A new type of imposter scam using Facebook’s Sharer dialog has been detected. Facebook’s Sharer dialog is typically used by website owners to share content on Facebook. This scam tricks users into thinking there is a problem with their account and that they need to call one of the provided phone numbers to resolve it. If one of the provided numbers is phoned, an imposter posing as Facebook Support may ask to take over your computer to address the problem. The scammer may attempt to install malware or to sell you unnecessary or malicious software, and may also steal your payment information in the process.
The following is an example of the spoofed “Share on Facebook” dialog with the phony warning message (please note the grammar errors in this message which are a tell-tale sign of phishing!):
Image courtesy of Bleeping Computer
Please be advised that there are no Tech Support phone numbers for Facebook. If you have called a purported Facebook Tech Support phone number, it is recommended that you change your Facebook password asap and enable two-factor authentication on your Facebook account. Additionally, if you have provided access to your computer or installed any provided software, scan your computer using antivirus malware protection software, and delete anything identified as a problem and restart your computer at the conclusion of the process. For information on NYU provided antivirus software, please see the following KBase article, Symantec Endpoint Protection access and eligibility.
Imposter scams take various forms, but what they all have in common is that a scammer poses as someone you know and attempts to obtain personal or sensitive information from you. Scammers may pose as someone you know personally or someone in a shared group or organization, such as your place of employment, or someone from a known and trusted organization such as your bank or the IRS. To learn more about different types of imposter scams, please visit www.ftc.gov/imposters, which is an FTC web page containing videos and other resources detailing many common imposter scams.
Accordingly, University employees may receive forged communications purporting to come from an NYU executive or higher up seeking access to resources or sensitive information. These types of communications may arrive via email, text, social media or a phone call. Please be mindful that phone numbers and email addresses may be spoofed, so a communication may appear to be legitimate when it’s not. You may wonder how a scammer would know to target you for certain types of information and what security recommendations can be offered for requests you may receive – please read on!
Social engineers review and harvest information from social media and public facing websites to use in targeted attacks. This is why it’s always advisable to limit what you post online about yourself, others and your employer. It is also always advisable to call the requester at a trusted phone number, such as their NYU Directory phone number, to confirm the request received.
Please take note of the following additional recommendations:
- Take the time needed to examine all requests received and do not let a sense of urgency, which may accompany a request, speed your review.
- Be on the lookout for anything unfamiliar, such as a salutation, closing, or language that the requester would not use.
- Be wary of requests which ask you to bypass established processes/procedures.
- Scammers may spoof an email address or use an email address that is similar to the sender’s email address. With spoofed email addresses, the address looks correct, but another email address displays when you hover over it.
- Scammers may also use an email address that does not exist. For example, HR@nyu.edu is not an actual NYU email address.
- Be suspicious of any request for information or access to resources that purports to be from an NYU executive or higher up that is received via social media.
- Report imposter scams to email@example.com.
- Please see the following KBase article for tips on identifying phishing generally: Recognizing phishing scams and protecting yourself online.
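The two address tricks described above (a display name that does not match the real sending address, and a lookalike domain such as one that merely contains "nyu") can be checked mechanically on the message headers. The following is an added example for illustration, not code from the original advisory or from NYU IT; the sample messages, the trusted-domain list and the Reply-To comparison are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not taken from the original advisory).
SAMPLE_SPOOFED = """\
From: "Jane Doe (NYU Provost)" <jane.doe@nyu-edu-mail.com>
Reply-To: jane.doe.provost@example.net
To: staff@nyu.edu
Subject: Urgent request

Please call me back at once.
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@nyu.edu>
To: staff@nyu.edu
Subject: Meeting

See you at 3.
"""

# Domains the organisation actually sends from (assumed for the example).
TRUSTED_DOMAINS = {"nyu.edu"}


def address_parts(header_value):
    """Split an address header into (display name, address, lower-cased domain)."""
    name, addr = parseaddr(header_value or "")
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, addr.lower(), domain


def is_trusted(domain, trusted):
    """True for a trusted domain or any of its subdomains."""
    return domain in trusted or any(domain.endswith("." + t) for t in trusted)


def lookalike_of(domain, trusted):
    """Return the trusted domain an untrusted domain imitates, if any.
    Heuristic: the untrusted domain contains the trusted domain's first label
    (e.g. 'nyu' inside 'nyu-edu-mail.com')."""
    for t in trusted:
        label = t.split(".")[0]
        if not is_trusted(domain, {t}) and label in domain:
            return t
    return None


def assess_sender(msg_text, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable findings; an empty list means no flag raised."""
    findings = []
    msg = message_from_string(msg_text)
    name, addr, domain = address_parts(msg.get("From"))
    if not domain:
        return ["From header has no parseable address"]

    # 1. Display name claims an affiliation that the real domain does not back up.
    claimed = [t for t in trusted if t.split(".")[0] in name.lower()]
    if claimed and not is_trusted(domain, trusted):
        findings.append(f"display name '{name}' implies {claimed[0]} but address is {addr}")

    # 2. The sending domain resembles a trusted one without being it.
    imitated = lookalike_of(domain, trusted)
    if imitated:
        findings.append(f"domain {domain} resembles {imitated}")

    # 3. Replies are steered to a different domain than the one that sent the mail.
    _, reply_addr, reply_domain = address_parts(msg.get("Reply-To"))
    if reply_domain and reply_domain != domain:
        findings.append(f"Reply-To {reply_addr} goes to a different domain than From")

    return findings
```

Running `assess_sender(SAMPLE_SPOOFED)` yields three findings, while the legitimate message yields none. The lookalike heuristic is deliberately simple; a production filter would compare against a curated list of registered lookalike domains rather than a substring match.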
Please be advised that gift card scams are on the rise. In these types of scams social engineers commonly pose as a trusted contact – an executive, a faculty member, the president of an institution or organization, etc. – and request that you purchase gift cards in connection with a fundraiser, charity or organizational event and provide them with the redemption codes found on the back of the gift cards. Once a victim supplies the redemption code, the value of the card is stolen and card use cannot be traced.
Reported scam details include:
- This type of scam may occur via email, text message, social media contact or phone call.
- The malicious actors may state that they are too busy to purchase the requested gift cards and ask for your assistance in doing so, or they may pose as a person you know who is in urgent need of some type of assistance via a gift card.
- Scammers are requesting gift cards from a variety of merchants including iTunes, Google Play, Amazon, Target, Walgreens and Walmart.
- Closely scrutinize all messages asking you to make a purchase or disclose sensitive information. For tips on recognizing phishing scams and evaluating email messages you receive, please see the following NYU IT Connect article, Phishing, Spear Phishing and Whaling and the following KBase article, Recognizing phishing scams and protecting yourself online.
- If you receive a message/call asking you to make a gift card purchase, or asking that you disclose sensitive/confidential information, verify with the requestor via trusted means of contact, such as a known phone number. Do not use a phone number provided as part of the request.
- If you fall victim to a gift card scam, the FTC advises that you report it to the merchant and to the FTC at ftc.gov/complaint.
A cross-site scripting (XSS) vulnerability has been discovered in version 6.15 of Evernote for Windows. This vulnerability can be leveraged to run programs remotely on a victim’s computer. Specifically, a malicious actor could embed a link that loads malicious script in the file name of an image inside of a note, and send it to a victim. If viewed in presentation mode, NodeWebKit will automatically execute the code, allowing it to open system programs and files.
Evernote has patched this vulnerability in its 6.16.1 beta update. It is recommended that Evernote for Windows users apply this update asap.
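The root cause described above is a file name, controlled by whoever authored the note, being inserted into rendered HTML without being treated as untrusted data. The following is an added example for illustration, not Evernote's code: a minimal renderer that interpolates the name straight into markup, beside the hardened form that escapes it and applies an allow-list before it ever reaches the page. The file names are constructed; the injected text is a harmless `<b>` marker.

```python
import html
import re

# Constructed file names (not from the advisory). The hostile one closes the
# src attribute and injects a visible marker element rather than any script.
BENIGN_NAME = "vacation.png"
HOSTILE_NAME = '"><b>injected</b><img src="'

# Allow-list for image file names: letters, digits, space, dot, dash, underscore,
# and a required image extension. Anything else is rejected before rendering.
NAME_PATTERN = re.compile(r"[\w .\-]+\.(png|jpe?g|gif)", re.IGNORECASE)


def render_vulnerable(filename):
    """Interpolates the attacker-controlled name directly into HTML (the flaw)."""
    return f'<img src="{filename}" alt="{filename}">'


def accept_filename(filename):
    """Allow-list check: only plain image names are accepted."""
    return NAME_PATTERN.fullmatch(filename) is not None


def render_hardened(filename):
    """Rejects names outside the allow-list, then escapes &, <, >, \" and '
    so that whatever survives is rendered as text, never as markup."""
    if not accept_filename(filename):
        # Fall back to a fixed placeholder rather than echoing the bad input.
        return '<img src="" alt="[invalid file name]">'
    safe = html.escape(filename, quote=True)
    return f'<img src="{safe}" alt="{safe}">'


def introduces_markup(rendered):
    """A single img element should contain exactly one '<'; more means the
    file name broke out of its attribute and added elements of its own."""
    return rendered.count("<") != 1
```

Escaping alone would already neutralise the marker in `HOSTILE_NAME`; the allow-list is the second layer, because output encoding does not help against a `src` value that is a valid but unwanted URL scheme. Both layers are cheap and independent of where the string came from.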
Users and Admins of Apache Struts 2.3.36 and prior versions are advised to immediately upgrade to 1.3.3, which is the latest version of the Commons FileUpload Library. This upgrade addresses a remote code execution vulnerability. Please note that versions 2.5.12 and subsequent versions are not impacted. For more information, please see the following Apache security advisory.
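For an administrator, the practical question is whether a given build still pins the old library. The following is an added example, not part of the advisory or of any Apache tooling: it reads the dependencies out of a Maven `pom.xml` and flags a Struts 2.3.36-or-earlier project whose `commons-fileupload` version is below 1.3.3 (or not pinned at all). The pom fragment is constructed for the example; versions are compared numerically so that, for instance, 1.3.10 sorts after 1.3.3.

```python
import re
import xml.etree.ElementTree as ET

# Constructed pom.xml fragment (not from the advisory).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.3.36</version>
    </dependency>
    <dependency>
      <groupId>commons-fileupload</groupId>
      <artifactId>commons-fileupload</artifactId>
      <version>1.3.2</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
LAST_AFFECTED_STRUTS = (2, 3, 36)   # "2.3.36 and prior", per the advisory text
FIXED_FILEUPLOAD = (1, 3, 3)        # version to upgrade to


def parse_version(text):
    """'1.3.2' -> (1, 3, 2). A qualifier after '-' (e.g. -SNAPSHOT) is ignored."""
    core = text.strip().split("-", 1)[0]
    return tuple(int(n) for n in re.findall(r"\d+", core))


def dependencies(pom_text):
    """Map (groupId, artifactId) -> version string for every <dependency>."""
    root = ET.fromstring(pom_text)
    deps = {}
    for dep in root.findall(".//m:dependency", NS):
        gid = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        aid = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        ver = dep.findtext("m:version", default="", namespaces=NS).strip()
        deps[(gid, aid)] = ver
    return deps


def fileupload_findings(pom_text):
    """Return findings for an affected Struts line using an old FileUpload."""
    deps = dependencies(pom_text)
    struts = deps.get(("org.apache.struts", "struts2-core"))
    fileupload = deps.get(("commons-fileupload", "commons-fileupload"))
    findings = []
    if not struts or parse_version(struts) > LAST_AFFECTED_STRUTS:
        return findings  # not in the "2.3.36 and prior" range the advisory names
    if not fileupload:
        findings.append(f"struts2-core {struts}: commons-fileupload not pinned; "
                        "confirm the transitive version is 1.3.3 or later")
    elif parse_version(fileupload) < FIXED_FILEUPLOAD:
        findings.append(f"commons-fileupload {fileupload} is below 1.3.3; upgrade")
    return findings
```

The check only looks at the versions declared in the file; in a real build the effective version can come from a parent pom or dependency management, so `mvn dependency:tree` output is the authoritative source and this script is a first-pass filter.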
The holiday season is the ideal time for cybercriminals to take advantage of unsuspecting or inattentive online shoppers. Protect your purchases, your sensitive information, your devices and the data stored thereon by making sure these precautions are part of your online shopping habits:
- Regularly patch/update all of your devices – this is a general best practice – all internet connected devices, including IoT devices, should be regularly patched and updated. Patches address known vulnerabilities which malicious actors seek to exploit.
- Strengthen your logins – fortify your online accounts whenever possible with the strongest authentication available, whether it’s multi-factor authentication (“MFA”) which involves authentication with a device and an application or code, or biometric authentication which may involve the use of a fingerprint or facial recognition software.
For more information on NYU MFA, please visit: http://www.nyu.edu/it/mfa
- Protect your devices with antivirus software – which will protect you from known viruses, spyware and malware.
  - NYU supported antivirus and malware protection software (for Windows or Mac) is available to all NYU degree seeking students, faculty, staff, and all NYUHome-eligible consultants for use on their personal and NYU-owned devices that connect to NYU-NET. Please see the Symantec Endpoint Protection access and eligibility KBase article for more information.
- Be savvy about WiFi usage:
  - Refrain from online shopping, performing financial transactions or accessing any of your online accounts on public WiFi even if it’s password protected. Although your local coffee shop may offer password protected WiFi, a hacker could be among the patrons and may be spying on all network activity and stealing credentials and other sensitive information.
  - If you must use public WiFi, connect to a virtual private network (“VPN”) first. For more information on NYU VPN, please visit: http://www.nyu.edu/it/vpn
  - To prevent your device from auto-connecting to open networks and to prevent other devices from connecting to your device(s), turn off WiFi and Bluetooth when not in use, or with respect to WiFi, make sure that you’ve set your device to ask you before it joins open networks.
- Refrain from using public computers to access any of your accounts or sensitive information – these computers may be infected with spyware or keystroke loggers.
  - If you must use a public computer to access personal accounts/sensitive information, it is recommended that you change your password for all accounts you’ve accessed using a trusted device asap.
- Phishing alert! Analyze email deals and always visit sites of interest by searching for sites or by typing URLs into your browser’s address bar – remember that it is not advisable to visit sites via embedded links in email messages. These embedded links may lead you to a forged login prompt where your credentials are stolen once you’ve entered them, or may redirect you to a spoofed website.
- Shop on reputable websites – buy from known and trusted sellers. Look for the green padlock icon in your browser’s address bar followed by “https://” before entering your payment information. Remember, if an offered deal sounds too good to be true, it most likely is! Please also be aware that customer testimonials are not proof of the legitimacy of a website as testimonials can be forged.
- Your personal information has value; protect it – be alert to the types of information being sought when completing a transaction and fill out required fields only. If the information is not necessary, don’t supply it.
- Safeguard your devices against theft and lock your devices when not in use – when on the go, your devices should always be in a secured location or within your reach and screens should be locked when not in use.
- Be aware of identity theft – closely monitor your financial accounts for transactions you did not make/authorize.
  - For tips on preventing and correcting identity theft, please see the following NYU IT Connect article: Protect Who You Are Online.