips and reminders.
As an update to our September 24th post entitled Free Credit Freezes and Year-Long Fraud Alerts Now Available, please note that Equifax and TransUnion have abandoned the use of PINs in connection with the online unfreezing of frozen credit files. However, if you are seeking to unfreeze your credit file via phone, a PIN is still required.
When unfreezing online via Equifax, consumers must now create a “my Equifax” account. Account activation is protected by extra security measures, such as a one-time code sent to your mobile phone. Consumers without a mobile phone will have to answer additional security questions. TransUnion already requires consumers to have an account with their name, password and PIN. Using these credentials online, consumers will be able to lift a freeze. Experian will continue to require a PIN in connection with the lifting of freezes.
For additional information, please see: https://www.nytimes.com/2018/09/28/your-money/frozen-credit-files-tips-unfreezing.html