
CYBERSECURITY

The NJLTA is pleased to present the latest news in cybersecurity.

______________________________________________________

How to detect mortgage wire fraud before it is too late

A day-by-day look at a fraud case

Wire fraud victims have few options once they discover they’ve been had. But when minutes mattered, one Michigan homebuyer enlisted the help of a few friends—and made a recovery. What follows is an actual instance of mortgage wire fraud. Here's how it got detected, before it was too late.

Tuesday, November 28, 2017, 9:28 a.m. EST: Although the stiff breeze was perfectly normal for a late autumn afternoon, the bright sunshine and 60-degree temperatures contrasted starkly with the Christmas decorations adorning downtown Grand Haven, Michigan.  But, lost in his thoughts, Tom Erickson didn’t have time to take in the scenery as he strode to his office. He had just reached an agreement with the owner of a property adjacent to his own on the East side of town – he would be purchasing the new property for $135,000 cash. He was familiar with the seller’s real estate agent...

Click here to learn more

______________________________________________________

Four Ways To Protect Yourself And Your Devices On Public Wi-Fi

Starbucks has cemented an image of itself as America’s coffee shop. A national franchise, the company has over 13,000 locations nationwide. The coffee chain has made concerted efforts to accommodate its customers, including offering complimentary public Wi-Fi and plenty of 120-volt outlets at its stores to power mobile devices.

Click here for more information

_______________________________________________________

DAVID W. MYERS: Buyers become more vulnerable as computer hackers hone their skills

As the prime spring home buying season heats up, so does a new twist on an email scam that can delay a sale’s closing date — or worse, cost buyers thousands of dollars.

DEAR MR. MYERS: We agreed to buy a house, and the deal was set to close on April 13. A few days before the scheduled closing date, we received an official-looking email providing us with final instructions for where the money needed to complete the transaction should be wired. We were suspicious because the new instructions were different from the ones that we had originally received, so we called our agent and he discovered that it was a complete scam! It took a few extra days to clear up the mess and close the deal, but at least we didn’t lose any money. Please let your readers know about this type of fraud.

Click here for answer

______________________________________________________

Dropbox Phishing Campaign Targets NJ Accounts

The NJCCIC has detected a phishing campaign targeting New Jersey agencies that is crafted to obtain login credentials for Dropbox accounts. As Dropbox is a common platform used by businesses and organizations to share and access files remotely, compromised credentials could pose a significant risk to data security. This campaign delivers unsolicited emails with an embedded URL that redirects users to a fraudulent Dropbox login page designed to mimic the legitimate website. Email subject lines observed in this campaign include “Re: Statement,” “document,” “Confidential documents from,” and “Dropbox From.” The phishing emails have contained attachments titled “anz group_confidential.pdf,” “scanned with Xerox.pdf,” and “contract.pdf.” According to Proofpoint’s “The Human Factor Report 2018,” Dropbox account phishing was the top phishing attack by volume. The NJCCIC strongly recommends educating end users about this and similar threats and reminding them never to click on links delivered in unexpected or unsolicited emails, especially to visit websites requiring the input of account credentials. Users who receive unexpected or unsolicited email requests from known senders inviting them to click on a link or open an attachment should always verify the sender via another means of communication before taking any action. Enable multi-factor authentication on all accounts that offer it to prevent unauthorized access as a result of credential compromise.

Reprinted from the NJCCIC Bulletin

______________________________________________________

Bank regulators issue guidance on cyber insurance

Federal bank regulators issued a statement on April 10 alerting banks of risk management issues regarding cyber insurance coverage.

The statement was issued jointly by the Federal Reserve, FDIC, OCC, NCUA and CFPB through their affiliation in the Federal Financial Institutions Examination Council (FFIEC).

Statement cites cyber incident risk and role of insurance

The statement acknowledges the increasing number and sophistication of cyber incidents, such as data breaches, that make consideration and evaluation of cyber insurance protections worthwhile for banks of all sizes.

Although the regulators do not require banks to obtain cyber insurance coverage, the statement explains that such coverage can be an important part of a bank’s overall risk management program by offsetting losses stemming from cyber incident risks. Those losses can result from customer identity theft, fraud and even extortion. Losses can include income decreases, lawsuits, regulatory fines and reputation damage.

Evaluation of cyber insurance coverage and related risks

In considering a cyber insurance policy, the statement advises each bank to involve multiple stakeholders within its organization (for example, legal, risk management, IT and financial staff) to review the bank’s existing control environment and related cyber risks. The statement also advises banks to consider due diligence to evaluate existing and potential cyber insurance coverage by:

  • Reviewing coverage scope and identifying gaps;
  • Understanding coverage triggers, limits, sub-limits, exclusions and costs;
  • Assessing the financial strength and claims paying history of the insurance carrier;
  • Understanding the policy’s risk management requirements for the bank that may impact coverage; and
  • Avoiding over-reliance on insurance coverage to mitigate cyber risks.

Cyber insurance policy variances

Cyber insurance can be obtained in stand-alone policies. General liability and other types of standard insurance policies may include some coverage for cyber incidents, but banks should not assume this without confirmation. The standard general liability policy, typical directors’ and officers’ liability policies, and many other liability policies are unlikely to satisfy first party loss suffered by the insured, including its expenses in responding to a cyber incident.

Cyber insurance policy coverage can vary greatly by provider and policy type, so banks should be careful to ensure that they fully understand their existing and potential coverage to properly manage cyber risks.

Thompson Coburn cyber insurance program and cyber incident response practice

In 2017, Thompson Coburn presented an overview of cyber insurance coverage issues and risks for the Association of Corporate Counsel, entitled “Are you protected? Insurance coverage for cyber risks” at the St. Louis Chapter Corporate Counsel Institute. This presentation (which is accessible via the link above) provided a more in-depth review of some of the issues addressed in the FFIEC joint statement.

Thompson Coburn partners have advised clients on cyber insurance issues through evaluation of policies being reviewed, as well as through the claims process that unfolds after a cyber incident. Thompson Coburn also has a cybersecurity practice group devoted to managing cyber incident response for clients.

Click here to learn more

______________________________________________________

New home buyers nearly scammed $180,000 in wire transfer scheme

KENT COUNTY, MI -- After a new home buyer was nearly scammed out of $180,000 in a wire-transfer scheme, police are warning home buyers to be cautious about making large financial transactions without double-checking with other parties in the deal.

Kent County sheriff's deputies said a person buying a new home was scheduled to close in a few days when they received two emails that appeared legitimate -- one from their builder and another from their bank -- requesting they send their down payment by wire instead of the usual cashier's check at closing.

______________________________________________________

Types of Firewalls: What IT Security Pros Need to Know

Firewalls are as central to IT security as anti-virus programs are to PCs, and the multi-billion-dollar market remains large and growing.

In the broadest terms, firewalls are like bouncers or doormen: They stand at the entrances to corporate networks, applications, databases and other resources, scrutinizing incoming (and outgoing) data traffic, and deciding what can pass through those entrances and what should be rejected.

But the term "firewall" is far too broad to be of much use to IT security buyers. There are many different types of firewalls, each of which works in different ways to protect different types of resources, both within data centers and corporate perimeters and outside in the cloud.

Here are the most important types of firewalls you need to know about:

Click here to learn more

______________________________________________________

Rapid Ransomware Impacts NJ Organization

The February 15, 2018 NJCCIC Weekly Bulletin contained a Threat Alert detailing an emerging email scam campaign attempting to deliver Rapid Ransomware to victims in the form of fraudulent correspondence from the Internal Revenue Service (IRS). This week, the NJCCIC received a report from a New Jersey organization that was recently infected with Rapid Ransomware, possibly via Remote Desktop Protocol (RDP) compromise. Rapid Ransomware was first discovered in January 2018 and is an especially disruptive variant as the malware deletes Volume Shadow Copies and disables automatic repairs, making restoring files nearly impossible without comprehensive and unaffected backups of the impacted data. Additionally, Rapid Ransomware stays active and continues to encrypt files after the initial infection process. Last week, a second version of Rapid Ransomware was detected, which suggests that this campaign will remain active and target additional victims. The NJCCIC would like to remind members that the best way to ensure the integrity and availability of data before, during, and after a ransomware attack is by implementing a comprehensive data backup and recovery plan that includes regularly testing backups, storing them off the network, and keeping them in a secure location. Additionally, keep all systems and software updated to the latest vendor-supported patch levels to mitigate against the exploitation of known vulnerabilities. For a list of additional ransomware mitigation strategies, please download our two-page guide here. If you are targeted by this or another ransomware campaign, please report the incident to your local police department and the FBI, either directly to their local field office or through their website at www.ic3.gov. You may also report it to the NJCCIC via the Cyber Incident Report Form on our website.

Reprinted from the NJCCIC Bulletin

______________________________________________________

New SMS-Based Phishing Campaign Targets NJCCIC Analyst


On March 28, the NJCCIC detected a new SMS-based phishing campaign designed to obtain security PINs associated with mobile carrier accounts when one of our analysts received a text message on her phone instructing her to update her PIN by visiting a URL included in the message. This particular SMS message masquerades as official correspondence from AT&T, but originates from a suspicious phone number and contains grammatical errors. The URL included in this message, attonline[.]net, was newly registered on March 25 and leads to a phishing page that displays the AT&T logo and provides fields for the victim to enter his or her name, phone number, billing zip code, and current account PIN. Information submitted through this page will then likely be used by the malicious actor behind the campaign to contact the associated mobile carrier, impersonate the victim, and port the victim’s phone number to a phone or SIM card that is in the actor’s possession. Once the targeted phone number has been successfully ported, the malicious actor can then use it to gain access to any of the victim’s accounts that have SMS-based two-factor authentication (2FA) enabled, such as email, social media, and financial accounts. The NJCCIC recommends maintaining awareness of SMS-based phishing attacks and avoiding clicking on URLs contained within unexpected and unsolicited text messages. Additionally, never reply to any unsolicited text message that requests personal or sensitive information. If you have questions or concerns regarding your mobile carrier account, we urge you to contact the company directly via their official website or designated customer support number. For more information about mobile number porting scams, please read our blog posts titled Hackers Are Circumventing 2FA and Here's What You Can Do About It and Protect Your Mobile Phone Numbers from Porting Scams.

______________________________________________________

Hackers impersonating mortgage and title staffers in wealthy Texas suburb to steal down payments

Police in Southlake issue warning about imposters

Hackers are posing as mortgage and title insurance company employees in order to steal the down payments of homebuyers in one of the wealthiest cities in the country.

Police in Southlake, Texas, a suburb of the Dallas/Ft. Worth Metroplex and the fourth wealthiest city in the U.S., based on data from the Census Bureau, issued a warning this week about scammers who are hacking into the email accounts of real estate professionals and then posing as title company employees in order to steal a homebuyer’s down payment.

And in Southlake, the down payments can be quite high.

According to the Southlake PD, they’ve seen about 10 cases in the last six months where hackers attempted to steal a homebuyer’s down payment.

And this is hardly the first time a scam like this has been uncovered.

Click here to learn more

______________________________________________________

Local home buyer loses $31,000 in mortgage closing scam

FORT WAYNE, Ind. (WANE) – The housing market in the Summit City is booming but buyers should beware. Home buyers are being scammed out of the money they thought was going towards a down payment.

At least two people have been targeted to the tune of tens-of-thousands of dollars.

The scams use what’s called mortgage wire fraud, the largest and fastest-growing scam affecting homeowners in the United States, according to an expert NewsChannel 15 spoke with...

Click here to learn more

______________________________________________________

7 Ways to Prepare for a Cybersecurity Audit

Start by counting your devices, then move onto these other key steps. 

 

Data breaches, phishing attacks, information disclosure – the Internet can be a scary place. Conducting a cybersecurity audit (or getting a third-party assessment) is a great way to understand your organization’s cybersecurity posture. But, like preparing for any exam or review, getting ready for a cybersecurity audit can be intimidating. While every security assessment will be a bit different, here are seven ways you can prepare for your next cybersecurity audit.

#1: Count your devices

How can you protect something if you aren’t aware it’s out there? The first step for any good security plan is to count every device that’s connected to your network. Be sure to include not just desktops and laptops, but also cell phones, printers, or security systems which are integrated...

Click here to learn more

______________________________________________________

Fraudulent Windows Prompt Targets Domain Credentials

Threat actors are utilizing a PowerShell script recently posted on GitHub to generate fraudulent request prompts that attempt to steal Windows domain credentials. If a user enters their credentials, the script will attempt to validate the victim’s domain and, if successful, will transmit the username and password to a remote server. If the credentials are deemed incorrect, the script will continuously display a prompt until the process is manually terminated. Users can close the prompt by opening Task Manager and terminating the “Windows PowerShell” process. Researchers have warned that this script can be altered to display more convincing titles; however, the prompt will still display the blue ribbon and an image of a set of keys. The NJCCIC strongly recommends educating end users about this and similar threats and reminding them to be wary of suspicious prompts requiring the input of account credentials.

Reprinted from the NJCCIC Bulletin

______________________________________________________

Cybercrime And How To Prevent It [INFOGRAPHIC]

With the growth in ecommerce comes a huge risk to businesses and the personal and financial information they hold; never before has this information been such a high-risk asset.

Although there are constant new developments being made to combat these crimes, there are also new and ingenious ways hackers and cybercriminals develop to get around them.

Cybercrime comes in many shapes and forms: malware, stolen devices, DDoS attacks, malicious programs, web-based attacks, and ransomware, to name but a few.

Online businesses are often targeted across all industries, including the medical and healthcare fields which are particularly valuable due to the sensitive information they hold. It is not just businesses which are under threat – as an individual you are likely to have been the subject of... 

Click here to learn more

______________________________________________________

Cyber At a Glance

Digital Copiers are Computers, Too - The Importance of Securing Physical Documents
Comment: Although often overlooked and forgotten when it comes to security, multifunction printers can pose a significant risk to data and networks when improperly configured. Printers with open and exposed ports as well as default login credentials or no user authentication requirements can allow both internal and remote threat actors to gain unauthorized access to the device and potentially sensitive data stored within its memory. Secure network-connected printers by closing unneeded ports, requiring user authentication and implementing user-based access control, and encrypting all data traveling between the printers and other devices. Clear printer memories often, especially before decommissioning them, and track and log all printer activity in the event any are discovered to be the source of a data breach.

Reprinted from the NJCCIC Bulletin

_______________________________________________________

Microsoft CFG

Researchers from the University of Padua discovered a flaw that exists within the Control Flow Guard (CFG) in Microsoft Windows 8.1 and all versions of Windows 10. The CFG is a countermeasure Microsoft implemented to protect Windows-based systems from memory corruption vulnerabilities that exist in some software and is designed to prevent a threat actor from hijacking a program’s control flow and directing it towards malicious code. It is estimated that more than 500 million Windows systems currently have this protection in place. However, the researchers produced an exploit, dubbed Back to the Epilogue (BATE), that calls portions of code and chains them together to bypass CFG restrictions. The researchers have disclosed the vulnerability to Microsoft and plan to demonstrate the exploit at the Black Hat Asia conference in Singapore later this month. The NJCCIC recommends all users and administrators of systems running Windows 8.1 and 10 review the Dark Reading article and apply the appropriate patch when it becomes available.

Reprinted from the NJCCIC Bulletin
______________________________________________________

Compromised MailChimp Accounts Exploited in Malware Distribution Campaign

Several recent open source reports indicate that a malicious email campaign attempting to deliver the Gootkit banking trojan to victims is originating from MailChimp, an email marketing platform. My Online Security suggests that MailChimp is an attractive distribution vector for these campaigns because emails originating from the platform pass authentication checks and many mail providers whitelist MailChimp by default as it is commonly used by various organizations to send legitimate mass emails. One victim reports that a malicious actor gained unauthorized access to his MailChimp account and imported a list of 250,000 subscribers, spamming them with malicious emails and subsequently deleting the evidence from the account’s “Sent” folder. He believes that, had he enabled two-factor authentication (2FA) on his MailChimp account, the compromise may have been prevented. It is not yet confirmed whether compromised account credentials or an unaddressed MailChimp vulnerability are to blame for the unauthorized account access. The NJCCIC recommends all MailChimp account users enable 2FA on their accounts as soon as possible and inspect their accounts for suspicious activity. If any accounts are suspected of sending malicious emails, report the issue to the MailChimp Abuse Desk immediately.

Reprinted from the NJCCIC Bulletin
______________________________________________________

Cyber Tip: How to Build Strong Passwords

Passwords are critical gateways to your company’s databases and networks. But they’re also potential open doors for hackers. Up there with “password” and “qwerty” in the Hack Me Hall of Fame are passwords that are short common terms like team names, dog breeds, dates and other easy-to-guess options. They’re risky on two fronts, according to the Federal Trade Commission. First, an up-to-no-good insider will take one look at the screensaver of an employee's adorable sheepdog Ralphie and immediately try “sheepdog” and “Ralphie.” Second, common words are particularly susceptible to dictionary attacks, the tech equivalent of the million monkeys at a million typewriters that systematically try every conceivable word until they hit pay dirt. When creating passwords, remind your employees to skip those obvious choices. This is one time when good spelling can lead to bad results.

Longer passwords are better, of course, but they can be harder to remember. So how can businesses balance security and practicality? The FTC suggests considering the passphrase as an alternative. Hackers aren’t likely to guess a nonsense word like “iwtraranaped,” but the guy in the next office who plays in a Kiss cover band on weekends will instantly remember “I want to rock and roll all night and party every day.” Careful companies layer in mandatory numbers, symbols, or cases, making “iW2r+ran+ped!” an even stronger option. If your business requires employees to change passwords periodically, the Ace Frehley wannabe can simply move on to the next line of the song.

Here are some tips on building strong passwords.

A Strong Password Should:

  • be at least 8 characters in length
  • contain both upper and lowercase alphabetic characters (e.g. A-Z, a-z)
  • have at least one numerical character (e.g. 0-9)
  • have at least one special character (e.g. ~ ! @ # $ % ^ & * ( ) - _ + =)

A Strong Password Should Not:

  • spell a word or series of words that can be found in a standard dictionary
  • spell a word with a number added to the beginning and/or the end
  • be based on any personal information such as family name, pet, birthday, etc.
  • be based on a keyboard pattern (e.g. qwerty) or duplicate characters (e.g. aabbccdd)

The following are vital suggestions for using passwords:

  • Do not share your password with anyone for any reason.
  • Change your passwords periodically—at least every three months.
  • Do not write your password down or store it in an insecure manner. Never store a password in an unencrypted electronic file or use the "save my password" feature on websites for important passwords.
  • Do not use automatic logon functionality on websites or devices.
  • Avoid reusing a password.
  • Avoid using the same password for multiple accounts or sites.
  • If you have an in-home Internet router, change the default password. Each router has a basic default username and password combination. This makes it easier for hackers to break into your network.

______________________________________________________

7 Tips to Enhance Cybersecurity Awareness in Your Organization

March 8, 2018

By Blaise Wabo

A recent study has shown that the average size of a data breach has increased 1.8 percent to more than 24,000 records since 2016. It is now more important than ever to implement preventative measures to help mitigate the risk of cyber attacks and train employees on cybersecurity best practices.

The weakest link is often not the technology itself, but the users who can unknowingly cause a security incident through events such as opening a phishing email or allowing a visitor on-site without checking their access. Due to these risks, organizations must invest in their employees by teaching them how to prepare for, prevent and respond to these risks as they arise. Here are seven tips for enhancing and educating your employees on cybersecurity awareness.

1. Education from the Top Down

This is number one for a reason. Individuals in management may think that because they have an incredible IT Security Director at the helm, their duties regarding risk mitigation are fully out of their hands. However, ensuring that management and employees fully understand the potential cybersecurity risks innate to your organization is important in preventing attacks.

The development of policies and procedures on how to prevent data breaches is essential, and educating employees both new and old on these policies and procedures is critical. Because the cybersecurity landscape is constantly changing, regularly educating management and employees on updated cybersecurity policies and procedures is important in mitigating risk. In addition, your organization should inform employees on new scams or potential new risks as they arise—for example, new phishing scams or websites with potential vulnerabilities.

2. Social Engineering and Phishing Scams

Typically, there are a few details that can indicate that an email or website may not be coming from a legitimate source. These tells include poor spelling and grammar, an abnormal sender, and unfamiliar URLs. Abnormal requests, such as an unanticipated account verification, can also indicate that an email is part of a phishing scam. Verify the source before making a click.

3. Change Your Passwords Periodically

Do you use the same password across all of your accounts and devices? In the event your account is compromised, utilizing the same password across platforms makes it easy for hackers to access your information. Additionally, failing to change default passwords immediately is a serious vulnerability that can compromise your system, as defaults tend to be the same across all systems and accounts. This lack of oversight can damage the security of a system.

New rules for creating passwords were announced by the National Institute of Standards and Technology (NIST), which include having a password between 8 and 64 characters long, and using longer phrases that are easier to remember. Furthermore, you can implement two-factor authentication. This will provide a secondary form of authentication outside of your typical password, which will strengthen your security.

4. Verify Sites

Before conducting any activity on a site, users need to make sure that the site is secure. You can check to see if the site is using a secure certificate and employing SSL (Secure Sockets Layer) to secure your data in transit. This can often be done by looking at the address bar in your internet browser. Google Chrome users can often see whether a site is using SSL by looking for a green lock displayed to the left of the web address. Look for the lock!

5. Disable Automatic Wi-Fi and Bluetooth Connection

When you are in public, your phone and computer can automatically connect to an unsecured WiFi or mobile hotspot. In addition, it might connect to other devices through your Bluetooth capability. Be sure to disable this auto-connection feature on your phone to ensure you are safeguarding your personal information and to keep hackers at bay.

6. Always Secure Your Devices

Your device, whether it’s your computer, tablet, or phone, contains valuable, sensitive information. It’s important to always lock your device when you are away from it, to prevent hackers from having access. Additionally, implementing two-factor authentication (as noted in tip three) will increase the security of your devices when you are away.

7. Be Conscientious about What You Are Sharing

This might be an obvious one, but people tend to share sensitive information without realizing it. A hacker can use information like your birthday, address, where you work, and even pictures of your family to compromise your account. Consequently, the more information a hacker has on you, the easier it is for them to steal your identity.

Making Sense of the Information Security Tips

Managing cyber-risk is a multi-faceted, organization-wide effort that requires implementation from the top levels down. With these seven information security tips in mind, you can protect your personal information and identity to prevent a data breach from occurring in your organization. For more information regarding cybersecurity and data protection, review The Ultimate Cyber Defense Guide to educate employees on the data breach landscape and cybersecurity best practices.

Blaise Wabo is a managing consultant at A-LIGN, which focuses on performing SSAE 16, SOC 2 and ALTA Best Practices certifications in the title insurance and settlement industry. He can be reached at blaise.wabo@a-lign.com or 888-702-5446 x129.

______________________________________________________

Closing Attorney Scams: Avoiding Fraudulent Wire Transfers

As we move into the busy spring real estate cycle, criminals are targeting real estate agents and closing attorneys with increasing frequency. The scam begins with what appears to be a legitimate email from a party involved in a real estate transaction with the anticipated wire transfer instructions. The email is sent from a buyer's real estate agent with instructions on where the buyer should send a down payment, or from seller's counsel to the closing attorney. What you don't know is that a criminal has broken into the email of the realtor, watched email traffic and sent an instruction to wire the funds to their account rather than the valid account. Once the funds are wired, the thief tests the transaction via a transfer to another bank or an over-the-counter withdrawal that is typically under the $10,000...

Click here to learn more

______________________________________________________

Mobile bankers beware: Sophisticated hacks soar

Moneywatch: Kathy Kristof

If you bank by phone, you better be careful. Malicious mobile-banking software aimed at taking over consumer bank accounts has threatened up to 10 percent of consumer cell phones, security experts warn. Worse, the software is so sophisticated that it can easily trick even savvy consumers into divulging their banking credentials to the crooks.

"When it is installed on a device, it will display overlays that are legitimate-looking screens that prompt you to log into your bank account," said Michael Flossman, head of threat intelligence at Lookout, a mobile security service. "And the software knows to wait to serve that screen until you are trying to legitimately contact your bank."

Lookout analyzed 30,000 mobile devices with one or more major banking apps installed. The mobile threat histories of these devices... 

Click here to learn more

______________________________________________________

Report: Cybercrime May Have Cost 0.8 Percent of 2016 Global GDP

Russia, North Korea and Iran named as top perpetrators of cybercrime

Theft of personal data, loss of intellectual property and opportunity costs stemming from these and other cybercrimes in 2016 may have cost the global economy 0.8 percent — or as much as $600 billion — according to a report released Wednesday.

The growing spread of computer connectivity, easy availability of malware and the ability to monetize stolen information is leading to an explosion in cybercrime, according to the report, titled Economic Impact of Cybercrime. It was prepared by the Center for Strategic and International Studies, a...

Click here to learn more

______________________________________________________

Microsoft Outlook Web Access Phishing Campaign Targets NJ Employees

The NJCCIC continues to observe a phishing campaign impacting New Jersey agencies that is crafted to obtain Microsoft Outlook Web Access (OWA) account credentials. As OWA is a common platform used by businesses and organizations to grant remote webmail access to employees, compromised credentials could pose a significant risk to network security. This campaign delivers unsolicited emails with an embedded URL that redirects users to a fraudulent OWA login page. Once a user enters their credentials into the phishing website, they are redirected to the legitimate Microsoft OWA page and prompted to log in again. The NJCCIC strongly recommends never using links provided in unsolicited emails to visit websites requiring the input of account credentials. Users who receive unexpected or unsolicited email requests from known senders inviting them to click on a link or open an attachment should always verify the sender via another means of communication before taking any action. Enable multi-factor authentication on all accounts that offer it to prevent unauthorized access as a result of credential compromise.

Reprinted from the NJCCIC Bulletin

______________________________________________________

Extortion Email Scam Targets NJ Residents

The NJCCIC has detected a malicious email campaign threatening to encrypt all files on the recipient’s device if $139 worth of Bitcoin is not sent to the perpetrator of the campaign within the allotted timeframe. Emails associated with this campaign inform the recipient that they have accidentally downloaded malware and they have twenty-five hours to pay the attacker before encryption will take place. Subject lines include random text such as “You should hurry up,” “Your happiness depends,” and “I collected very interesting content,” and are sent from email addresses including:

community[@]korrumpedia[.]org, finance[@]korrumpedia[.]org, careers[@]korrumpedia[.]org, employment[@]korrumpedia[.]org 

The body of the email includes the following text:

Good evening…You have loaded my deleterious software by accident. The deleterious software encrypts your data with Advanced Encryption Standard. Following encoding this virus may freeze your system without potential to rescue drives. Reserve copy will cause the freezing. Clearly that its a ransomware. In case if you would like to keep your drives and files pay me 139 dollars in btc(cryptocurrensy). I take solely full sum. After payment I will share with you manual which will help you to destroy my ransomware.

It is important to note that, if you have received this type of email, it is not an indication that you have been infected with ransomware or any other malware variant. The NJCCIC strongly recommends educating end users about this and similar threats and reminding them to be wary of unsolicited emails, especially those that create a sense of urgency.

Reprinted from the NJCCIC Bulletin

______________________________________________________

Indiscriminate Wi-Fi Router Exploit Campaigns

With broadband internet access now a staple for the vast majority of homes and businesses in NJ, the Wi-Fi routers that connect them to the internet have become prime targets for cybercriminals. The NJCCIC continues to detect credential exploit attempts indiscriminately targeting internet addresses throughout the state in an effort to compromise vulnerable routers. The majority of this activity appears to be directed at ASUS and Netis/Netcore routers, which are easily accessed by unauthorized users through the exploitation of a hard-coded credential vulnerability. The NJCCIC recommends users change the default passwords to all internet-connected devices, including routers, patch and update the firmware if possible, and consider decommissioning the use of devices that have permanent, hard-coded vulnerabilities that cannot or will not be patched by the vendor or manufacturer.

Reprinted from the NJCCIC Bulletin

______________________________________________________

Breach Notification

Kromtech security researchers discovered an Amazon S3 bucket set for public access originally belonging to Bongo International, a company that was bought by FedEx in 2014. The exposed bucket contained drivers' licenses, national ID cards, work ID cards, voting cards, utility bills, resumes, vehicle registration forms, medical insurance cards, firearms licenses, US military identification cards, and credit cards that customers used to verify their identity with the FedEx division. Kromtech contacted ZDNet reporter, Zack Whittaker, who was able to get the bucket secured and removed from public access. The NJCCIC recommends administrators of Amazon S3 storage buckets review our previous NJCCIC Cyber Alert on the risks associated with misconfigured S3 buckets, audit their security settings, and implement the recommended mitigation strategies provided as soon as possible. Bongo International and FedEx customers whose information may have been exposed should closely monitor their financial banking statements and consider placing a security freeze on their credit files by contacting the three major credit bureaus.

 

Reprinted from the NJCCIC Bulletin

_______________________________________________________

Spam Campaign Delivers Password-Stealing Malware

Researchers with Trustwave recently detected an email spam campaign that delivers password-stealing malware to end users via a PowerShell script. The infection takes place in a multi-stage process that initiates when users open a .DOCX file which, in turn, downloads a remote rich text file (RTF) document that exploits the Microsoft Equation Editor tool (CVE-2017-11882). This malware targets email, FTP, and browser client credentials. Subject lines associated with this email campaign include “SWIFT COPY FOR BALANCE PAYMENT,” “Telex Transfer Notification,” “Request for Quotation (RFQ),” and “TNT STATEMENT OF ACCOUNT.” The NJCCIC recommends users and administrators keep their Windows OS and Microsoft Office software updated and scan their environments for the Indicators of Compromise (IoCs) provided in Trustwave’s report.

Reprinted from the NJCCIC Bulletin

_______________________________________________________

IRS Email Scam Distributes Rapid Ransomware

Emails masquerading as official correspondence from the Internal Revenue Service (IRS) are attempting to deliver a new variant of Rapid Ransomware to unsuspecting victims. According to My Online Security, emails associated with this campaign have subject lines such as “Please Note - IRS Urgent Message-164” and notify users in the body of the email that they are overdue on their real estate taxes by several months. Recipients are instructed to review a comprehensive report contained within an attached ZIP file, labeled Notification-[number].zip. Instead of containing the report, the ZIP file contains a Word document with embedded malicious macros. If these macros are enabled, they will download Rapid Ransomware onto the system. This variant appends .rapid to the names of encrypted files and opens several ransom notes in Notepad labeled recovery.txt. The NJCCIC strongly recommends users avoid enabling macros unless they are aware of a specific reason why a document requires macros to run, and avoid clicking on links or opening attachments delivered with unexpected or unsolicited emails.

Reprinted from the NJCCIC Bulletin

 

______________________________________________________

Threat Alerts

Internet Crime Complaint Center Impersonation Campaign

The FBI has released an alert warning citizens of a scam campaign impersonating the Internet Crime Complaint Center (IC3), a website operated by the FBI Cyber Division that allows individuals to submit cybercrime-related tips and information. The agency became aware of the campaign after receiving a number of complaints from victims who received emails masquerading as legitimate IC3 communications. These emails claimed that recipients were due restitution as a result of having been a victim of cybercrime and offered to pay them in exchange for additional personal information. The FBI has also identified at least one fraudulent IC3 social media page that may be associated with this campaign. The NJCCIC recommends reviewing FBI Alert I-020118-PSA and maintaining awareness of this and similar scams. To submit a tip or complaint to the IC3, we recommend visiting the FBI’s IC3 website directly at www.ic3.gov and refraining from submitting personal information via email or social media platforms.

Reprinted from the NJCCIC Bulletin

_______________________________________________________

Emotet Campaign Uses Invoice-Themed Emails to Target New Jersey Employees

The NJCCIC has detected an increase in emails attempting to deliver the Emotet banking trojan to unsuspecting New Jersey victims. Additionally, the NJCCIC has received reports from members who have also been targeted with Emotet, indicating the campaigns’ pervasiveness. These emails often reference a nondescript invoice or overdue payment in the subject and body, and contain a link that leads to a Microsoft Word document hosted on a remote server. If recipients open the document and enable the macros, a PowerShell script will run and install Emotet onto their systems. According to Proofpoint, Emotet has been observed loading Dridex, Qbot, Gootkit, and IcedID onto infected systems. The NJCCIC strongly recommends educating end users about this and similar threats and reminding them never to click on links or open attachments delivered with unexpected or unsolicited emails. Additionally, if end users have received and taken action on these emails, isolate the affected systems from the network and perform a full system scan using a reputable anti-malware solution. If an Emotet infection is strongly suspected but your antivirus solution cannot detect or remove it, consider reimaging the affected system’s hard drive. Also, proactively monitor and change passwords to any financial, personal, or business accounts accessed on infected systems and enable multi-factor authentication where available.

Reprinted from the NJCCIC Bulletin

______________________________________________________

Spam Campaigns Distributing Malicious Links Hidden Behind URL Shorteners

The NJCCIC has detected several spam email campaigns over the past week using popular URL shortening services to embed malicious links within the body of the emails. If clicked, these shortened URLs redirect the user to phishing sites designed to steal login credentials and to websites used to conduct click-fraud. Common URL shorteners used in these campaigns include tiny.cc, bit.ly, ow.ly, goo.gl, and t.co. Although there are legitimate uses for URL shortening services, particularly on websites that impose character limitations on content generated by their users, the NJCCIC strongly recommends users refrain from clicking on links obscured by URL shorteners as the true destination of the embedded link is not revealed until after the user has been redirected to the landing page. This potentially exposes users to compromised websites that contain malware or phishing sites designed to steal account credentials and other sensitive information. If users must click on links obscured by URL shorteners, we recommend using an online URL expanding service to verify the destination of the link.

Reprinted from the NJCCIC Bulletin

______________________________________________________

5 Skills Cybersecurity Pros Will Need in 2018 

Cybercrime has never been so common and it’s now easier than ever for criminals to launch attacks. As a result of easy-to-use hacking tools, novices without programming experience can perform potentially devastating hacks.

In response to the growing demand for cybersecurity and to protect against increasingly complex attacks, security skills are in high demand. According to data from the Bureau of Labor Statistics, cybersecurity professionals earn an average salary of $116,000—nearly three times the national average.

In response to the rapidly evolving cybersecurity landscape, professionals must keep their skills sharp. These are 5 skills that cybersecurity professionals should consider investing in for 2018.

1. Cloud Security

Cloud computing has transformed the way organizations... 

Click here for more information

______________________________________________________

Avoiding Fraud: Key Practices in Real Estate

 By Suzanne De Vita
RISMedia

Did you know it can take cyber criminals one day to decipher an eight-character password? Did you know it can take them 591 days to figure out a 10-character one?

“It is a crime for anyone to exceed their authorized access to a computer or computer network or system,” explained Martin Hellmer, a supervisory special agent for the FBI, in a recent Realty Executives webinar on wire fraud. “It can be as simple as someone gaining access to someone’s email account because they’ve learned their password, to someone hacking into your computer from the other side of the world.”

Whether by compromised data, cracked passwords or phishing, real estate is a target. More and more, homebuyers and sellers—and the practitioners who serve them—are reporting theft via wire fraud, in which criminals access emails, learn of a pending transaction, and then message phony wiring instructions to victims. The funds, generally, are irretrievable once sent.

Bogus DocuSign emails, emails with illegitimate referrals and ransomware...

Click here for more information

______________________________________________________

Phishing Campaign Targets DocuSign Account Credentials

The NJCCIC has detected a phishing campaign impacting New Jersey residents and crafted to obtain DocuSign login credentials. DocuSign is a service used by organizations to share, distribute, and electronically sign important documents. Commonly used in real estate transactions, compromised DocuSign credentials could pose a significant risk to both personal and financial security. This campaign delivers unsolicited emails with an embedded URL that redirects users to a fraudulent DocuSign login page. As DocuSign requires an email address to log in, threat actors can easily expand the scope of their attack if a user shares the same password across multiple accounts. The NJCCIC strongly recommends never using links provided in unsolicited emails to visit websites requiring the input of account credentials. Users who receive unexpected or unsolicited email requests from known senders inviting them to click on a link or open an attachment should always verify the sender via another means of communication before taking any action. Enable multi-factor authentication on all accounts that offer it to prevent unauthorized access as a result of credential compromise.

 

Reprinted from the NJCCIC Bulletin
______________________________________________________

W-2 Business Email Compromise Scam Targeting New Jersey Organizations

The NJCCIC has received a report indicating that a New Jersey organization was recently targeted in a W-2 Business Email Compromise (BEC) scam. In this scam, a malicious actor poses as a known administrator or senior official within the organization and sends a targeted email to another employee – usually within the human resources or finance departments – and issues an urgent request for all of the organization’s W-2 information. If the employee obliges and sends the email containing the W-2 information, the malicious actor then uses that sensitive data to commit identity theft, tax return fraud, or generate profit by selling it on the black market. Perpetrators of W-2 scams may use a compromised employee email account or may spoof an employee email account using an external email provider to try and appear legitimate. The NJCCIC strongly recommends all organizations educate their employees on how to identify social engineering schemes to prevent them from taking action on these scams. We also recommend organizations have a clear policy and procedure in place to handle requests for sensitive information and financial transactions designed to thwart these types of scams. Make sure any requests for sensitive information or financial transactions require the authorization and approval of more than just the sender and recipient of the request. If an employee within your organization falls victim to a W-2 or other BEC scam, alert your local law enforcement immediately and please submit a report to the NJCCIC via the Cyber Incident Report form on our website.

Reprinted from the NJCCIC Bulletin

______________________________________________________

NJCCIC Announcement/Tax Identity Theft Awareness Week

Tax Identity Theft Awareness Week is a campaign run by the Federal Trade Commission (FTC) from January 29 to February 2 to spread awareness of tax-related identity theft and IRS imposter scams. The FTC, IRS, Department of Veterans Affairs, and others are hosting various events throughout the week to educate the public on these threats.

Tax identity theft remains one of the top scams listed on the IRS “Dirty Dozen” list and, although safeguards put in place by the agency in 2016 did reduce the number of fraudulent tax returns processed last year, large-scale data breaches that exposed hundreds of millions of Americans’ personal and financial information have drastically increased the risk that identity theft and tax fraud will occur in 2018. Tax return preparer fraud also remains a concern as dishonest preparers often surface this time of year to target unsuspecting victims and use their personal information to conduct tax refund fraud and identity theft.

Here are the best ways to avoid tax identity theft:

  • File your tax return as early as possible.
  • Use a secure internet connection to file electronically, or mail your tax return directly at the post office.
  • Never respond to emails, texts, or social media communications claiming to be from the IRS. The IRS will only contact you by mail. Report any suspicious or unsolicited emails claiming to be sent from the IRS to phishing@irs.gov.
  • Never provide personal information to anyone purporting to be an IRS representative who contacts you via an unsolicited telephone call. Instead, record the caller's name, badge number and a call back number. Hang up and then contact the IRS at 1-800-366-4484 to determine if the caller is an IRS employee with a legitimate need to contact you. Also, remember that the IRS will never call demanding immediate payment of taxes owed or a specific method of payment, such as a prepaid debit card, gift card, or wire transfer.
  • Monitor your credit report to verify there is no unauthorized activity.
  • Enroll in the IRS Identity Protection PIN (IP PIN) program to obtain a 6-digit PIN.

Organization payroll and human resources departments must remain vigilant in safeguarding employee tax records. Cybercriminals target HR and payroll departments using various social engineering schemes designed to trick them into believing upper management has made an urgent request for employee W-2 forms. Because these schemes are often very sophisticated and convincing, many targets act on the request quickly without taking additional steps to verify the source. Payroll and HR officials should be wary of any requests for employee W-2 forms or Social Security numbers and security procedures should be implemented that require the written approval of multiple people before a request for personal information is fulfilled. The following are additional IRS tips for protecting yourself against potential tax identity theft:

  • IR-2017-193: Online Security - Seven Steps for Safety
  • IR-2017-194: Don’t Take the Bait; Avoid Phishing Emails by Data Thieves
  • IR-2017-196: Victims of Data Breaches Should Consider These Steps
  • IR-2017-197: Employers, Payroll Officials, Avoid the W-2 Email Scam
  • IR-2017-198: Small Businesses: Be Alert to Identity Theft
  • IR-2017-211: Get Ready for Taxes: Choosing a Tax Return Preparer?
  • IR-2017-203: IRS Warns Taxpayers, Tax Pros of New Email Scam Targeting Hotmail Users

The NJCCIC encourages all members to visit the FTC’s Tax Identity Theft Awareness Week webpage to learn more about tax-related identity theft.

Please do not hesitate to contact the NJCCIC at njccic@cyber.nj.gov with any questions. Also, for more background on our recent cybersecurity efforts please visit cyber.nj.gov.

Reprinted from the NJCCIC Bulletin
______________________________________________________

Ransomware was most popular cyber crime tool in 2017

Detections of ransomware increased by more than 90% last year compared with 2016

ComputerWeekly.com
Warwick Ashford
January 25, 2018

Ransomware attacks on business increased by 90% in 2017, while attacks on consumers leapt by 93%, according to the latest annual state of malware report by security firm Malwarebytes.

The monthly rate of ransomware attacks was up to 10 times more than in 2016, with September 2017 having the largest volume of ransomware attacks against businesses ever documented.

In the UK, ransomware attacks peaked in May 2017. Overall attacks have increased at an unprecedented pace, with UK businesses and consumers...

Click here for more information

______________________________________________________

Previously Reported Zyklon Campaign Targets New Jersey Users

Last week, the NJCCIC reported on a malicious email campaign observed by FireEye researchers attempting to deliver the Zyklon malware variant to victims. The NJCCIC has detected a similar campaign in which the emails contain a Microsoft Word or Excel attachment with macros that, if enabled, download several malware variants, including Zyklon, FormBook, LokiBot, and a commercially-available keylogger known as AgentTesla. These variants are used to steal credentials and sensitive information, install additional malware, and add infected devices to a botnet that could conduct denial-of-service (DoS) attacks against other targets. The NJCCIC recommends users and administrators review the corresponding NJCCIC threat profiles on the aforementioned malware variants as well as the FireEye report for additional technical details on Zyklon, including associated Indicators of Compromise (IoCs). Users and administrators are advised to scan their networks for the Zyklon IoCs provided and, if you encounter an affected system, isolate it from the network immediately and thoroughly clean or reimage the system’s hard drive before recommissioning it.

Reprinted from the NJCCIC Bulletin

______________________________________________________

Google Drive Phishing Campaign

The NJCCIC has detected a phishing campaign targeting New Jersey email users and crafted to obtain various email account login credentials. This campaign attempts to convince recipients that they received a document stored on Google’s cloud storage service, Google Drive, and invites them to click an embedded link. If clicked, the link redirects the user to a file stored on Google Drive (Figure 1). This file includes the text, “You’ve received a secured doc via Microsoft office, click on the view pdf online below to access the document,” and features the Microsoft Office logo, a PDF icon, and a link embedded in the text “REVIEW DOCUMENT.” The embedded link leads to a phishing page designed to collect various account credentials including Google, Outlook, and Yahoo! (Figure 2). If any options are selected, a pop-up window appears, requesting the victim’s email address, phone number, and password to sign into their account (Figure 3). Any information entered into the fields will be transmitted to the hackers behind the campaign. The NJCCIC strongly recommends never using links provided in unsolicited emails to visit websites requiring the input of account credentials. Users who receive unexpected or unsolicited email requests from known senders inviting them to click on a link or open an attachment should always verify the sender via another means of communication before taking any action. We also recommend closely examining the URL field of your web browser before attempting to sign into any account to ensure you are visiting a legitimate website.

Reprinted from the NJCCIC Bulletin

______________________________________________________

Sounding the alarm: Mortgage wire fraud is a much bigger threat than you realize

If you think mortgage wire fraud is a problem only for vendors, think again

Fraud is one of those issues that we don’t like to think about in the mortgage industry.  Yet it always seems to be there, lingering on the fringe of our focus. From time to time, the topic bubbles up in the news or at a convention.  We talk about it a bit, giving it the proverbial “15 minutes of fame.” But rarely are we forced to drastically alter the way we do business or invest large amounts into protecting ourselves from it. Inevitably, it seems a vendor comes along with a new technology, and the fraud (or, at least, the coverage of it) goes away. Or our service providers tweak the way they operate.  At the very least, the issue always seems to go away to the extent that we can return our full attention to emerging markets, new loan products and sales strategies.

That’s about to change.

The latest mortgage fraud to affect the mortgage industry is being called wire fraud or down payment wire fraud. Each case tends to involve a combination of email hacking, identity fraud and wire fraud.  A scammer...

Click here for more information

January 23, 2018
Joseph Murin of Housingwire

______________________________________________________

AI may be a new weapon against spear phishing attacks 

by Asaf Cidon On Jan 22, 2018  

Cybercriminals are infamous for launching pervasive attacks, targeting a maximum number of people, victimizing anybody that takes the bait. Virtually everyone knows these attacks well, having received emails from an overseas banker or a widow of a wealthy oil tycoon offering a ridiculous amount of cash for something small in return from you. The creative examples of phishing attacks are endless, even health medications swearing to offer the fountain of youth or rejuvenating your love life for free in exchange for providing a credit card number.

There is a different form of cybercriminal that takes an “enterprise approach” to getting 

Click here for more information 

______________________________________________________

Three Steps to Preventing Wire Fraud

It’s your worst nightmare as a buyer: one minute, everything is a go for purchasing the house of your dreams and the next, the entire down payment is gone with little hope of getting it back. This nightmare, known as wire fraud, has happened across the country to buyers who have fallen prey to a phishing scam, resulting in losses of hundreds of millions of dollars with devastating results for those in the process of purchasing a home.

The way this scam works is that hackers target email and other accounts with messages relating to real estate activities, collecting the contacts and email addresses of those in the process of buying a property. The scammer then spoofs an email to the buyer, often pretending to be an agent, title company, etc., directing them on where to wire their down payment. For those unfortunate buyers...

Click here for more information

_______________________________________________________

Phishing Campaign Targets Online Banking Credentials

The NJCCIC has detected a recent uptick in phishing campaigns targeting online banking credentials of New Jersey residents. These campaigns distribute unsolicited emails that mimic official correspondence from a legitimate financial institution. Instead of links to legitimate online banking portals, these emails direct users to phishing websites that spoof the institution’s authentic site. If recipients enter their account’s login credentials into the phishing site, their personal information will be transmitted to the hackers behind the campaign and they will be redirected to the legitimate company’s login page. The NJCCIC strongly recommends never using links provided in unsolicited emails to visit websites requiring the input of account credentials. Users who receive unexpected or unsolicited email requests from known senders inviting them to click on a link or open an attachment should always verify the sender via another means of communication before taking any action. Enable multi-factor authentication on all accounts that offer it to prevent unauthorized access as a result of credential compromise.

Reprinted from the NJCCIC Bulletin

______________________________________________________

Microsoft Outlook Web Access and Amazon Credential Phishing Campaigns

The NJCCIC has detected two phishing campaigns impacting New Jersey residents crafted to obtain account login credentials for Microsoft Outlook Web Access (OWA) and Amazon accounts. These campaigns deliver unsolicited emails with an embedded URL that redirects users to a malicious phishing website designed to look like either the legitimate OWA or Amazon login page. Once a user enters their credentials into the phishing website, they are redirected to the legitimate website pages that prompt them to log in again. The NJCCIC strongly recommends never using links provided in unsolicited emails to visit websites requiring the input of account credentials. Users who receive unexpected or unsolicited email requests from known senders inviting them to click on a link or open an attachment should always verify the sender via another means of communication before taking any action. Enable multi-factor authentication on all accounts that offer it to prevent unauthorized access as a result of credential compromise.  

Reprinted from the NJCCIC Bulletin

______________________________________________________

IRS Scam Calls Combined with Swatting Tactics

The NJCCIC is warning members of a new IRS scam call campaign targeting New Jersey residents that employs swatting tactics. In this campaign, the caller pretends to be an IRS representative and tries to convince the victim that he or she owes tax money, demanding immediate payment via a prepaid debit or gift card. If the victim refuses to pay, the caller threatens to send the police to his or her home. If the victim ends the call without paying, the caller spoofs the victim’s phone number and uses it to contact law enforcement and make a false report of an ongoing emergency or threat of violence at the victim’s residence to prompt an immediate tactical law enforcement response. Although this type of threat cannot completely be prevented, the NJCCIC recommends recipients of these types of calls alert their local law enforcement immediately if a swatting threat is made against them. If law enforcement does arrive at your location as a result of a swatting call, it is important to remain calm and follow their orders, keeping your hands empty and visible, until the situation can be clarified. We never recommend paying the scammer to prevent a swatting incident as this will only serve to perpetuate the crime. To learn how to reduce the amount of scam calls you receive, please review the NJCCIC Cyber Blog titled Tired of Receiving Scam Calls? Don’t Just Sit There. Do Something About It.

Reprinted from the NJCCIC Bulletin

______________________________________________________

Netis/Netcore WiFi Router Exploit Campaigns

The NJCCIC has detected an uptick in credential exploit attempts targeting internet addresses throughout NJ in an effort to compromise vulnerable routers. The majority of this activity appears to be targeted at Netis/Netcore routers, which can be easily accessed by unauthorized users through the exploitation of a hard-coded credential vulnerability. Cybersecurity firms Fortinet and ESET both published reports in October of last year highlighting the risks posed by home router vulnerabilities. The NJCCIC recommends users change the default passwords to all internet-connected devices, including routers, patch and update the firmware if possible, and consider decommissioning the use of devices that have permanent, hard-coded vulnerabilities that cannot or will not be patched by the vendor or manufacturer.

Reprinted from the NJCCIC Bulletin

______________________________________________________

Malicious Email Campaigns Continue to Distribute Emotet

The NJCCIC continues to observe a heavy volume of emails attempting to deliver the Emotet banking trojan to unsuspecting victims. These emails, which often reference a nondescript invoice or overdue payment in the subject and body, contain a link that leads to a Microsoft Word document hosted on a remote server. If recipients open the document and enable the macros, a PowerShell script will run and install Emotet onto their systems. According to Proofpoint, Emotet has been observed loading Dridex, Qbot, Gootkit, and IcedID onto infected systems. According to Bromium, newer samples of Emotet appear to contain polymorphic features and are capable of evading signature-based detection. The NJCCIC strongly recommends educating end users about this and similar threats and reminding them never to click on links or open attachments delivered with unexpected or unsolicited emails. Additionally, if end users have received and taken action on these emails, isolate the affected systems from the network and perform a full system scan using a reputable anti-malware solution. If an Emotet infection is strongly suspected but your antivirus solution cannot detect or remove it, consider reimaging the affected system’s hard drive. Also, proactively monitor and change passwords to any financial, personal, or business accounts accessed on infected systems and enable multi-factor authentication where available.

Reprinted from the NJCCIC Bulletin

______________________________________________________

First-time homebuyer out more than $36,000 in spear phishing scam

Scammers spoofed email addresses of woman's realtor, loan officer

By Dillon Collier - Investigative Reporter, Sara Donchey - Anchor/Reporter

HOUSTON - (KSAT) -- A Texas woman lost more than $36,000 this fall after scammers used an elaborate email spoofing technique called 'spear phishing' to convince her to wire the down payment and closing costs for a home to a different bank account.

Jaime Leeper, a first-time homebuyer, discovered the criminal activity while doing the final walkthrough for a recently-purchased garden home.

 "I overheard them say 'Wells Fargo account' and I interjected and I said 'No, you told me to send it to Bank of America.' And they said 'No, it was Wells Fargo,'" Leeper said.

A closer inspection of emails leading...

______________________________________________________

San Antonio mom warns others after losing $25,000 in wire fraud scheme

SAN ANTONIO - Born one day apart, Jayna Gibbs and her husband fell in love and got married at 28. But this last summer her husband died suddenly and unexpectedly, leaving her and their two daughters distraught.

Family and friends gifted Gibbs $25,000 following her husband's death. She planned to use the money as a down payment on her new home.

"Losing him, my best friend, was hard anyway, and then people gave this money in his honor and memory...

______________________________________________________

Identity and Wire Fraud Are a Problem the Industry Cannot Ignore

Fraud is not a new topic for the mortgage industry. But our familiarity with it has, perhaps, dulled our vigilance when it comes to a massive new threat. Wire fraud—perhaps more accurately called identity fraud—has exploded recently, both in frequency and complexity. It is no understatement to say that we, as an industry, are woefully unprepared for it. Worst of all, many of us don’t even acknowledge wire fraud as a top concern. If this describes you or your business, please consider... 

Reprinted from MReport

______________________________________________________

Phishing Campaign Targets Office 365 Account Credentials

NJCCIC
December 14, 2017

The NJCCIC has been alerted to a phishing campaign attempting to steal Office 365 account credentials. Emails related to this attack may display subject lines including “Account Notification” or “Patch Alert” and contain a URL link or HTML attachment that redirects users to a fraudulent Office 365 login page. Once account credentials are entered into the phishing website, victims are redirected to an authentic Office 365 website with a message indicating that the initial login attempt was unsuccessful. The NJCCIC strongly recommends never using links provided in unsolicited emails to visit websites requiring the input of account credentials, particularly those for sensitive accounts such as corporate and personal email and online banking. Instead, visit the account’s associated website by typing the legitimate address directly into the URL field of your web browser.

Reprinted from the NJCCIC Bulletin

______________________________________________________

Vulnerability Alert 

Keylogger Found in HP Laptops

In the furtherance of public-private partnerships, this NJCCIC Cyber Alert is being provided in order to assist our members in guarding against network vulnerabilities and the actions of persistent malicious cyber criminals.

Overview
The NJCCIC has been alerted to a potential security vulnerability that exists within more than 460 models of HP laptops including the EliteBook, ProBook, Pavilion, and Envy models.

Threat
A security researcher recently published findings regarding his discovery of keylogging code embedded in the Synaptics touchpad driver that was preinstalled in over 460 models of HP laptops. Although the keylogger component is disabled by default, a local or remote attacker with administrative privileges could enable it to record any keystrokes performed on the affected device. In a security bulletin, HP stated that this vulnerability “impacts all Synaptics OEM partners.”

Reporting
The NJCCIC has not received any reports of threat actors attempting to exploit this vulnerability within New Jersey organizations or sectors; however, all affected HP laptop users should take action and apply the most recent HP patch immediately. If your organization experiences or suspects attacks attempting to exploit this vulnerability, please report the incident to the NJCCIC via the Cyber Incident Report form on our website.

Recommendations
Visit the HP Customer Report website to determine if your HP laptop is affected and, if so, update with the available corresponding patch immediately.

Please do not hesitate to contact the NJCCIC at njccic@cyber.nj.gov with any questions. Also, for more background on our recent cybersecurity efforts, please visit cyber.nj.gov.

_______________________________________________________

Ursnif Banking Trojan Detected in Malicious Email Campaign

NJCCIC
December 14, 2017

The NJCCIC has observed a malicious campaign attempting to deliver emails containing the Ursnif banking trojan to state email accounts. These emails are being distributed with malicious attachments that often include “request.doc” in the name. When the document is opened, an Office365 or Microsoft Word notice is displayed requesting the user to “Enable Content” to allow macros to run. If the user enables the malicious content, the Ursnif trojan will then download and install onto the user’s system via PowerShell. The NJCCIC strongly recommends educating end users about this and similar threats and reminding them never to click on links or open attachments delivered with unexpected or unsolicited emails. Additionally, if end users have received and taken action on these emails, isolate the affected systems from the network and perform a full system scan using a reputable anti-malware solution. Proactively monitor and change passwords to any financial, personal, or business accounts accessed on infected systems and enable multi-factor authentication where available.

Reprinted from the NJCCIC Bulletin
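
The Emotet and Ursnif bulletins above describe the same chain: a Word document whose macro launches PowerShell. The following is an added example, not part of the NJCCIC bulletins, showing how a defender could flag that chain in process-creation logs. It assumes events exported as JSON lines using Sysmon Event ID 1 field names; the sample events, GUIDs, paths and command lines are constructed.

```python
import json
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe"}


def image_name(path):
    """Lower-cased file name of a Windows path, on any host OS."""
    return ntpath.basename(path).lower()


def office_ancestry(event, by_guid):
    """Return the process chain from event up to an Office app, or None."""
    chain, seen = [image_name(event["Image"])], set()
    while event and event["ProcessGuid"] not in seen:
        seen.add(event["ProcessGuid"])
        parent = image_name(event["ParentImage"])
        chain.append(parent)
        if parent in OFFICE_APPS:
            return chain
        # Climb one level; stops when the parent's own event was not collected.
        event = by_guid.get(event["ParentProcessGuid"])
    return None


def find_macro_spawned_scripts(lines):
    """Flag script hosts that descend, directly or via cmd.exe, from Office."""
    events = [json.loads(line) for line in lines if line.strip()]
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for e in events:
        if image_name(e["Image"]) in SCRIPT_HOSTS:
            chain = office_ancestry(e, by_guid)
            if chain:
                hits.append({"guid": e["ProcessGuid"], "chain": chain,
                             "command_line": e["CommandLine"]})
    return hits


# Constructed process-creation events, one JSON object per line. Field names
# follow Sysmon Event ID 1; GUIDs, paths and command lines are invented.
SAMPLE_LINES = [
    r'{"ProcessGuid":"G1","ParentProcessGuid":"G0","Image":"C:\\Office\\WINWORD.EXE",'
    r'"ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"WINWORD.EXE invoice.doc"}',
    r'{"ProcessGuid":"G2","ParentProcessGuid":"G1","Image":"C:\\Windows\\System32\\cmd.exe",'
    r'"ParentImage":"C:\\Office\\WINWORD.EXE","CommandLine":"cmd.exe /c <placeholder>"}',
    r'{"ProcessGuid":"G3","ParentProcessGuid":"G2","Image":"C:\\Windows\\System32\\powershell.exe",'
    r'"ParentImage":"C:\\Windows\\System32\\cmd.exe",'
    r'"CommandLine":"powershell.exe -WindowStyle Hidden -EncodedCommand <placeholder>"}',
    r'{"ProcessGuid":"G4","ParentProcessGuid":"G0","Image":"C:\\Windows\\System32\\powershell.exe",'
    r'"ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"powershell.exe Get-Service"}',
]

if __name__ == "__main__":
    for hit in find_macro_spawned_scripts(SAMPLE_LINES):
        print(hit["guid"], " <- ".join(hit["chain"]), "|", hit["command_line"])
```

Walking the ancestry rather than checking only the direct parent catches the case where the macro starts PowerShell through an intermediate cmd.exe, while the administrator's interactive PowerShell session is left alone.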

______________________________________________________

Profit-Motivated Hackers Continue to Target Real Estate Transactions

NJCCIC
November 2, 2017
Threat Alert

The NJCCIC continues to receive reports from members involved in real estate transactions – including agents, lawyers, title agencies, and buyers – detailing incidents in which they were targets of profit-motivated hackers who attempted to defraud them out of thousands of dollars. These schemes are perpetrated in a couple of ways. In some instances, hackers target and gain access to the email accounts of real estate agents, title agency representatives, paralegals, or homebuyers through the use of compromised account credentials and use them to send convincing emails to targeted victims. In other cases, hackers impersonate a known real estate agent or title agent by spoofing their email addresses and sending financial requests associated with a specific transaction to homebuyers. The subject and body of these emails will often portray a sense of urgency in an attempt to have targets immediately wire money before they have an opportunity to fully review the email’s content and question its legitimacy. In addition to reports the NJCCIC has received, NJ.com recently reported a similar incident in which a compromised email account led to the loss of over $91,000. In most cases, these scams are relatively simple for the criminals to conduct, but the consequences can be devastating. The NJCCIC recommends homebuyers and real estate entities educate themselves and others on these malicious tactics and remain vigilant during and immediately after the closing process. We strongly recommend real estate businesses, including real estate attorneys and title agencies, implement new policies aimed at preventing fraudulent wire transfers and other scams. For example, forbid the sharing of wire transfer account information via email and instead utilize video chat applications, phone calls from trusted numbers, or in-person meetings. Additionally, buyers should never trust email as the sole source of instruction for wiring money related to these transactions and instead receive confirmation of these details in person or over the phone.

Reprinted from the NJCCIC Bulletin

_______________________________________________________

BEC: High-Dollar Wire Transfer Scams Extend to Private Citizens

NJCCIC
June 22, 2017
Threat Alert

According to multiple media reports, a New York Supreme Court Justice was defrauded of just over $1 million after responding to an email that was believed to have come from her real estate lawyer. The judge was in the process of selling her apartment and purchasing a new property in New York City when she received an email that purportedly requested funds as a part of those transactions; however, the email was spoofed and the funds were sent to a foreign bank account. While the largest losses from Business Email Compromise (BEC) scams have predominantly impacted businesses and government organizations, private citizens must be aware of, and remain vigilant against, various email threats intended to defraud them of funds, obtain their credentials to access online banking accounts, or elicit personal information used to commit identity theft. Organizations of all sizes and across industries must also implement guidelines and processes to prevent their employees from falling victim to these scams. Earlier this month, Southern Oregon University reportedly fell for a BEC scam and lost $1.9 million that was earmarked for a construction project. The NJCCIC recommends organizations and private citizens take extra precautions when conducting wire transfers to verify the authenticity of the requestor by first contacting them over the phone to confirm their account details, as well as conducting additional online research on their identity. It is advisable for organizations who regularly conduct wire transfers to implement a multi-step approval process that requires the review of two or three employees before transfers are initiated. Victims of BEC scams who proceed in transferring money to criminals should report that crime to their local law enforcement agency as soon as possible.

Reprinted from the NJCCIC Bulletin

______________________________________________________

Panda Banker Detected in Malicious Email Campaign

The NJCCIC has observed several email campaigns attempting to deliver the Panda Banker trojan to unsuspecting victims. These emails contain a link that leads to a Microsoft Word document named monthly_statement_411985.doc hosted on a remote server. If recipients open the document and enable macros to run, the Hancitor trojan will install onto their system which will then download and install Panda Banker. The NJCCIC strongly recommends educating end users about this and similar threats and reminding them never to click on links or open attachments delivered with unexpected or unsolicited emails. Additionally, if end users have received and taken action on these emails, isolate the affected systems from the network and perform a full system scan using a reputable anti-malware solution. Proactively monitor and change passwords to any financial, personal, or business accounts accessed on infected systems and enable multi-factor authentication where available.

Reprinted from the NJCCIC Bulletin

______________________________________________________

Fake Invoices Spread GlobeImposter Ransomware via Necurs Botnet

The NJCCIC has recently detected a malicious campaign attempting to deliver a high volume of emails containing the GlobeImposter ransomware variant to hundreds of state email accounts. This campaign is being distributed globally via the Necurs botnet, which was previously used to send Locky ransomware to New Jersey residents. The email subject line includes the word “Invoice” and random digits. Attached to the email is a malicious compressed .7z ZIP file that downloads and executes the GlobeImposter ransomware via VBScript. The NJCCIC strongly recommends educating end users about this and similar threats and reminding them never to click on links or open attachments delivered with unexpected or unsolicited emails. Additionally, if end users have received and taken action on these emails, isolate the affected systems from the network immediately to prevent the malware from spreading.

Reprinted from the NJCCIC Bulletin

______________________________________________________

Payroll Phishing Emails Target New Jersey Organizations 

The NJCCIC has received reports of a phishing campaign actively targeting employees of organizations that use ADP as their payroll service provider. This campaign sends emails that masquerade as official ADP notifications and attempt to lure recipients into clicking on an embedded link that leads to a phishing page. This phishing page is a malicious clone of the official ADP website and is designed to capture the login credentials of unsuspecting victims who believe they are logging into the legitimate site. The malicious actor or group behind the campaign then uses the stolen credentials to log into the legitimate ADP website and obtains the account holder’s sensitive information, such as his or her name, address, Social Security number, salary, bank account number, and tax return information. This data can then be used to commit identity theft, tax return fraud, and to reroute payroll funds to a bank account controlled by the actor. If the employee uses the same login credentials for other accounts, such as corporate email and network accounts, the malicious actor could use them to access and compromise the employee’s corporate network as well. The NJCCIC strongly recommends never using links provided in unsolicited emails to visit websites requiring the input of account credentials, particularly those for sensitive accounts such as corporate and personal email, payroll, and online banking. Instead, visit the account’s associated website by typing the legitimate address directly into the URL field of your web browser. If you receive an unexpected or unsolicited email request from a known sender inviting you to click on a link or open an attachment, always verify the sender via another means of communication before taking any action. Enable multi-factor authentication on all accounts that offer it to prevent unauthorized access as a result of credential compromise.

Reprinted from the NJCCIC Bulletin

______________________________________________________

Threat Actors Continue to Target Real Estate Transactions, Defrauding Many

As previously reported in our March 9 Bulletin, New Jersey residents and businesses involved in real estate transactions, including real estate brokers, attorneys, and title agents, are being targeted by profit-motivated cybercriminals using phishing and social engineering tactics to defraud homebuyers and agents. The NJCCIC has observed a steady increase in reported incidents involving these scams; one homebuyer was recently defrauded out of tens of thousands of dollars. Once a malicious actor has gained access to one party's email account and discovers an ongoing real estate transaction, they often wait for the most opportune time to send an email with fraudulent account details requesting wire transfers for deposits and closing costs. In other instances, threat actors simply create an email address and impersonate a known real estate or title agent. The subject and body of these emails will often portray a sense of urgency in an attempt to have targets immediately wire money before they have an opportunity to fully review the email’s content and question its legitimacy. Scams such as these are likely to increase again next year between April and August, as this is typically the most active time for real estate transactions and agents may be more likely to miss red flags in emails. Agents may also be held liable if a client loses money due to this type of scam. In 2016, a title company sued a California real estate broker for $513,000, claiming the agent failed to secure his email account, leading to a fraudulent wire transfer. The NJCCIC recommends homebuyers and real estate entities educate themselves on these malicious tactics and remain vigilant during and immediately after the closing process. We strongly recommend real estate businesses implement new policies aimed at preventing fraudulent wire transfers and other scams. For example, forbid the sharing of wire transfer account information via email and instead utilize video chat applications, phone calls from trusted numbers, or in-person meetings.

Reprinted from the NJCCIC Bulletin
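
The real estate bulletins above (November 2, 2017 and this one) describe three cases: an agent's address spoofed, a new address created in the agent's name, and a real mailbox taken over. The following added example, which is not NJCCIC code, reviews a raw email for the first two and shows why the third still needs a phone call. The contact book, term lists and sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical address book: names and addresses confirmed in person or by phone.
KNOWN_CONTACTS = {"dana reyes": "dana.reyes@harbor-title.example"}
PAYMENT_TERMS = ("wire", "routing number", "account number", "beneficiary")
URGENCY_TERMS = ("urgent", "immediately", "today", "asap", "right away")
IDENTITY_FLAGS = {"display-name-mismatch", "reply-to-differs", "sender-auth-failed"}


def body_text(msg):
    """Concatenate the text/plain parts of a message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return " ".join(chunks)


def review_message(raw, contacts=KNOWN_CONTACTS):
    """Return (findings, disposition) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    addr, reply_to = addr.lower(), reply_to.lower()
    findings = []
    # A known name on an unfamiliar address: look-alike domain or new mailbox.
    expected = contacts.get(name.strip().lower())
    if expected and addr != expected:
        findings.append("display-name-mismatch")
    # Replies are steered away from the visible sender.
    if reply_to and reply_to != addr:
        findings.append("reply-to-differs")
    # The receiving server recorded an SPF, DKIM or DMARC failure.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    if any(f"{m}=fail" in auth for m in ("spf", "dkim", "dmarc")):
        findings.append("sender-auth-failed")
    text = (msg.get("Subject", "") + " " + body_text(msg)).lower()
    payment = any(t in text for t in PAYMENT_TERMS)
    if payment:
        findings.append("payment-instructions")
        if any(t in text for t in URGENCY_TERMS):
            findings.append("urgency")
    # Header checks cannot see a hijacked real mailbox, so every payment
    # request is confirmed by phone; identity anomalies only raise severity.
    if payment and IDENTITY_FLAGS & set(findings):
        return findings, "likely-impersonation"
    return findings, "verify-by-phone" if payment else "no-payment-request"


# Constructed sample messages (not taken from any real incident).
LOOKALIKE = (
    "From: Dana Reyes <dana.reyes@harbor-titie.example>\n"
    "Subject: URGENT: updated wire instructions for closing\n"
    "Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass\n"
    "\n"
    "Please wire the closing funds today to the new account number below.\n"
)
HIJACKED = (
    "From: Dana Reyes <dana.reyes@harbor-title.example>\n"
    "Subject: Closing funds\n"
    "Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass\n"
    "\n"
    "Wire instructions: routing number and account number are below.\n"
)
```

`review_message(HIJACKED)` raises no identity flag because the mail really came from the agent's mailbox, which is why the bulletins' advice to confirm wiring details by phone or in person applies to every payment request, not only to the flagged ones.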

______________________________________________________