
CYBERSECURITY

 The NJLTA is pleased to present the latest news in cybersecurity.

______________________________________________________

Breach Notification

 Kromtech security researchers discovered an Amazon S3 bucket set for public access originally belonging to Bongo International, a company that was bought by FedEx in 2014. The exposed bucket contained drivers' licenses, national ID cards, work ID cards, voting cards, utility bills, resumes, vehicle registration forms, medical insurance cards, firearms licenses, US military identification cards, and credit cards that customers used to verify their identity with the FedEx division. Kromtech contacted ZDNet reporter, Zack Whittaker, who was able to get the bucket secured and removed from public access. The NJCCIC recommends administrators of Amazon S3 storage buckets review our previous NJCCIC Cyber Alert on the risks associated with misconfigured S3 buckets, audit their security settings, and implement the recommended mitigation strategies provided as soon as possible. Bongo International and FedEx customers whose information may have been exposed should closely monitor their financial banking statements and consider placing a security freeze on their credit files by contacting the three major credit bureaus.

 

Reprinted from the NJCCIC Bulletin

_______________________________________________________

Spam Campaign Delivers Password-Stealing Malware

Researchers with Trustwave recently detected an email spam campaign that delivers password-stealing malware to end users via a PowerShell script. The infection is a multi-stage process that begins when users open a .DOCX file which, in turn, downloads a remote rich text file (RTF) document that exploits the Microsoft Equation Editor tool (CVE-2017-11882). This malware targets email, FTP, and browser client credentials. Subject lines associated with this email campaign include “SWIFT COPY FOR BALANCE PAYMENT,” “Telex Transfer Notification,” “Request for Quotation (RFQ),” and “TNT STATEMENT OF ACCOUNT.” The NJCCIC recommends users and administrators keep their Windows OS and Microsoft Office software updated and scan their environments for the Indicators of Compromise (IoCs) provided in Trustwave’s report.

Reprinted from the NJCCIC Bulletin

_______________________________________________________

IRS Email Scam Distributes Rapid Ransomware

Emails masquerading as official correspondence from the Internal Revenue Service (IRS) are attempting to deliver a new variant of Rapid Ransomware to unsuspecting victims. According to My Online Security, emails associated with this campaign have subject lines such as “Please Note - IRS Urgent Message-164” and notify users in the body of the email that they are overdue on their real estate taxes by several months. Recipients are instructed to review a comprehensive report contained within an attached ZIP file, labeled Notification-[number].zip. Instead of containing the report, the ZIP file contains a Word document with embedded malicious macros. If these macros are enabled, they will download Rapid Ransomware on to the system. This variant appends .rapid to the names of encrypted files and opens several ransom notes in Notepad labeled recovery.txt. The NJCCIC strongly recommends users avoid enabling macros unless they are aware of a specific reason why a document requires macros to run, and avoid clicking on links or opening attachments delivered with unexpected or unsolicited emails.

Reprinted from the NJCCIC Bulletin

 

______________________________________________________

Threat Alerts

Internet Crime Complaint Center Impersonation Campaign

The FBI has released an alert warning citizens of a scam campaign impersonating the Internet Crime Complaint Center (IC3), a website operated by the FBI Cyber Division that allows individuals to submit cybercrime-related tips and information. The agency became aware of the campaign after receiving a number of complaints from victims who received emails masquerading as legitimate IC3 communications. These emails claimed that recipients were due restitution as a result of having been a victim of cybercrime and offered to pay them in exchange for additional personal information. The FBI has also identified at least one fraudulent IC3 social media page that may be associated with this campaign. The NJCCIC recommends reviewing FBI Alert I-020118-PSA and maintaining awareness of this and similar scams. To submit a tip or complaint to the IC3, we recommend visiting the FBI’s IC3 website directly at www.ic3.gov and refraining from submitting personal information via email or social media platforms.

Reprinted from the NJCCIC Bulletin

_______________________________________________________

Emotet Campaign Uses Invoice-Themed Emails to Target New Jersey Employees

The NJCCIC has detected an increase in emails attempting to deliver the Emotet banking trojan to unsuspecting New Jersey victims. Additionally, the NJCCIC has received reports from members who have also been targeted with Emotet, indicating the campaigns’ pervasiveness. These emails often reference a nondescript invoice or overdue payment in the subject and body, and contain a link that leads to a Microsoft Word document hosted on a remote server. If recipients open the document and enable the macros, a PowerShell script will run and install Emotet onto their systems. According to Proofpoint, Emotet has been observed loading Dridex, Qbot, Gootkit, and IcedID onto infected systems. The NJCCIC strongly recommends educating end users about this and similar threats and reminding them never to click on links or open attachments delivered with unexpected or unsolicited emails. Additionally, if end users have received and taken action on these emails, isolate the affected systems from the network and perform a full system scan using a reputable anti-malware solution. If an Emotet infection is strongly suspected but your antivirus solution cannot detect or remove it, consider reimaging the affected system’s hard drive. Also, proactively monitor and change passwords to any financial, personal, or business accounts accessed on infected systems and enable multi-factor authentication where available.

Reprinted from the NJCCIC Bulletin

______________________________________________________

Spam Campaigns Distributing Malicious Links Hidden Behind URL Shorteners

The NJCCIC has detected several spam email campaigns over the past week using popular URL shortening services to embed malicious links within the body of the emails. If clicked, these shortened URLs redirect the user to phishing sites designed to steal login credentials and to websites used to conduct click-fraud. Common URL shorteners used in these campaigns include tiny.cc, bit.ly, ow.ly, goo.gl, and t.co. Although there are legitimate uses for URL shortening services, particularly on websites that impose character limitations on content generated by their users, the NJCCIC strongly recommends users refrain from clicking on links obscured by URL shorteners as the true destination of the embedded link is not revealed until after the user has been redirected to the landing page. This potentially exposes users to compromised websites that contain malware or phishing sites designed to steal account credentials and other sensitive information. If users must click on links obscured by URL shorteners, we recommend using an online URL expanding service to verify the destination of the link.

Reprinted from the NJCCIC Bulletin
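
For mail administrators, the shortener check described in the item above can be run on a message before anyone clicks. The following Python sketch is an added example, not part of the NJCCIC bulletin: it flags links whose host is one of the five services the bulletin names and notes when the visible link text shows a different destination. The sample message and all function names are constructed for illustration, and only http(s) links are examined.

```python
"""Flag links in an email that hide their destination behind a URL shortener."""
import re
from email import message_from_string
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Shortening services named in the bulletin above.
SHORTENER_HOSTS = {"tiny.cc", "bit.ly", "ow.ly", "goo.gl", "t.co"}
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname only: no port, no userinfo, no leading 'www.'."""
    try:
        host = urlsplit(url.strip()).hostname or ""
    except ValueError:  # malformed authority, e.g. an unclosed IPv6 bracket
        return ""
    host = host.rstrip(".").lower()
    return host[4:] if host.startswith("www.") else host


def is_shortened(url):
    # Exact host match, so look-alikes such as t.co.example.net are not flagged.
    return _host(url) in SHORTENER_HOSTS


def _finding(href, text, part):
    shown_host = _host(text) if URL_RE.match(text) else ""
    return {
        "url": href,
        "shown_as": text,
        "part": part,
        # True when the visible text is itself a URL pointing somewhere else.
        "mismatch": bool(shown_host) and shown_host != _host(href),
    }


def scan_email(raw):
    """Return one finding per shortened link in a raw RFC 5322 message."""
    findings = []
    for part in message_from_string(raw).walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        payload = part.get_payload(decode=True) or b""
        try:
            body = payload.decode(part.get_content_charset() or "utf-8", "replace")
        except LookupError:  # unknown charset label
            body = payload.decode("utf-8", "replace")
        if ctype == "text/html":
            collector = _AnchorCollector()
            collector.feed(body)
            pairs = collector.links
        else:
            urls = (u.rstrip(".,;:!?") for u in URL_RE.findall(body))
            pairs = [(u, u) for u in urls]
        findings += [_finding(h, t, ctype) for h, t in pairs if is_shortened(h)]
    return findings


def build_sample():
    """Constructed sample message; every address and link here is made up."""
    msg = EmailMessage()
    msg["Subject"] = "Invoice overdue"
    msg["From"] = "billing@example.com"
    msg["To"] = "user@example.org"
    msg.set_content(
        "Your invoice is overdue. Review it: http://bit.ly/constructed1.\n"
        "Our site: https://www.example.com/billing\n"
        "Look-alike host: http://t.co.example.net/x\n"
    )
    msg.add_alternative(
        '<p>Sign in at\n<a href="https://ow.ly/constructed2">'
        "https://portal.example.com/login</a></p>\n"
        '<p><a href="https://example.com/help">Help</a></p>\n',
        subtype="html",
    )
    return str(msg)


if __name__ == "__main__":
    for f in scan_email(build_sample()):
        print(f)
```

A flagged link still has to be expanded, as the bulletin recommends, before its destination can be judged; the mismatch flag only marks messages where the visible text already claims a different site.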

______________________________________________________

5 Skills Cybersecurity Pros Will Need in 2018 


Cybercrime has never been so common and it’s now easier than ever for criminals to launch attacks. As a result of easy-to-use hacking tools, novices without programming experience can perform potentially devastating hacks.

In response to the growing demand for cybersecurity and to protect against increasingly complex attacks, security skills are in high demand. According to data from the Bureau of Labor Statistics, cybersecurity professionals earn an average salary of $116,000—nearly three times the national average.

In response to the rapidly evolving cybersecurity landscape, professionals must keep their skills sharp. These are 5 skills that cybersecurity professionals should consider investing in for 2018.

1. Cloud Security

Cloud computing has transformed the way organizations... 

Click here for more information

______________________________________________________

Avoiding Fraud: Key Practices in Real Estate

 By Suzanne De Vita
RISMedia

Did you know it can take cyber criminals one day to decipher an eight-character password? Did you know it can take them 591 days to figure out a 10-character one?

“It is a crime for anyone to exceed their authorized access to a computer or computer network or system,” explained Martin Hellmer, a supervisory special agent for the FBI, in a recent Realty Executives webinar on wire fraud. “It can be as simple as someone gaining access to someone’s email account because they’ve learned their password, to someone hacking into your computer from the other side of the world.”

Whether by compromised data, cracked passwords or phishing, real estate is a target. More and more, homebuyers and sellers—and the practitioners who serve them—are reporting theft via wire fraud, in which criminals access emails, learn of a pending transaction, and then message phony wiring instructions to victims. The funds, generally, are irretrievable once sent.

Bogus DocuSign emails, emails with illegitimate referrals and ransomware...

Click here for more information

 ______________________________________________________

Phishing Campaign Targets DocuSign Account Credentials

The NJCCIC has detected a phishing campaign impacting New Jersey residents and crafted to obtain DocuSign login credentials. DocuSign is a service used by organizations to share, distribute, and electronically sign important documents. Commonly used in real estate transactions, compromised DocuSign credentials could pose a significant risk to both personal and financial security. This campaign delivers unsolicited emails with an embedded URL that redirects users to a fraudulent DocuSign login page. As DocuSign requires an email address to log in, threat actors can easily expand the scope of their attack if a user shares the same password across multiple accounts. The NJCCIC strongly recommends never using links provided in unsolicited emails to visit websites requiring the input of account credentials. Users who receive unexpected or unsolicited email requests from known senders inviting them to click on a link or open an attachment should always verify the sender via another means of communication before taking any action. Enable multi-factor authentication on all accounts that offer it to prevent unauthorized access as a result of credential compromise.

 

Reprinted from the NJCCIC Bulletin
______________________________________________________

W-2 Business Email Compromise Scam Targeting New Jersey Organizations

The NJCCIC has received a report indicating that a New Jersey organization was recently targeted in a W-2 Business Email Compromise (BEC) scam. In this scam, a malicious actor poses as a known administrator or senior official within the organization and sends a targeted email to another employee – usually within the human resources or finance departments – and issues an urgent request for all of the organization’s W-2 information. If the employee obliges and sends the email containing the W-2 information, the malicious actor then uses that sensitive data to commit identity theft, tax return fraud, or generate profit by selling it on the black market. Perpetrators of W-2 scams may use a compromised employee email account or may spoof an employee email account using an external email provider to try and appear legitimate. The NJCCIC strongly recommends all organizations educate their employees on how to identify social engineering schemes to prevent them from taking action on these scams. We also recommend organizations have a clear policy and procedure in place to handle requests for sensitive information and financial transactions designed to thwart these types of scams. Make sure any requests for sensitive information or financial transactions require the authorization and approval of more than just the sender and recipient of the request. If an employee within your organization falls victim to a W-2 or other BEC scam, alert your local law enforcement immediately and please submit a report to the NJCCIC via the Cyber Incident Report form on our website.

Reprinted from the NJCCIC Bulletin

______________________________________________________

NJCCIC Announcement/Tax Identity Theft Awareness Week

Tax Identity Theft Awareness Week is a campaign run by the Federal Trade Commission (FTC) from January 29 to February 2 to spread awareness of tax-related identity theft and IRS imposter scams. The FTC, IRS, Department of Veteran Affairs, and others are hosting various events throughout the week to educate the public on these threats.

Tax identity theft remains one of the top scams listed on the IRS “Dirty Dozen” list and, although safeguards put in place by the agency in 2016 did reduce the number of fraudulent tax returns processed last year, large-scale data breaches that exposed hundreds of millions of Americans’ personal and financial information have drastically increased the risk that identity theft and tax fraud will occur in 2018. Tax return preparer fraud also remains a concern as dishonest preparers often surface this time of year to target unsuspecting victims and use their personal information to conduct tax refund fraud and identity theft.

Here are the best ways to avoid tax identity theft:

  • File your tax return as early as possible.
  • Use a secure internet connection to file electronically, or mail your tax return directly at the post office.
  • Never respond to emails, texts, or social media communications claiming to be from the IRS. The IRS will only contact you by mail. Report any suspicious or unsolicited emails claiming to be sent from the IRS to phishing@irs.gov.
  • Never provide personal information to anyone purporting to be an IRS representative who contacts you via an unsolicited telephone call. Instead, record the caller's name, badge number and a call back number. Hang up and then contact the IRS at 1-800-366-4484 to determine if the caller is an IRS employee with a legitimate need to contact you. Also, remember that the IRS will never call demanding immediate payment of taxes owed or a specific method of payment, such as a prepaid debit card, gift card, or wire transfer.
  • Monitor your credit report to verify there is no unauthorized activity.
  • Enroll in the IRS Identity Protection Pin (IP PIN) program to obtain a 6-digit pin.

Organization payroll and human resources departments must remain vigilant in safeguarding employee tax records. Cybercriminals target HR and payroll departments using various social engineering schemes designed to trick them into believing upper management has made an urgent request for employee W-2 forms. Because these schemes are often very sophisticated and convincing, many targets act on the request quickly without taking additional steps to verify the source. Payroll and HR officials should be wary of any requests for employee W-2 forms or Social Security numbers and security procedures should be implemented that require the written approval of multiple people before a request for personal information is fulfilled. The following are additional IRS tips for protecting yourself against potential tax identity theft:

  • IR-2017-193: Online Security - Seven Steps for Safety
  • IR-2017-194: Don’t Take the Bait; Avoid Phishing Emails by Data Thieves
  • IR-2017-196: Victims of Data Breaches Should Consider These Steps
  • IR-2017-197: Employers, Payroll Officials, Avoid the W-2 Email Scam
  • IR-2017-198: Small Businesses: Be Alert to Identity Theft
  • IR-2017-211: Get Ready for Taxes: Choosing a Tax Return Preparer?
  • IR-2017-203: IRS Warns Taxpayers, Tax Pros of New Email Scam Targeting Hotmail Users

The NJCCIC encourages all members to visit the FTC’s Tax Identity Theft Awareness Week webpage to learn more about tax-related identity theft.

Please do not hesitate to contact the NJCCIC at njccic@cyber.nj.gov with any questions. Also, for more background on our recent cybersecurity efforts please visit cyber.nj.gov.

Reprinted from the NJCCIC Bulletin
______________________________________________________

Ransomware was most popular cyber crime tool in 2017

Detections of ransomware increased by more than 90% last year compared with 2016

ComputerWeekly.com
Warwick Ashford
January 25, 2018

Ransomware attacks on business increased by 90% in 2017, while attacks on consumers leapt by 93%, according to the latest annual state of malware report by security firm Malwarebytes.

The monthly rate of ransomware attacks was up to 10 times more than in 2016, with September 2017 having the largest volume of ransomware attacks against businesses ever documented.

In the UK, ransomware attacks peaked in May 2017. Overall attacks have increased at an unprecedented pace, with UK businesses and consumers...

Click here for more information

______________________________________________________

Previously Reported Zyklon Campaign Targets New Jersey Users

Last week, the NJCCIC reported on a malicious email campaign observed by FireEye researchers attempting to deliver the Zyklon malware variant to victims. The NJCCIC has detected a similar campaign in which the emails contain a Microsoft Word or Excel attachment with macros that, if enabled, download several malware variants, including Zyklon, FormBook, LokiBot, and a commercially-available keylogger known as AgentTesla. These variants are used to steal credentials and sensitive information, install additional malware, and add infected devices to a botnet that could conduct denial-of-service (DoS) attacks against other targets. The NJCCIC recommends users and administrators review the corresponding NJCCIC threat profiles on the aforementioned malware variants as well as the FireEye report for additional technical details on Zyklon, including associated Indicators of Compromise (IoCs). Users and administrators are advised to scan their networks for the Zyklon IoCs provided and, if you encounter an affected system, isolate it from the network immediately and thoroughly clean or reimage the system’s hard drive before recommissioning it.

Reprinted from the NJCCIC Bulletin

______________________________________________________

Google Drive Phishing Campaign

The NJCCIC has detected a phishing campaign targeting New Jersey email users and crafted to obtain various email account login credentials. This campaign attempts to convince recipients that they received a document stored on Google’s cloud storage service, Google Drive, and invites them to click an embedded link. If clicked, the link redirects the user to a file stored on Google Drive (Figure 1). This file includes the text, “You’ve received a secured doc via Microsoft office, click on the view pdf online below to access the document,” and features the Microsoft Office logo, a PDF icon, and a link embedded in the text “REVIEW DOCUMENT.” The embedded link leads to a phishing page designed to collect various account credentials including Google, Outlook, and Yahoo! (Figure 2). If any options are selected, a pop-up window appears, requesting the victim’s email address, phone number, and password to sign into their account (Figure 3). Any information entered into the fields will be transmitted to the hackers behind the campaign. The NJCCIC strongly recommends never using links provided in unsolicited emails to visit websites requiring the input of account credentials. Users who receive unexpected or unsolicited email requests from known senders inviting them to click on a link or open an attachment should always verify the sender via another means of communication before taking any action. We also recommend closely examining the URL field of your web browser before attempting to sign into any account to ensure you are visiting a legitimate website.

Reprinted from the NJCCIC Bulletin

______________________________________________________

Sounding the alarm: Mortgage wire fraud is a much bigger threat than you realize

If you think mortgage wire fraud is a problem only for vendors, think again

Fraud is one of those issues that we don’t like to think about in the mortgage industry.  Yet it always seems to be there, lingering on the fringe of our focus. From time to time, the topic bubbles up in the news or at a convention.  We talk about it a bit, giving it the proverbial “15 minutes of fame.” But rarely are we forced to drastically alter the way we do business or invest large amounts into protecting ourselves from it. Inevitably, it seems a vendor comes along with a new technology, and the fraud (or, at least, the coverage of it) goes away. Or our service providers tweak the way they operate.  At the very least, the issue always seems to go away to the extent that we can return our full attention to emerging markets, new loan products and sales strategies.

That’s about to change.

The latest mortgage fraud to affect the mortgage industry is being called wire fraud or down payment wire fraud. Each case tends to involve a combination of email hacking, identity fraud and wire fraud.  A scammer...

Click here for more information

January 23, 2018
Joseph Murin of Housingwire

______________________________________________________

AI may be a new weapon against spear phishing attacks 

by Asaf Cidon On Jan 22, 2018  

Cybercriminals are infamous for launching pervasive attacks, targeting a maximum number of people, victimizing anybody that takes the bait. Virtually everyone knows these attacks well, having received emails from an overseas banker or a widow of a wealthy oil tycoon offering a ridiculous amount of cash for something small in return from you. The creative examples of phishing attacks are endless, even health medications swearing to offer the fountain of youth or rejuvenating your love life for free in exchange for providing a credit card number.

There is a different form of cybercriminal that takes an “enterprise approach” to getting 

Click here for more information 

______________________________________________________

Three Steps to Preventing Wire Fraud

It’s your worst nightmare as a buyer: one minute, everything is a go for purchasing the house of your dreams and the next, the entire down payment is gone with little hope of getting it back. This nightmare, known as wire fraud, has happened across the country to buyers who have fallen prey to a phishing scam, resulting in losses of hundreds of millions of dollars with devastating results for those in the process of purchasing a home.

The way this scam works is that hackers target email and other accounts with messages relating to real estate activities, collecting the contacts and email addresses of those in the process of buying a property. The scammer then spoofs an email to the buyer, often pretending to be an agent, title company, etc., directing them on where to wire their down payment. For those unfortunate buyers...

Click here for more information

_______________________________________________________

Phishing Campaign Targets Online Banking Credentials

The NJCCIC has detected a recent uptick in phishing campaigns targeting online banking credentials of New Jersey residents. These campaigns distribute unsolicited emails that mimic official correspondence from a legitimate financial institution. Instead of links to legitimate online banking portals, these emails direct users to phishing websites that spoof the institution’s authentic site. If recipients enter their account’s login credentials into the phishing site, their personal information will be transmitted to the hackers behind the campaign and they will be redirected to the legitimate company’s login page. The NJCCIC strongly recommends never using links provided in unsolicited emails to visit websites requiring the input of account credentials. Users who receive unexpected or unsolicited email requests from known senders inviting them to click on a link or open an attachment should always verify the sender via another means of communication before taking any action. Enable multi-factor authentication on all accounts that offer it to prevent unauthorized access as a result of credential compromise.

Reprinted from the NJCCIC Bulletin

______________________________________________________

Microsoft Outlook Web Access and Amazon Credential Phishing Campaigns

The NJCCIC has detected two phishing campaigns impacting New Jersey residents crafted to obtain account login credentials for Microsoft Outlook Web Access (OWA) and Amazon accounts. These campaigns deliver unsolicited emails with an embedded URL that redirects users to a malicious phishing website designed to look like either the legitimate OWA or Amazon login page. Once a user enters their credentials into the phishing website, they are redirected to the legitimate website pages that prompt them to log in again. The NJCCIC strongly recommends never using links provided in unsolicited emails to visit websites requiring the input of account credentials. Users who receive unexpected or unsolicited email requests from known senders inviting them to click on a link or open an attachment should always verify the sender via another means of communication before taking any action. Enable multi-factor authentication on all accounts that offer it to prevent unauthorized access as a result of credential compromise.  

Reprinted from the NJCCIC Bulletin

______________________________________________________

IRS Scam Calls Combined with Swatting Tactics

The NJCCIC is warning members of a new IRS scam call campaign targeting New Jersey residents that employs swatting tactics. In this campaign, the caller pretends to be an IRS representative and tries to convince the victim that he or she owes tax money, demanding immediate payment via a prepaid debit or gift card. If the victim refuses to pay, the caller threatens to send the police to his or her home. If the victim ends the call without paying, the caller spoofs the victim’s phone number and uses it to contact law enforcement and make a false report of an ongoing emergency or threat of violence at the victim’s residence to prompt an immediate tactical law enforcement response. Although this type of threat cannot be completely prevented, the NJCCIC recommends recipients of these types of calls alert their local law enforcement immediately if a swatting threat is made against them. If law enforcement does arrive at your location as a result of a swatting call, it is important to remain calm and follow their orders, keeping your hands empty and visible, until the situation can be clarified. We never recommend paying the scammer to prevent a swatting incident as this will only serve to perpetuate the crime. To learn how to reduce the number of scam calls you receive, please review the NJCCIC Cyber Blog titled Tired of Receiving Scam Calls? Don’t Just Sit There. Do Something About It.

Reprinted from the NJCCIC Bulletin

______________________________________________________

Netis/Netcore WiFi Router Exploit Campaigns

The NJCCIC has detected an uptick in credential exploit attempts targeting internet addresses throughout NJ in an effort to compromise vulnerable routers. The majority of this activity appears to be targeted at Netis/Netcore routers, which can be easily accessed by unauthorized users through the exploitation of a hard-coded credential vulnerability. Cybersecurity firms Fortinet and ESET both published reports in October of last year highlighting the risks posed by home router vulnerabilities. The NJCCIC recommends users change the default passwords to all internet-connected devices, including routers, patch and update the firmware if possible, and consider decommissioning the use of devices that have permanent, hard-coded vulnerabilities that cannot or will not be patched by the vendor or manufacturer.

Reprinted from the NJCCIC Bulletin

______________________________________________________

Malicious Email Campaigns Continue to Distribute Emotet

The NJCCIC continues to observe a heavy volume of emails attempting to deliver the Emotet banking trojan to unsuspecting victims. These emails, which often reference a nondescript invoice or overdue payment in the subject and body, contain a link that leads to a Microsoft Word document hosted on a remote server. If recipients open the document and enable the macros, a PowerShell script will run and install Emotet onto their systems. According to Proofpoint, Emotet has been observed loading Dridex, Qbot, Gootkit, and IcedID onto infected systems. According to Bromium, newer samples of Emotet appear to contain polymorphic features and are capable of evading signature-based detection. The NJCCIC strongly recommends educating end users about this and similar threats and reminding them never to click on links or open attachments delivered with unexpected or unsolicited emails. Additionally, if end users have received and taken action on these emails, isolate the affected systems from the network and perform a full system scan using a reputable anti-malware solution. If an Emotet infection is strongly suspected but your antivirus solution cannot detect or remove it, consider reimaging the affected system’s hard drive. Also, proactively monitor and change passwords to any financial, personal, or business accounts accessed on infected systems and enable multi-factor authentication where available.

Reprinted from the NJCCIC Bulletin

______________________________________________________

First-time homebuyer out more than $36,000 in spear phishing scam

Scammers spoofed email addresses of woman's realtor, loan officer

By Dillon Collier - Investigative Reporter , Sara Donchey - Anchor/Reporter 

HOUSTON - (KSAT) -- A Texas woman lost more than $36,000 this fall after scammers used an elaborate email spoofing technique called 'spear phishing' to convince her to wire the down payment and closing costs for a home to a different bank account.

Jaime Leeper, a first-time homebuyer, discovered the criminal activity while doing the final walkthrough for a recently-purchased garden home.

"I overheard them say 'Wells Fargo account' and I interjected and I said 'No, you told me to send it to Bank of America.' And they said 'No, it was Wells Fargo,'" Leeper said.

A closer inspection of emails leading...

______________________________________________________

San Antonio mom warns others after losing $25,000 in wire fraud scheme

SAN ANTONIO - Born one day apart, Jayna Gibbs and her husband fell in love and got married at 28. But this last summer her husband died suddenly and unexpectedly, leaving her and their two daughters distraught.

Family and friends gifted Gibbs $25,000 following her husband's death. She planned to use the money as a down payment on her new home.

"Losing him, my best friend, was hard anyway, and then people gave this money in his honor and memory...

______________________________________________________

Identity and Wire Fraud Are a Problem the Industry Cannot Ignore

Fraud is not a new topic for the mortgage industry. But our familiarity with it has, perhaps, dulled our vigilance when it comes to a massive new threat. Wire fraud—perhaps more accurately called identity fraud—has exploded recently, both in frequency and complexity. It is no understatement to say that we, as an industry, are woefully unprepared for it. Worst of all, many of us don’t even acknowledge wire fraud as a top concern. If this describes you or your business, please consider... 

Reprinted from MReport

______________________________________________________

Phishing Campaign Targets Office 365 Account Credentials

NJCCIC
December 14, 2017

The NJCCIC has been alerted to a phishing campaign attempting to steal Office 365 account credentials. Emails related to this attack may display subject lines including “Account Notification” or “Patch Alert” and contain a URL link or HTML attachment that redirects users to a fraudulent Office 365 login page. Once account credentials are entered into the phishing website, victims are redirected to an authentic Office 365 website with a message indicating that the initial login attempt was unsuccessful. The NJCCIC strongly recommends never using links provided in unsolicited emails to visit websites requiring the input of account credentials, particularly those for sensitive accounts such as corporate and personal email and online banking. Instead, visit the account’s associated website by typing the legitimate address directly into the URL field of your web browser.

Reprinted from the NJCCIC Bulletin

______________________________________________________

Vulnerability Alert 

Keylogger Found in HP Laptops

In the furtherance of public-private partnerships, this NJCCIC Cyber Alert is being provided in order to assist our members in guarding against network vulnerabilities and the actions of persistent malicious cyber criminals.

Overview
The NJCCIC has been alerted to a potential security vulnerability that exists within more than 460 models of HP laptops including the EliteBook, ProBook, Pavilion, and Envy models.

Threat
A security researcher recently published findings regarding his discovery of keylogging code embedded in the Synaptics touchpad driver that was preinstalled in over 460 models of HP laptops. Although the keylogger component is disabled by default, a local or remote attacker with administrative privileges could enable it to record any keystrokes performed on the affected device. In a security bulletin, HP stated that this vulnerability “impacts all Synaptics OEM partners.”

For more information on this vulnerability, please refer to the following open source articles:

Reporting
The NJCCIC has not received any reports of threat actors attempting to exploit this vulnerability within New Jersey organizations or sectors; however, all affected HP laptop users should take action and apply the most recent HP patch immediately. If your organization experiences or suspects attacks attempting to exploit this vulnerability, please report the incident to the NJCCIC via the Cyber Incident Report form on our website.

Recommendations
Visit the HP Customer Report website to determine if your HP laptop is affected and, if so, update with the available corresponding patch immediately.

 

Please do not hesitate to contact the NJCCIC at njccic@cyber.nj.gov with any questions. Also, for more background on our recent cybersecurity efforts, please visit cyber.nj.gov.

_______________________________________________________

Ursnif Banking Trojan Detected in Malicious Email Campaign

NJCCIC
December 14, 2017

The NJCCIC has observed a malicious campaign attempting to deliver emails containing the Ursnif banking trojan to state email accounts. These emails are being distributed with malicious attachments that often include “request.doc” in the name. When the document is opened, an Office365 or Microsoft Word notice is displayed requesting the user to “Enable Content” to allow macros to run. If the user enables the malicious content, the Ursnif trojan will then download and install onto the user’s system via PowerShell. The NJCCIC strongly recommends educating end users about this and similar threats and reminding them never to click on links or open attachments delivered with unexpected or unsolicited emails. Additionally, if end users have received and taken action on these emails, isolate the affected systems from the network and perform a full system scan using a reputable anti-malware solution. Proactively monitor and change passwords to any financial, personal, or business accounts accessed on infected systems and enable multi-factor authentication where available.

Reprinted from the NJCCIC Bulletin

______________________________________________________

Profit-Motivated Hackers Continue to Target Real Estate Transactions

NJCCIC
November 2, 2017
Threat Alert

The NJCCIC continues to receive reports from members involved in real estate transactions – including agents, lawyers, title agencies, and buyers – detailing incidents in which they were targets of profit-motivated hackers who attempted to defraud them out of thousands of dollars. These schemes are perpetrated in a couple of ways. In some instances, hackers target and gain access to the email accounts of real estate agents, title agency representatives, paralegals, or homebuyers through the use of compromised account credentials and use them to send convincing emails to targeted victims. In other cases, hackers impersonate a known real estate agent or title agent by spoofing their email addresses and sending financial requests associated with a specific transaction to homebuyers. The subject and body of these emails will often portray a sense of urgency in an attempt to have targets immediately wire money before they have an opportunity to fully review the email’s content and question its legitimacy. In addition to reports the NJCCIC has received, NJ.com recently reported a similar incident in which a compromised email account led to the loss of over $91,000. In most cases, these scams are relatively simple for the criminals to conduct, but the consequences can be devastating. The NJCCIC recommends homebuyers and real estate entities educate themselves and others on these malicious tactics and remain vigilant during and immediately after the closing process. We strongly recommend real estate businesses, including real estate attorneys and title agencies, implement new policies aimed at preventing fraudulent wire transfers and other scams. For example, forbid the sharing of wire transfer account information via email and instead utilize video chat applications, phone calls from trusted numbers, or in-person meetings. Additionally, buyers should never trust email as the sole source of instruction for wiring money related to these transactions and instead receive confirmation of these details in person or over the phone.

Reprinted from the NJCCIC Bulletin

_______________________________________________________

BEC: High-Dollar Wire Transfer Scams Extend to Private Citizens

NJCCIC
June 22, 2017
Threat Alert

According to multiple media reports, a New York Supreme Court Justice was defrauded of just over $1 million after responding to an email that was believed to have come from her real estate lawyer. The judge was in the process of selling her apartment and purchasing a new property in New York City when she received an email that purportedly requested funds as a part of those transactions; however, the email was spoofed and the funds were sent to a foreign bank account. While the largest losses from Business Email Compromise (BEC) scams have predominantly impacted businesses and government organizations, private citizens must be aware of, and remain vigilant against, various email threats intended to defraud them of funds, obtain their credentials to access online banking accounts, or elicit personal information used to commit identity theft. Organizations of all sizes and across industries must also implement guidelines and processes to prevent their employees from falling victim to these scams. Earlier this month, Southern Oregon University reportedly fell for a BEC scam and lost $1.9 million that was earmarked for a construction project. The NJCCIC recommends organizations and private citizens take extra precautions when conducting wire transfers to verify the authenticity of the requestor by first contacting them over the phone to confirm their account details, as well as conducting additional online research on their identity. It is advisable for organizations that regularly conduct wire transfers to implement a multi-step approval process that requires the review of two or three employees before transfers are initiated. Victims of BEC scams who proceed in transferring money to criminals should report that crime to their local law enforcement agency as soon as possible.

Reprinted from the NJCCIC Bulletin

______________________________________________________

Panda Banker Detected in Malicious Email Campaign

The NJCCIC has observed several email campaigns attempting to deliver the Panda Banker trojan to unsuspecting victims. These emails contain a link that leads to a Microsoft Word document named monthly_statement_411985.doc hosted on a remote server. If recipients open the document and enable macros to run, the Hancitor trojan will install onto their system which will then download and install Panda Banker. The NJCCIC strongly recommends educating end users about this and similar threats and reminding them never to click on links or open attachments delivered with unexpected or unsolicited emails. Additionally, if end users have received and taken action on these emails, isolate the affected systems from the network and perform a full system scan using a reputable anti-malware solution. Proactively monitor and change passwords to any financial, personal, or business accounts accessed on infected systems and enable multi-factor authentication where available.

Reprinted from the NJCCIC Bulletin

______________________________________________________

Fake Invoices Spread GlobeImposter Ransomware via Necurs Botnet

The NJCCIC has recently detected a malicious campaign attempting to deliver a high volume of emails containing the GlobeImposter ransomware variant to hundreds of state email accounts. This campaign is being distributed globally via the Necurs botnet, which was previously used to send Locky ransomware to New Jersey residents. The email subject line includes the word “Invoice” and random digits. Attached to the email is a malicious compressed .7z ZIP file that downloads and executes the GlobeImposter ransomware via VBScript. The NJCCIC strongly recommends educating end users about this and similar threats and reminding them never to click on links or open attachments delivered with unexpected or unsolicited emails. Additionally, if end users have received and taken action on these emails, isolate the affected systems from the network immediately to prevent the malware from spreading.

Reprinted from the NJCCIC Bulletin

______________________________________________________

Payroll Phishing Emails Target New Jersey Organizations 

The NJCCIC has received reports of a phishing campaign actively targeting employees of organizations that use ADP as their payroll service provider. This campaign sends emails that masquerade as official ADP notifications and attempt to lure recipients into clicking on an embedded link that leads to a phishing page. This phishing page is a malicious clone of the official ADP website and is designed to capture the login credentials of unsuspecting victims who believe they are logging into the legitimate site. The malicious actor or group behind the campaign then uses the stolen credentials to log into the legitimate ADP website and obtains the account holder’s sensitive information, such as his or her name, address, Social Security number, salary, bank account number, and tax return information. This data can then be used to commit identity theft, tax return fraud, and to reroute payroll funds to a bank account controlled by the actor. If the employee uses the same login credentials for other accounts, such as corporate email and network accounts, the malicious actor could use them to access and compromise the employee’s corporate network as well. The NJCCIC strongly recommends never using links provided in unsolicited emails to visit websites requiring the input of account credentials, particularly those for sensitive accounts such as corporate and personal email, payroll, and online banking. Instead, visit the account’s associated website by typing the legitimate address directly into the URL field of your web browser. If you receive an unexpected or unsolicited email request from a known sender inviting you to click on a link or open an attachment, always verify the sender via another means of communication before taking any action. Enable multi-factor authentication on all accounts that offer it to prevent unauthorized access as a result of credential compromise.

Reprinted from the NJCCIC Bulletin

______________________________________________________

THREAT ACTORS CONTINUE TO TARGET REAL ESTATE TRANSACTIONS, DEFRAUDING MANY

As previously reported in our March 9 Bulletin, New Jersey residents and businesses involved in real estate transactions, including real estate brokers, attorneys, and title agents, are being targeted by profit-motivated cybercriminals using phishing and social engineering tactics to defraud homebuyers and agents. The NJCCIC has observed a steady increase in reported incidents involving these scams; one homebuyer was recently defrauded out of tens of thousands of dollars. Once a malicious actor has gained access to one party's email account and discovers an ongoing real estate transaction, they often wait for the most opportune time to send an email with fraudulent account details requesting wire transfers for deposits and closing costs. In other instances, threat actors simply create an email address and impersonate a known real estate or title agent. The subject and body of these emails will often portray a sense of urgency in an attempt to have targets immediately wire money before they have an opportunity to fully review the email’s content and question its legitimacy. Scams such as these are likely to increase again next year between April and August, as this is typically the most active time for real estate transactions and agents may be more likely to miss red flags in emails. Agents may also be held liable if a client loses money due to this type of scam. In 2016, a title company sued a California real estate broker for $513,000, claiming the agent failed to secure his email account, leading to a fraudulent wire transfer. The NJCCIC recommends homebuyers and real estate entities educate themselves on these malicious tactics and remain vigilant during and immediately after the closing process. We strongly recommend real estate businesses implement new policies aimed at preventing fraudulent wire transfers and other scams. For example, forbid the sharing of wire transfer account information via email and instead utilize video chat applications, phone calls from trusted numbers, or in-person meetings.

Reprinted from the NJCCIC Bulletin

______________________________________________________