Direct Deposit Scams

NYU has seen several recent scams that involve obtaining an employee’s NetID and password, which are then used by the scammer to alter the employee’s Direct Deposit information, resulting in the employee’s paychecks being re-directed to the scammers’ bank accounts. We want you to be aware of these scams, what we are doing to protect your Direct Deposit, and what you should do to protect yourself.

These scams usually occur as a result of:

  • A “phishing” email that sends the recipient to a website to “update” their Direct Deposit information, or
  • A compromised account, where the scammer obtains the employee’s NetID and password, signs on and changes the Direct Deposit instructions.

This can then result in funds going to the scammer’s bank account instead of the employee’s bank account.

NYU Payroll has a process in place for detecting Direct Deposit changes; when changes are made to an employee’s Direct Deposit instructions, Payroll sends a confirmation email and asks employees to notify Payroll if anything is amiss. Please pay attention to any email of this sort from NYU Payroll, and if you have not authorized a change to your Direct Deposit, follow up by contacting PeopleLink (AskPeopleLink@nyu.edu or 212-992-5465) immediately.

In the event of any unauthorized attempt to change your Direct Deposit, it is very important that you promptly change your NYU NetID password to ensure the integrity of your account. This Knowledge Base article describes how to change your password. Should you have any questions or trouble, please contact the IT Service Desk, open 24×7.

Do not fall victim to phishing attempts:

  • Keep your eyes open for any email requesting that you “confirm” your sign-on credentials or threatening immediate account closure.
  • Remember that NYU IT/HR/Payroll personnel will never send you an email asking for your NYU NetID password. If you receive an email that you think is a phishing attempt, please forward it to phishing@nyu.edu.
  • Make sure, when you are logging into a single sign-on NYU service, that the URL displayed on your browser starts with https://shibboleth.nyu.edu.
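The URL check in the last item is only reliable when the host name is compared exactly, not when the address merely begins with the expected text. The following is an added example, not NYU code; the sample URLs are constructed, and the `/idp/login` path and the `example.net` host are assumptions used for illustration.

```python
from urllib.parse import urlsplit

SSO_HOST = "shibboleth.nyu.edu"  # sign-on host named in the advice above


def naive_prefix_check(url: str) -> bool:
    """'Starts with' taken literally as a string comparison."""
    return url.startswith("https://" + SSO_HOST)


def is_nyu_sso_url(url: str) -> bool:
    """True only for an https URL whose host is exactly the SSO host."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    # Text before "@" is user info, not the host; the real host follows it.
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").rstrip(".")
    return host == SSO_HOST and port in (None, 443)


# Constructed samples; example.net is a reserved documentation domain.
SAMPLES = [
    "https://shibboleth.nyu.edu/idp/login",
    "https://shibboleth.nyu.edu.example.net/idp/login",  # look-alike subdomain
    "https://shibboleth.nyu.edu@example.net/idp/login",  # host hidden after "@"
    "http://shibboleth.nyu.edu/idp/login",               # not https
    "http://maillonyuedu.weebly.com/",  # link from the phishing sample on this page
]


def compare(urls):
    """Return (url, naive_result, strict_result) for each URL."""
    return [(u, naive_prefix_check(u), is_nyu_sso_url(u)) for u in urls]


if __name__ == "__main__":
    for url, naive, strict in compare(SAMPLES):
        print(f"naive={naive!s:5} strict={strict!s:5} {url}")
```

The second and third samples pass the literal prefix comparison but fail the host comparison, which is why the whole host name up to the first `/` has to be read, not just its beginning.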

If you do respond to a phishing attack, change your password immediately and check your Direct Deposit information in PeopleSync (Workday), which you can access from the NYUHome Work tab.

NYU is working on methods for adding another authentication step, as many banks have done, to ensure additional security.

NYU Email: Recognizing and Reporting Spam and Phishing

Spam is unsolicited bulk email. The key term is “unsolicited” — if you signed up for a mailing list (commercial or otherwise) which you no longer wish to receive, that is not spam. The easy differentiation is that legitimate businesses will have a mailing policy posted on the site where you sign up for the mail, and will give you correct information about how to unsubscribe. NYU Email powered by Google features built-in spam filtering. For more information on spam, please see our NYU Email: Removing spam from your inbox.

NYU Email, powered by Google, features built-in spam filtering. To read more about how it works and how to use it, see the ServiceLink knowledge base.

NYU recommends that you use the NYU Email web interface instead of email programs (Outlook, iPhone Mail, etc.). However, if you choose to use a desktop email client, you must create a filtering rule based on specific spam rating levels. Mail that matches the rule is then redirected into a folder of your choice and you can decide how you wish to handle the redirected messages. The filter level you select will determine the amount of spam you receive. If you find that you are receiving too much spam in your Inbox, try adjusting the level of filtering to be more strict. If you find that desired mail is being filtered, select a level that is less strict.

IMPORTANT: Keep in mind that some legitimate messages will end up in your spam folder if they exhibit characteristics of spam, for example, lots of capital letters, many exclamation points, or phrases such as “click here.” Therefore, it is important to check your spam folder regularly to ensure that you receive messages that may have been inadvertently flagged as spam.

Phishing messages appear to be sent from NYU, NYU IT, or other organizations affiliated with NYU requesting your personal information such as name, date of birth, password, etc. Do not reply to these messages. NYU IT will never request your password information. If a message informs you of an impending account closure or similar action unless you comply with its demands, it is often a sign that the message is a phishing scam. Do not comply with the request. To report phishing or spam attempts, please follow the instructions in the ServiceLink knowledge base.

This is an example of a Phishing email:

*From:* Abul Mohammed, Majeed (2014) [mailto: Majeed.AbulMohammed.2014@live.rhul.ac.uk]

*Sent:* Thursday, October 08, 2015 12:10 PM

*Subject:* NEW YORK UNIVERSITY.

Access to your e-mail account is about to expired.

Please Click here <http://maillonyuedu.weebly.com/> to restore access to

your e-mail account.

We apologize for any inconvenience and appreciate your understanding.

Regards.

New York University
70 Washington Square South
New York, NY 10012 (This is NOT our zipcode)
212.998.1212

 

To report phishing or spam attempts and for security tips for using email, see:

www.nyu.edu/servicelink/041202716305490

Printer Configuration Best Practices

Printers are a common intrusion point for access into an organization’s network. It is a common misconception to think that printers are secure due to the nature of the simple tasks that they perform. However, printers are fully functional devices with exploitable services such as web servers, FTP services and hard drive device storage capabilities. It is therefore important that system administrators take appropriate steps to ensure that these devices are properly set up with adequate settings to secure them against compromise and malicious use.

Below are some recommended configuration best practices.

  1. Change the administrative password on the device from the default settings.
    All printers are shipped with a default administrative password. This password provides access to the printer configuration interface and could also expose printer job information to a malicious user. Print jobs that contain confidential data such as tax forms and your research work are some documents that could be acquired from a compromised printer. If the set password for the device is lost or forgotten, performing a factory reset can restore access to the device. Physical access to the device is required for this process.
  2. Disable the SMTP server service on the printer if you do not intend to mail out printer jobs from the printer.
    The SMTP service is an email processing application that when used as intended sends valuable email messages from the printer. For example, a scan to email print job or printer toner replacement notification message could be sent from the device. Likewise, this message service could be used to send out spam messages if the email service is not protected.
  3. Disable the SNMP service or change the community string default password if the service is required.
    The SNMP service is an administrative configuration protocol. It is commonly used for large-scale configuration of devices using some form of automation. It is most probable that this service is not required in your environment. It is recommended that the service be disabled unless enterprise management of your device is required.
  4. Disable the following services:
    Printers include a myriad of additional services for different feature sets and deployment use cases. If these services are not required for your environment, it is best practice to disable these services on your device.

    • SLP (Service location protocol)
    • Telnet
    • MDNS
    • Multicast IPV4
    • Bonjour
    • IPX/SPX
  5. Set file-system password (Review documentation)
    The storage device on your printer can be used to store malicious code or gain access to stored print orders. It is therefore crucial that the storage resource is properly secured. System administrators are encouraged to review advanced settings documentation for their devices and apply vendor recommended settings for file system protection.
  6. Configure printing protocols
    Different printing protocols expand the printing capabilities of your printer. As an example, the IPP (Internet printing protocol) could be used to send printing jobs from the Internet. This access could allow the printing of marketing flyers from unsolicited sources. To prevent the abuse of your printer resource, limit available printing protocols on your printer to those required for your environment (i.e., lpr, lpd).
  7. Set control panel password (PJL service)
    Most display screens on printers allow for some form of customization. Although the risk impact of malicious access to the display setting is minimal, a malicious party could disrupt printing services by altering the touch screen capable features on your device. However, applying a password on your display setting function can easily mitigate this exploit.
  8. Set access list access and scope to NYU NYC IP ranges
    Your printer is an internal network service and as such should not be exposed to the Internet. Where possible, printers should be configured on a private network (RFC1918). Manufacturers are aware of the capabilities of these devices and have included new features that provide additional protections for publicly accessible printers. On access-list capable devices, configure your printer access rules. Scope the required access for your devices to the private and public NYU-NET IP ranges.

Internet Explorer Vulnerability Affects All Versions

Microsoft has released an update that has been deemed critical for Internet Explorer affecting all supported versions from IE7 through 11. Microsoft says that the vulnerability could allow an attacker to take control of an affected system, and took the somewhat unusual step of releasing patches out of its normal Patch Tuesday cycle for this vulnerability for the second time in a month.

A thorough description of the attack and how it works has not been published, but it is believed to operate on the “drive-by” attack principle. Simply visiting a page with a malicious component, including specially crafted ads, can be enough to exploit the vulnerability.

If you have Automatic Updates enabled in your version of Windows, you need not take any action regarding this vulnerability. The patch will automatically be applied, and you should simply reboot your computer at your earliest opportunity. If you have for some reason disabled Automatic Updates, then you should run Windows Update as soon as possible. To update, simply locate your Search bar, type in “update” without the quotes, and then click on Windows Update. Follow the prompts to install any available updates, and reboot when prompted.
For more information on this vulnerability, you may read the article at this link:
IT Managers may read Microsoft’s detailed description at the following link:
As a reminder, Microsoft no longer supports versions of Windows older than Vista (i.e., Windows 95, 98, 2000, ME, and XP). If you are still using a version of Windows that is unsupported by Microsoft, these vulnerabilities, as well as any newly discovered ones going forward, will remain unpatched. NYU TSS strongly recommends that you upgrade your operating system immediately by purchasing a new version of Windows or a new computer.