Recently the DoIT has been notified of a malicious actor trying to impersonate a UMBC staffer. The phishing email has the subject line “TASK” and a chain of emails from the scammer can be seen below. The example has had the name and email address of the victim removed for privacy reasons.

First the malicious actor sends an email asking if the user is available to help them. Note that in the first email there is a  sense of urgency as well as a lack of personalization to the recipient. These can be red flags of a phishing email.

In the second email, the scammer asks the user if they could run out to the store and get some gift cards for a meeting that the scammer is currently in. The text continues to foster a sense of urgency using words like “fast” and “quickly”.

In the  last email the scammer asks the user for five one hundred dollar Steam gift cards. Steam gift cards are used on Steam, a video game digital distribution service. The scammer will ask the user to send them a copy of the codes on the back of the gift cards.

If you do receive this or a similar email that you suspect is a scam, please do not click on any URL or reply. Either of those actions confirms to the sender that your email address is valid. Please forward the message (with the email headers) to security@umbc.edu.

How do I forward full email headers?

https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970

To read more articles published by DOIT visit: 

https://itsecurity.umbc.edu/critical/?tag=notice. 

https://itsecurity.umbc.edu/home/covid-19-news/?tag=covid19

During the pandemic, Microsoft has seen a rise in phishing campaigns. One such campaign uses the Office 365 phishing via malicious OAuth apps. The phishing attack attempts to trick individuals into giving a malicious Office 365 app permission to their legitimate Office 365 account.

Open Authentication(OAuth) is an open standard protocol which allows users to give websites and applications access to their information without the use of a password or username. Popular sites that use OAuth include Google, Twitter etc.

When granting such access, you may see something like this:

Once the malicious Office 365 app is linked to your Office 365 account, the hackers can access your private information and any other sensitive data stored on your Office365 account. This malicious Office 365 app asks for permissions which include but are not limited to:

• Reading your contacts.

• Reading your mail.

• Reading all OneNote notebooks that you can access. 

• Reading and writing to your mailbox settings.

• Having full access to all files you have access to.

Microsoft has taken legal actions against 6 domains that store the malicious Office 365 applications.

However, you can check the apps and services that you have given consent to access your Office 365

information.

To disable these permissions:

1. Visit: https://account.live.com/consent/Manage?uaid=a11edb2059b64ae499fce9f494c2f53f

2. Click Edit

3. Click Remove these permissions

Source: https://www.bleepingcomputer.com/news/security/microsoft-warns-of-office-365-phishing-via-malicious-oauth-apps/

https://www.bleepingcomputer.com/news/security/phishing-attack-hijacks-office-365-accounts-using-oauth-apps/

_________________________________________________________________________

Receive any suspicious emails?

Forward it to security@umbc.edu along with the email headers. Instructions for doing so can be found at the UMBC support wiki: https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970.

Follow us on myUMBC:https://my3.my.umbc.edu/groups/itsecurity

According to an article by the Cybersecurity and Infrastructure Security Agency (CISA), there has been a recent phishing email campaign trying to deploy malware onto victims' devices. This malware will allow the malicious actor to steal files, capture keystrokes, take screenshots, and execute arbitrary code on infected devices.

This campaign works by sending out emails containing a Microsoft Word document. This document will have an application macro hidden within it to deploy the malware onto the victim's device. This malicious macro code can change font color from light gray to black (to trick victims into enabling content), check whether the Windows operating system is 32 or 64-bit, and construct and execute a command line to download additional files.

Once the malware is installed onto the victim's device, the malicious actor has many different techniques available to exploit the targeted system. Among these are:

• Collect user information from the infected device, for example their IP addresses, username and file data.

• Create shortcuts named Anti virus service.lnk in an attempt to hide as a legitimate file.

• Capture keystrokes.

• Take a snapshot of the current processes state of the user's machine.

• Use PowerShell to download and execute different versions of the malware.

• Execute arbitrary code on the infected device.

• Delete files.

• Gather the operating system version, architecture information, connected drives, hostname, and the computer name. Also has been able to get a snapshot of the current system state of the targets machine.

• Download and execute files on the victim's machine.

• Take screenshots of the victim's machine.

• Steal data from the victim's clipboard.

• Drop a Windows shortcut into the victim's startup folder and/or just onto the machine.

• Steal profile credential information from Firefox, Chrome, and Opera.

For more information on what the malware can do, a link to the article can be found below. The article also lists some tips for victims and administrators to strengthen their security.

• Maintain up-to-date antivirus software.

• Keep your operating system up to date.

• If possible either disable file and printer sharing services. If you have to have this enabled, use strong passwords or Active Directory authentication.

• Do not add victims to the local administrator group unless required.

• Keep and enforce strong passwords.

• Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known.

• Make sure you have your firewall up to date and enabled.

• Disable unnecessary services on workstations and servers.

• Scan for and remove suspicious email attachments.

• Exercise caution when using removable media, for example USBs and CDs.

• Scan any file that you download before using it.

If you do receive any email that you suspect is a scam, please do not click on any URL or reply. Either of those actions confirms to the sender that your email address is valid. Please do not download any attachments from a suspicious email as that could put your device at risk. Please forward the message (with the email headers) to security@umbc.edu.

How do I forward full email headers?

https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970

For more information on this topic, please check out: 

https://us-cert.cisa.gov/ncas/alerts/aa20-227a

To read more articles published by DOIT visit: 

https://itsecurity.umbc.edu/critical/?tag=notice. 

https://itsecurity.umbc.edu/home/covid-19-news/?tag=covid19

Below is another example of a phishing email campaign in which the malicious actor is claiming to be from Corestaff Services. The email below is the initial message sent out to victims to try and get to to respond with an alternate (non-UMBC) email address.

Once the victim responds with their alternate email address, the scammer will then email that address claiming that the victim got the job and asking for more information. An example of what type of information and how it is formatted in the email is shown below.

If the victim responds with their personal information, the scammer could start messaging the victim over text message and may send a fraudulent check to the victim’s postal address. If this happens to you, please do not try to deposit the check. A very similar scam is described here: https://itsecurity.umbc.edu/critical/?id=94549.

If you do receive this or a similar scam, please DO NOT respond any further or click on any URLs. If you have provided any banking or financial information, please notify your bank or financial institution immediately. If you have been sent a check, you should not attempt to cash or deposit it. If you have deposited a check already, please contact your bank and tell them that it may be part of a scam.

Whether or not you responded to the scam or not, please forward the message (with the email headers) to security@umbc.edu.  We will also keep track of any other information you submit about the scammers, such as their phone numbers if you receive a text message from the scammer.

How do I forward full email headers?

https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970

To read more articles published by DOIT visit: 

https://itsecurity.umbc.edu/critical/?tag=notice. 

https://itsecurity.umbc.edu/home/covid-19-news/?tag=covid19

DoIT has been notified of a phishing scam where the malicious actor was trying to impersonate a UMBC staffer. Below is an example of the email with the name, the email address of the sender, and the signature of the email removed for privacy reasons.

This and other similar phishing attempts seem to target certain departments of UMBC by trying to impersonate one of the staffers in that department. In previous cases of similar scams, if the user responds, the malicious actor could ask the user to send them money in the form of iTunes cards, gift cards, prepaid debit cards, money order, or even bitcoin.

In the case above, note that the scammer sent their email from a gmail and not a UMBC email. The email also tries to trick users by having “.edu” before the @gmail. 

The scammer also tried to make the email look as legitimate as possible by putting an email signature that was meant to look similar to those the persons they were impersonating. The scammer also created a sense of urgency by having the email subject be in all caps and say “QUICK REQUEST.”

If you do receive this or a similar email that you suspect is a scam, please do not click on any URL or reply. Either of those actions confirms to the sender that your email address is valid. Please forward the message (with the email headers) to security@umbc.edu.

How do I forward full email headers?

https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970

To read more articles published by DOIT visit: 

https://itsecurity.umbc.edu/critical/?tag=notice. 

https://itsecurity.umbc.edu/home/covid-19-news/?tag=covid19

The Cybersecurity and Infrastructure Security Agency (CISA) announced a new phishing email campaign spoofing the Small Business Administration (SBA). This email has the subject “SBA Application – Review and Proceed” and contains a link to a fake SBA website login page, allowing scammers to harvest credentials from unsuspecting victims. Here is an image of the malicious site, provided in CISA’s alert.

For more information, including a list of known sender addresses and URLs, please see the original alert athttps://us-cert.cisa.gov/ncas/alerts/aa20-225a.

If you receive any suspicious email, please do not respond or click any links. Instead, forward the message and full headers to security@umbc.edu.

How do I forward full email headers?

https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970

To read more articles published by DOIT visit: 

https://itsecurity.umbc.edu/critical/?tag=notice. 

https://itsecurity.umbc.edu/home/covid-19-news/?tag=covid19

Similar to other work from home phishing attempts targeting the UMBC community, this one follows the pattern. A malicious actor who claims to be from a company, in this case Cisco, offers the victim a job. This email also shows the subject line of “WORK FROM HOME” in all caps. An example of this phishing email can be seen below:

Past phishing emails attempts like this one ask the victim to reply with their personal (non-UMBC) email. Then the malicious actor would ask for more personal information such as the phone number, address, current job, and even the birthdate of the victim.

After the victim responds, they would receive another email. This email would be confirming that the victim got the job and that the scammer would be sending the first paycheck. In scams similar to this one the scammer has been known to text victims too.

If you do receive this or a similar scam, please DO NOT respond any further or click on any URLs. If you have provided any banking or financial information, please notify your bank or financial institution immediately. If you have been sent a check, you should not attempt to cash or deposit it. If you have deposited a check already, please contact your bank and tell them that it may be part of a scam.

Whether or not you responded to the scam or not, please forward the message (with the email headers) to security@umbc.edu.  We will also keep track of any other information you submit about the scammers, such as their phone numbers if you receive a text message from the malicious actor.

How do I forward full email headers?

https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970

To read more articles published by DOIT visit: 

https://itsecurity.umbc.edu/critical/?tag=notice. 

https://itsecurity.umbc.edu/home/covid-19-news/?tag=covid19

In March 2020, Chatbook, a photo print service, suffered a data breach. Approximately 15 million user records were put up for sale on a dark web marketplace. This information includes email address, names, phone numbers, social media profiles and password. 

19 UMBC accounts were affected by this breach. The affected individuals have been notified via their UMBC emails and/or their alternate emails. If you have a Chatbooks account, please contact them to see if you have been affected by this breach.

This information was provided to Have I Been Pwned(HIBP) by dehashed.com.

For more information about the Chatbooks breach visit:

https://www.bleepingcomputer.com/news/security/chatbooks-discloses-data-breach-after-data-sold-on-dark-web/

To setup a recovery email for your UMBC account follow the instructions here:

https://my3.my.umbc.edu/groups/itsecurity/posts/94776

If you have any questions or concerns email us: security@umbc.edu_________________________________________________________________________

Receive any suspicious emails?

Forward it to security@umbc.edu along with the email headers. Instructions for doing so can be found at the UMBC support wiki: https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970.

Follow us on myUMBC:https://my3.my.umbc.edu/groups/itsecurity

DoIT Security has received a new variation of a classic get-rich-quick scam, this time claiming to be from a Powerball winner who wishes to distribute millions of dollars, supposedly to lessen the impact of COVID-19. Over 5000 UMBC addresses received emails from this sender, most likely containing the same message.

From: "Bill and Helene" <kkt-co@beige.plala.or.jp>

Subject: We Have Private For Donation

Date: Tue, 11 Aug 2020 14:26:21 +0900

--

The Corona Virus (COVID-19) Outbreak isn't just a major health

crisis -- It's also a large economic disruption leading to people

Losing their Jobs and making it harder to take care of their

Families.

We know that a little financial support can go a Long Way.

I'm Bill Lawrence from Sacramento California the Winner of 150 million

United State Dollars Jackpot from the Power ball lottery held on

December 16, 2019. My Jackpot was a gift from God to me.

Hence my entire Family has agreed to do this.

We are donating $75 million to Help individuals and Small Scale

Businesses around the world.

I write to inform you that Google in alliance with Microsoft and Yahoo has submitted your

"Email" to my request to receive a donation amount of $5,000,000

Please accept this Token as a Gift From me and My Family.

We await your urgent response Via email heleneandbill97@gmail.com

Bill and Helene Lawrence

https://www.powerball.com/winner-story/150-million-powerball-ticket-claimed

Messages like these, which promise large amounts of money, are most likely advance-fee scams. Also known as Nigerian Prince scams, or 419 scams, advance-fee scams promise a large amount of money that can be claimed after paying a comparatively small fee. After a victim pays the fee, the scammer may claim to need another fee, or may vanish. Either way, victims will never receive any money in return.

In addition to the irregular grammar and capitalization, note the From address with a .jp domain, and the time zone, UTC+0900. Both of these indicate that the message originated in Japan, not California. Although the URL provided appears to be legitimate, it does not indicate that the message is really from the Powerball winner. It is always best not to click links in suspicious emails, as they may contain malware, steal personal information, or, as in this case, simply provide misleading information when used in the context of a scam email.

If you do receive any email that you suspect is a scam, please do not click on any URL or reply. Either of those actions confirms to the sender that your email address is valid. Please forward the message (with the email headers) to security@umbc.edu.

How do I forward full email headers?

https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970

To read more articles published by DoIT visit: 

https://itsecurity.umbc.edu/critical/?tag=notice.

In  the article linked below, the Better Business Bureau is warning of government imposter scams. In these scams, a malicious actor will call or even message the victim claiming to be from a government agency. Their goals are usually to steal the victim’s personal and financial information, to steal the victim’s  money or or to persuade the victim to install malware. 

According to the article, most Americans have encountered this scam before. Research done by the Better Business Bureau found that the Social Security Administration, Service Canada, the Internal Revenue Service (IRS) and the Canada Revenue Agency are among the most impersonated.

Some examples of Social Security-related impersonation scams:

• Increase a benefit: In this scam the malicious actor will claim that the victim is eligible for increased benefits, typically due to a cost of living increase. The malicious actor will request bank account details so that the money can be deposited into the victim’s account. Once the malicious actor has the banking information they are able to steal money from the account.

• Restoring Social Security Number: Some malicious actors will claim the victim's Social Security Number has been suspended. The malicious actor will ask the victim to pay for it to be restored. They may also ask for the victim's Social Security account information, which allows them to apply for benefits under the victims name.

• Social Security Number used in a crime, in this scam the malicious actor will threaten arrest if the victim does not respond immediately.
  
  

When the IRS is used as a cover instead of the Social Security Agency the scams vary, though they have many similarities to the Social Security scams.  For instance,  the malicious actor may claim to be an IRS agent and threaten the victim with arrest for unpaid taxes or even fraud. 

The only way to avoid being arrested, the victim is told,  is by paying a fine (or the unpaid taxes) immediately.  Victims are told to buy gift cards and to provide the caller with the number on the back of each card. But of course these threats are fake, and these are just scammers trying to use fear to get the victims money or information. 

Just as with phishing scams, the malicious actors follow the headlines and change their scams with thet latest news. During the Covid-19 pandemic and after the passage of the Coronavirus Aid, Relief, and Economic Security (CARES) Act, scammers started to claim to be from the CDC or the United States Treasury Department in order to manipulate and steal personal and financial information from victims.

Some examples of Covid-19 related impersonation scams are: 

• Relief benefits: Malicious actors claiming to be from the IRS and offering to expedite benefits under the CARES Act.

• Fake donations: Malicious actors claiming to be from the CDC requesting donations. Email and text messages making these claims may arrive with malware or URLs that could cause harm to the victim's device.

• Contact tracing scams: Email, texts, or messages on social media claiming to be from contact tracers informing the victim that they have come in contact with someone who has tested positive for Covid-19. These scammers seek personal information and/or send messages that may contain malware. For official information on contact tracing efforts in Maryland please visit https://coronavirus.maryland.gov/pages/contact-tracing.

Scammers have also threatened arrest for missing jury duty, impersonated immigration officials threatening to deport the victim, and offered free money in the form of government grants.

Some red flags to watch for to see if the person claiming to be from a government agency is actually a malicious actor:

• The IRS generally first contacts people by the postal mail. Never provide your bank account or other personal information to anyone who calls you.

• Don’t pay by gift cards. The IRS and other government agencies will not idemand or even accept payment using iTunes cards, gift cards, prepaid debit cards, money order, bitcoin or cash.

• The IRS will never request personal or financial information by email, text, or any social media platform. Do not click on any links in unsolicited emails or text messages.

• Social Security numbers are never “suspended”.

• Caller ID cannot be trusted to confirm that the source is from a government agency. Look up the phone number for the agency and call to see if they are really trying to contact you.

• The Social Security Administration will never threaten to arrest you because of an identity theft problem. 

If you do receive any email that you suspect is a scam, please do not click on any URL or reply. Either of those actions confirms to the sender that your email address is valid. Please forward the message (with the email headers) to security@umbc.edu.

How do I forward full email headers?

https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970

For more information, please check out: 

https://www.bbb.org/article/news-releases/22775-government-impostors-study

To read more articles published by DOIT visit: 

https://itsecurity.umbc.edu/critical/?tag=notice. 

https://itsecurity.umbc.edu/home/covid-19-news/?tag=covid19