A compromised UMBC account was used to send phishing emails to over 1200 other UMBC accounts today. These malicious emails, claiming to be from the “UMBC IT Desk,” contained a link to a fake myUMBC login page, potentially allowing the malicious actors to steal any passwords entered on the site. To prevent further malicious activity, DoIT Security has scrambled the password of the account used to send the emails.

From: <name removed>

Date: Mon, Aug 24, 2020 at 10:40 AM

Subject: COVID-19 Update

To:

This is the UMBC IT Desk. Kindly Update your details to avoid beinglocked out of your email account.

Follow the URLbelow to proceed to setup umbc.edu/cas-web/login/Update

IT DeskUMBC

The link leads to this fake login page:

Always check the URL before entering credentials online. Notice that this site is not in the umbc.edu domain, despite claiming to be myUMBC. In addition, you can compare it to the real login page by navigating to myUMBC without using a link to see that it does not match.

As of this writing, approximately 150 people have clicked this link. If you have entered your UMBC password after clicking the link in this phishing email, please change it to something substantively different as soon as possible. Instructions for doing so can be found here:https://wiki.umbc.edu/pages/viewpage.action?pageId=1867939.

If you do receive any email that you suspect is a scam, please do not click on any URL or reply. Either of those actions confirms to the sender that your email address is valid. Please forward the message (with the email headers) to security@umbc.edu.

How do I forward full email headers?

https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970

In January 2020, Zoosk 2020, an online dating service, suffered a data breach. This breach contained 24 million users data that was posted online. The user information includes dates of birth, drinking habits, education levels, email addresses, ethnicities, family structure, genders, geographic locations, income levels, names, nicknames, physical attributes, political views, relationship statuses, religions, sexual orientations,and smoking habits. While the passwords posted were not valid for access to UMBC accounts, we suggest you change your UMBC password as a safety precaution.

76 UMBC accounts were victims of this breach. The victims are being notified via their UMBC emails and/or their alternate emails. If you have a Zoosk (2020) account, please contact them to see if you have been affected by this breach. To see if you were involved in any other breach visit: https://haveibeenpwned.com/.

More about Zoosk(2020) data breach:

https://grahamcluley.com/zoosk-hacking/

https://www.justice4you.com/blog/zoosk-data-breach.html#:~:text=According%20to%20the%20notice%2C%20an%20unauthorized%20party%20breached,by%20email%2C%20including%20more%20than%20560%2C000%20California%20residents.

If you have any questions or concerns email us: security@umbc.edu 

Information about this breach was provided to us by Have I Been Pwned(HIBP). 

_____________________________________________________________________________________

Receive any suspicious emails?

Forward it to security@umbc.edu along with the email headers. Instructions for doing so can be found at the UMBC support wiki: https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970.

Need to set up a recovery email for your UMBC account?

Follow the instructions here: https://my3.my.umbc.edu/groups/itsecurity/posts/94776

Follow us on myUMBC:https://my3.my.umbc.edu/groups/itsecurity

In July 2020, an online alcohol delivery service, Drizly, suffered a data breach. This breach contained 2.5 million customers data that was sold online, and then posted on a hacking forum. The customer information includes names, email addresses, IP addresses, physical addresses, date of birth, phone numbers, and passwords. No financial information was leaked.

106 UMBC accounts were victims of this breach. The victims are being notified via their UMBC emails and/or their alternate emails. If you have a Drizly account, please contact them to see if you have been affected by this breach. To see if you were involved in any other breach visit: https://haveibeenpwned.com/.

More about Drizly data breach:

https://techcrunch.com/2020/07/28/drizly-data-breach/

https://www.forbes.com/sites/katedingwall/2020/07/29/alcohol-e-commerce-giant-drizly-hit-with-huge-data-breach/#63b0d40b5a96

If you have any questions or concerns email us: security@umbc.edu 

Information about this breach was provided to us by Have I Been Pwned(HIBP). 

_____________________________________________________________________________________

Receive any suspicious emails?

Forward it to security@umbc.edu along with the email headers. Instructions for doing so can be found at the UMBC support wiki: https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970.

Need to set up a recovery email for your UMBC account?

Follow the instructions here: https://my3.my.umbc.edu/groups/itsecurity/posts/94776

In June 2020, Havenly, an interior design website, suffered a data breach. Approximately 1.4 million members' personal information was exposed. This data includes names, email, phone numbers, addresses and passwords stored as SHA-1 hashes. This information was shared on an online hacking community. 

28 UMBC accounts were affected by this breach. The victims have been notified via their UMBC emails and/or their alternate emails. If you have a Havenly account, please contact them to see if you have been affected by this breach.

More about Heavenly data breach:

https://www.bleepingcomputer.com/news/security/hacker-leaks-386-million-user-records-from-18-companies-for-free/ 

If you have any questions or concerns email us: security@umbc.edu 

Information about this breach was provided to us by Have I Been Pwned(HIBP).

_____________________________________________________________________________________

Receive any suspicious emails?

Forward it to security@umbc.edu along with the email headers. Instructions for doing so can be found at the UMBC support wiki: https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970.

Need to set up a recovery email for your UMBC account?

Follow the instructions here: https://my3.my.umbc.edu/groups/itsecurity/posts/94776

Follow us on myUMBC:https://my3.my.umbc.edu/groups/itsecurity

In June 2020, a marketing video creator website, Promo, suffered a data breach. 22 million users' personal information was leaked on an online hacking forum. This data includes names, email, gender, IP addresses and passwords stored as SHA-256 hashes. This information was shared on an online hacking community. 

34 UMBC accounts were affected by this breach. The victims have been notified via their UMBC emails and/or their alternate emails. If you have a Promo account, please contact them to see if you have been affected by this breach. Also visit https://haveibeenpwned.com/ to see if you were involved in any other breach.

More about Promo data breach:

https://support.promo.com/en/articles/4276475-promo-data-breach-faq 

https://www.bleepingcomputer.com/news/security/promocom-discloses-data-breach-after-22m-user-records-leaked-online/#:~:text=Promo.com%2C%20an%20Israeli-based%20marketing%20video%20creation%20site%2C%20has,networks%20such%20as%20Facebook%2C%20Instagram%2C%20Twitter%2C%20and%20LinkedIn.

If you have any questions or concerns email us: security@umbc.edu 

Information about this breach was provided to us by Have I Been Pwned(HIBP). 

_____________________________________________________________________________________

Receive any suspicious emails?

Forward it to security@umbc.edu along with the email headers. Instructions for doing so can be found at the UMBC support wiki: https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970.

Need to set up a recovery email for your UMBC account?

Follow the instructions here: https://my3.my.umbc.edu/groups/itsecurity/posts/94776

Follow us on myUMBC:https://my3.my.umbc.edu/groups/itsecurity

In June 2020, ProctorU, an online examination service, suffered a data breach. Over 444K user records were exposed and posted to an online hacking community. These records contain names, emails, physical addresses, phone numbers and passwords.

36UMBC accounts were affected by this breach. The victims have been notified via their UMBC emails and/or their alternate emails. If you have a ProctorU account, please contact them to see if you have been affected by this breach. To see if you were involved in any other breach visit: https://haveibeenpwned.com/.

More about ProctorU data breach:

https://www.smh.com.au/national/hackers-hit-university-online-exam-tool-20200806-p55j6h.html

https://www.bleepingcomputer.com/news/security/proctoru-confirms-data-breach-after-database-leaked-online/

If you have any questions or concerns email us: security@umbc.edu 

Information about this breach was provided to us by Have I Been Pwned(HIBP). 

_____________________________________________________________________________________

Receive any suspicious emails?

Forward it to security@umbc.edu along with the email headers. Instructions for doing so can be found at the UMBC support wiki: https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970.

Need to set up a recovery email for your UMBC account?

Follow the instructions here: https://my3.my.umbc.edu/groups/itsecurity/posts/94776

Follow us on myUMBC:https://my3.my.umbc.edu/groups/itsecurity

Malicious actors are using Covid-19 and current economic conditions to exploit victims with new phishing scams. The article linked below talks about two similar phishing scams. One scam claims to be giving the user a bonus while mimicking a Microsoft SharePoint notification. The other attempts to spoof a Microsoft Planner email notification. Both scams are trying to steal the user’s Microsoft login credentials. 

“Summer Bonus” Phishing Scam

The scammer sends an email that looks like a legitimate Microsoft SharePoint notification. The email offers what looks like a bonus for the month while also having an “open” button to display an explanatory file. An example of this email is shown below.

If the victim clicks on the “open” button they will be brought to a website that looks very similar to a Microsoft login page. A closer look reveals that this is not a link to a Microsoft login page but to an AppSpot site created by the scammers. Appspot.com is a cloud computing platform for developing and hosting web applications in Google-managed data centers.

If the victim enters their login credentials into the fake Microsoft login page, their account would be compromised.

Microsoft Planner Phishing Scam

Similar to the “Summer Bonus” scam, this Microsoft Planner Phishing Scam uses an email that tries to spoof a Microsoft Planner notification. As in the “Summer Bonus” scam, it has a button but this one says “Open in Microsoft Planner” and will take you to a fake Microsoft login page. An example of this email is shown below.

As with the previous scam, if the victim enters their login credentials into the fake Microsoft login page, their account would be compromised.

To avoid these scams, make sure the site you land on after clicking the button is really a Microsoft domain. If the site is a login for Microsoft then the URL should direct your browser to a legitimate Microsoft domain.

Even before clicking any buttons, look at the From address in the headers. The scammer’s display name makes it appear as if it belongs to the targeted company. The headers can show if the From email address itself is spoofed and who is actually sending the email to you. 

Always remember that if it feels “too good to be true”, then it is probably too good to be true. It is also good practice to check with a supervisor before responding to any unsolicited requests for credentials or logins that appear to come from your employer.

If you do receive any email that you suspect is a scam, please do not click on any URL or reply. Either of those actions confirms to the sender that your email address is valid. Please forward the message (with the email headers) to security@umbc.edu.

How do I forward full email headers?

https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970

The images and the original article can be found here. Please check it out for more information: 

https://www.area1security.com/blog/july-bonus-microsoft-spear-phishing/?utm_medium=email&utm_source=blast&utm_term=na&utm_content=na&utm_campaign=2020-Q3-Email-Blast-Spot-Campaign&mkt_tok=eyJpIjoiWVdKbE1HVXlOakkzWVRWaiIsInQiOiJFWnFFZVYxYXBuTFpcLytrc1hzNkFodUZ1XC9CbWRPcUROYmhMWlM0NisyZmo3K0cybFFyY0xmMnhYXC9lYUIzMit2UXZGYzFPTURmTSt2Z1cxRDkxOTladFUwVGl5Wmczd2FmZWFvSkRZZm9iN0FVZGh0TGs2b2FlazhaSFU0ZWhzbSJ9

To read more articles published by DoIT visit: 

https://itsecurity.umbc.edu/critical/?tag=notice. 

https://itsecurity.umbc.edu/home/covid-19-news/?tag=covid19

Recently DoIT has been notified that an email scammer has been trying to impersonate other UMBC staffers. The email comes from a scammer who is claiming to be someone from UMBC and has the Subject “Quick response.” An example of this phishing email can be seen below.

The email that is shown above is only the first email that the scammer will send to users to try and get their attention. In similar phishing emails, once the user responds  the scammers would claim that they were stuck in a meeting and ask the user if they could go to the store and buy them gift cards. 

Even though this email is short it still shows some red flags of a phishing email. 

• The email itself is not personalized and is very vague. The reason for this is so that the scammer can send the email to as many people as possible.

• There is a sense of urgency. Even with this email being so short, the sense of urgency comes with the subject line of “Quick response” trying to show that they need you to respond as soon as possible.

• The From email address is suspicious. Some scammers will use addresses of the form <johnsmith.umbc@gmail.com>. Without a closer examination some might assume it is coming from a UMBC source while in actuality it is coming from an unknown Google mail address.

• The email signature and name are meant to look legitimate. The scammer will try to base their phishing email on that of the person they are trying to impersonate. This will include an email signature meant to look like an actual UMBC staff member’s and the sender's name being that of the person they are trying to impersonate, often a supervisor. 

You can find other examples of similar scams here https://itsecurity.umbc.edu/critical/?id=94968 and https://itsecurity.umbc.edu/critical/?id=94950 or check out the DoIT Security page main page for more updated information.

If you do receive this or a similar email that you suspect is a scam, please do not click on any URL or reply. Either of those actions confirms to the sender that your email address is valid. Please forward the message (with the email headers) to security@umbc.edu.

How do I forward full email headers?

https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970

To read more articles published by DOIT visit: 

https://itsecurity.umbc.edu/critical/?tag=notice. 

https://itsecurity.umbc.edu/home/covid-19-news/?tag=covid19

In February 2020, the guitar tuition website TrueFire suffered a data breach. Over 600,000 individuals were affected. Information such as names, emails, addresses, account balances, and passwords were exposed. 

Five UMBC email addresses were victims of this breach. These individuals were notified via their UMBC emails and/or their recovery emails. If you have a Truefire membership, please contact them to see if you were affected by this breach. If you have any questions or concerns email us: security@umbc.edu

Information about this breach was provided to Have I Been Pwned(HIBP) by dehashed.com.

More about Truefire data breach:

https://guitar.com/news/industry-news/truefire-data-breach/https://guitar.com/news/industry-news/truefire-data-breach/

_____________________________________________________________________________________

Receive any suspicious emails?

Forward it to security@umbc.edu along with the email headers. Instructions for doing so can be found at the UMBC support wiki: https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970.

Need to set up a recovery email for your UMBC account?

Follow the instructions here: https://my3.my.umbc.edu/groups/itsecurity/posts/94776

Follow us on myUMBC:https://my3.my.umbc.edu/groups/itsecurity

The DoIT has recently been notified of a malicious actor trying to impersonate a UMBC staffer. This scammer is sending emails with the subject line “QUICK REQUEST” and asking victims if they are available with the goal of getting gift cards from the victim. An example of an email chain is shown below with the name of the From and the email signature removed for privacy reasons.

The scammer targets a department and tries to impersonate some senior person in that department. The scammer will send emails asking the victim if they are “available.” 

If the victim respondes, they will receive a second email asking the victim to purchase gift cards because the scammer is currently in a meeting and can’t do it themselves. Note that the second email has poor grammar and random capitalizations. This email also has a sense of urgency with the scammer claiming to be in a meeting and using words like “important” and the subject “QUICK REQUEST” all in caps.

Note that the sender’s address in both messages is <.umbc@gmail.com>. The full email from the scammer was shortened for privacy reasons. This address allows the victim to see the “umbc” and, without close examination, to assume that the message is coming from a UMBC source when in actuality it is coming from an unknown Google mail address. The email also had an email signature which was based on that of an actual UMBC staff member.

If you do receive this or any other email that you suspect is a scam, please do not click on any URL or reply. Either of those actions confirms to the sender that your email address is valid. Please forward the message (with the email headers) to security@umbc.edu.

How do I forward full email headers?

https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970

To read more articles published by DOIT visit: 

https://itsecurity.umbc.edu/critical/?tag=notice. 

https://itsecurity.umbc.edu/home/covid-19-news/?tag=covid19