
CYBERSECURITY

 The NJLTA is pleased to present the latest news in cybersecurity.

______________________________________________________

Phishing Campaign Targets Office 365 Account Credentials

NJCCIC
December 14, 2017

The NJCCIC has been alerted to a phishing campaign attempting to steal Office 365 account credentials. Emails related to this attack may display subject lines including “Account Notification” or “Patch Alert” and contain a URL link or HTML attachment that redirects users to a fraudulent Office 365 login page. Once account credentials are entered into the phishing website, victims are redirected to an authentic Office 365 website with a message indicating that the initial login attempt was unsuccessful. The NJCCIC strongly recommends never using links provided in unsolicited emails to visit websites requiring the input of account credentials, particularly those for sensitive accounts such as corporate and personal email and online banking. Instead, visit the account’s associated website by typing the legitimate address directly into the URL field of your web browser.

Reprinted from the NJCCIC Bulletin

______________________________________________________

Vulnerability Alert 

Keylogger Found in HP Laptops

In the furtherance of public-private partnerships, this NJCCIC Cyber Alert is being provided in order to assist our members in guarding against network vulnerabilities and the actions of persistent malicious cyber criminals.

Overview
The NJCCIC has been alerted to a potential security vulnerability that exists within more than 460 models of HP laptops including the EliteBook, ProBook, Pavilion, and Envy models.

Threat
A security researcher recently published findings regarding his discovery of keylogging code embedded in the Synaptics touchpad driver that was preinstalled in over 460 models of HP laptops. Although the keylogger component is disabled by default, a local or remote attacker with administrative privileges could enable it to record any keystrokes performed on the affected device. In a security bulletin, HP stated that this vulnerability “impacts all Synaptics OEM partners.”

For more information on this vulnerability, please refer to the following open source articles:

Reporting
The NJCCIC has not received any reports of threat actors attempting to exploit this vulnerability within New Jersey organizations or sectors; however, all affected HP laptop users should take action and apply the most recent HP patch immediately. If your organization experiences or suspects attacks attempting to exploit this vulnerability, please report the incident to the NJCCIC via the Cyber Incident Report form on our website.

Recommendations
Visit the HP Customer Report website to determine if your HP laptop is affected and, if so, update with the available corresponding patch immediately.

Please do not hesitate to contact the NJCCIC at njccic@cyber.nj.gov with any questions. Also, for more background on our recent cybersecurity efforts, please visit cyber.nj.gov.

_______________________________________________________

Ursnif Banking Trojan Detected in Malicious Email Campaign

NJCCIC
December 14, 2017

The NJCCIC has observed a malicious campaign attempting to deliver emails containing the Ursnif banking trojan to state email accounts. These emails are being distributed with malicious attachments that often include “request.doc” in the name. When the document is opened, an Office365 or Microsoft Word notice is displayed requesting the user to “Enable Content” to allow macros to run. If the user enables the malicious content, the Ursnif trojan will then download and install onto the user’s system via PowerShell. The NJCCIC strongly recommends educating end users about this and similar threats and reminding them never to click on links or open attachments delivered with unexpected or unsolicited emails. Additionally, if end users have received and taken action on these emails, isolate the affected systems from the network and perform a full system scan using a reputable anti-malware solution. Proactively monitor and change passwords to any financial, personal, or business accounts accessed on infected systems and enable multi-factor authentication where available.

Reprinted from the NJCCIC Bulletin

______________________________________________________

Profit-Motivated Hackers Continue to Target Real Estate Transactions

NJCCIC
November 2, 2017
Threat Alert

The NJCCIC continues to receive reports from members involved in real estate transactions – including agents, lawyers, title agencies, and buyers – detailing incidents in which they were targets of profit-motivated hackers who attempted to defraud them out of thousands of dollars. These schemes are perpetrated in a couple of ways. In some instances, hackers target and gain access to the email accounts of real estate agents, title agency representatives, paralegals, or homebuyers through the use of compromised account credentials and use them to send convincing emails to targeted victims. In other cases, hackers impersonate a known real estate agent or title agent by spoofing their email addresses and sending financial requests associated with a specific transaction to homebuyers. The subject and body of these emails will often convey a sense of urgency in an attempt to have targets immediately wire money before they have an opportunity to fully review the email’s content and question its legitimacy. In addition to reports the NJCCIC has received, NJ.com recently reported a similar incident in which a compromised email account led to the loss of over $91,000. In most cases, these scams are relatively simple for the criminals to conduct, but the consequences can be devastating. The NJCCIC recommends homebuyers and real estate entities educate themselves and others on these malicious tactics and remain vigilant during and immediately after the closing process. We strongly recommend real estate businesses, including real estate attorneys and title agencies, implement new policies aimed at preventing fraudulent wire transfers and other scams. For example, forbid the sharing of wire transfer account information via email and instead utilize video chat applications, phone calls from trusted numbers, or in-person meetings. Additionally, buyers should never trust email as the sole source of instruction for wiring money related to these transactions and instead receive confirmation of these details in person or over the phone.

Reprinted from the NJCCIC Bulletin

_______________________________________________________

BEC: High-Dollar Wire Transfer Scams Extend to Private Citizens

NJCCIC
June 22, 2017
Threat Alert

According to multiple media reports, a New York Supreme Court Justice was defrauded of just over $1 million after responding to an email that was believed to have come from her real estate lawyer. The judge was in the process of selling her apartment and purchasing a new property in New York City when she received an email that purportedly requested funds as a part of those transactions; however, the email was spoofed and the funds were sent to a foreign bank account. While the largest losses from Business Email Compromise (BEC) scams have predominantly impacted businesses and government organizations, private citizens must be aware of, and remain vigilant against, various email threats intended to defraud them of funds, obtain their credentials to access online banking accounts, or elicit personal information used to commit identity theft. Organizations of all sizes and across industries must also implement guidelines and processes to prevent their employees from falling victim to these scams. Earlier this month, Southern Oregon University reportedly fell for a BEC scam and lost $1.9 million that was earmarked for a construction project. The NJCCIC recommends organizations and private citizens take extra precautions when conducting wire transfers to verify the authenticity of the requestor by first contacting them over the phone to confirm their account details, as well as conducting additional online research on their identity. It is advisable for organizations who regularly conduct wire transfers to implement a multi-step approval process that requires the review of two or three employees before transfers are initiated. Victims of BEC scams who proceed in transferring money to criminals should report that crime to their local law enforcement agency as soon as possible.

Reprinted from the NJCCIC Bulletin

______________________________________________________

Panda Banker Detected in Malicious Email Campaign

The NJCCIC has observed several email campaigns attempting to deliver the Panda Banker trojan to unsuspecting victims. These emails contain a link that leads to a Microsoft Word document named monthly_statement_411985.doc hosted on a remote server. If recipients open the document and enable macros to run, the Hancitor trojan will install onto their system which will then download and install Panda Banker. The NJCCIC strongly recommends educating end users about this and similar threats and reminding them never to click on links or open attachments delivered with unexpected or unsolicited emails. Additionally, if end users have received and taken action on these emails, isolate the affected systems from the network and perform a full system scan using a reputable anti-malware solution. Proactively monitor and change passwords to any financial, personal, or business accounts accessed on infected systems and enable multi-factor authentication where available.

Reprinted from the NJCCIC Bulletin

______________________________________________________

Fake Invoices Spread GlobeImposter Ransomware via Necurs Botnet

The NJCCIC has recently detected a malicious campaign attempting to deliver a high volume of emails containing the GlobeImposter ransomware variant to hundreds of state email accounts. This campaign is being distributed globally via the Necurs botnet, which was previously used to send Locky ransomware to New Jersey residents. The email subject line includes the word “Invoice” and random digits. Attached to the email is a malicious compressed .7z ZIP file that downloads and executes the GlobeImposter ransomware via VBScript. The NJCCIC strongly recommends educating end users about this and similar threats and reminding them never to click on links or open attachments delivered with unexpected or unsolicited emails. Additionally, if end users have received and taken action on these emails, isolate the affected systems from the network immediately to prevent the malware from spreading.

Reprinted from the NJCCIC Bulletin
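
The delivery traits named in the Office 365, Ursnif, Panda Banker and GlobeImposter bulletins above can be checked mechanically at a mail gateway or during mailbox triage. The following is an added example, not NJCCIC code: the rule names, the sample messages and the assumption that the digits in the Panda Banker document name vary are this example's own.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

LURE_SUBJECT = re.compile(r"account notification|patch alert", re.I)
INVOICE_SUBJECT = re.compile(r"invoice\D*\d+", re.I)
URL = re.compile(r"https?://\S+", re.I)
# Assumption: the digits in monthly_statement_411985.doc vary per message.
STATEMENT_DOC = re.compile(r"monthly_statement_\d+\.doc", re.I)

def triage(raw):
    """Return the sorted bulletin indicators that a raw RFC 5322 message matches."""
    msg = message_from_string(raw, policy=default)
    subject = str(msg["Subject"] or "")
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    hits = set()
    html_attached = any(n.endswith((".htm", ".html")) for n in names)
    if LURE_SUBJECT.search(subject) and (URL.search(body) or html_attached):
        hits.add("office365-credential-phish")
    if any("request.doc" in n for n in names):
        hits.add("ursnif-macro-doc")
    if INVOICE_SUBJECT.search(subject) and any(n.endswith(".7z") for n in names):
        hits.add("globeimposter-7z")
    if STATEMENT_DOC.search(body):
        hits.add("panda-banker-link")
    return sorted(hits)

def build(subject, body, attachment=None):
    """Construct a sample message (test data only) and return it as raw text."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()

SAMPLES = {  # constructed messages, not captured traffic
    "o365": build("Patch Alert", "Sign in: http://login.example.invalid/o365"),
    "ursnif": build("Documents", "Please review.", "Smith_request.doc"),
    "globe": build("Invoice 48213", "See attached.", "invoice48213.7z"),
    "panda": build("Your statement",
                   "http://files.example.invalid/monthly_statement_411985.doc"),
    "benign": build("Lunch Friday?", "See you at noon."),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

Matches on these traits are triage leads for an analyst rather than verdicts, since subject lines and file names change between campaigns.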

______________________________________________________

Payroll Phishing Emails Target New Jersey Organizations 

The NJCCIC has received reports of a phishing campaign actively targeting employees of organizations that use ADP as their payroll service provider. This campaign sends emails that masquerade as official ADP notifications and attempt to lure recipients into clicking on an embedded link that leads to a phishing page. This phishing page is a malicious clone of the official ADP website and is designed to capture the login credentials of unsuspecting victims who believe they are logging into the legitimate site. The malicious actor or group behind the campaign then uses the stolen credentials to log into the legitimate ADP website and obtains the account holder’s sensitive information, such as his or her name, address, Social Security number, salary, bank account number, and tax return information. This data can then be used to commit identity theft, tax return fraud, and to reroute payroll funds to a bank account controlled by the actor. If the employee uses the same login credentials for other accounts, such as corporate email and network accounts, the malicious actor could use them to access and compromise the employee’s corporate network as well. The NJCCIC strongly recommends never using links provided in unsolicited emails to visit websites requiring the input of account credentials, particularly those for sensitive accounts such as corporate and personal email, payroll, and online banking. Instead, visit the account’s associated website by typing the legitimate address directly into the URL field of your web browser. If you receive an unexpected or unsolicited email request from a known sender inviting you to click on a link or open an attachment, always verify the sender via another means of communication before taking any action. Enable multi-factor authentication on all accounts that offer it to prevent unauthorized access as a result of credential compromise.

Reprinted from the NJCCIC Bulletin

______________________________________________________

THREAT ACTORS CONTINUE TO TARGET REAL ESTATE TRANSACTIONS, DEFRAUDING MANY

As previously reported in our March 9 Bulletin, New Jersey residents and businesses involved in real estate transactions, including real estate brokers, attorneys, and title agents, are being targeted by profit-motivated cybercriminals using phishing and social engineering tactics to defraud homebuyers and agents. The NJCCIC has observed a steady increase in reported incidents involving these scams; one homebuyer was recently defrauded out of tens of thousands of dollars. Once a malicious actor has gained access to one party's email account and discovers an ongoing real estate transaction, they often wait for the most opportune time to send an email with fraudulent account details requesting wire transfers for deposits and closing costs. In other instances, threat actors simply create an email address and impersonate a known real estate or title agent. The subject and body of these emails will often convey a sense of urgency in an attempt to have targets immediately wire money before they have an opportunity to fully review the email’s content and question its legitimacy. Scams such as these are likely to increase again next year between April and August, as this is typically the most active time for real estate transactions and agents may be more likely to miss red flags in emails. Agents may also be held liable if a client loses money due to this type of scam. In 2016, a title company sued a California real estate broker for $513,000, claiming the agent failed to secure his email account, leading to a fraudulent wire transfer. The NJCCIC recommends homebuyers and real estate entities educate themselves on these malicious tactics and remain vigilant during and immediately after the closing process. We strongly recommend real estate businesses implement new policies aimed at preventing fraudulent wire transfers and other scams. For example, forbid the sharing of wire transfer account information via email and instead utilize video chat applications, phone calls from trusted numbers, or in-person meetings.

Reprinted from the NJCCIC Bulletin

______________________________________________________