Be aware of tax-related scams, phishing attacks or social engineering

Refund scams: With tax season approaching, it is now normal to expect criminal activity targeting tax refunds. Criminals can obtain your personal information from a variety of sources, including your unwitting tax preparer. The Information Security Office encourages you to file your taxes as early as possible to reduce the chance of criminal elements filing for refunds before you do.

Phishing: It is also normal to expect an increase in phishing emails and attempts to lure you into inadvertently installing computer viruses. Use caution when clicking Web or email links or opening attachments related to tax returns. The IRS does not initiate any contact with taxpayers by email, text, or social media.

Many of the messages will have an urgent tone in the subject line and contents. Here are a few examples of subject lines based on those received in previous years:

  • Final reminder: Tax Refund Notification
  • Your 2017 – IRS Tax Refund Payment
  • Your IRS tax bank transfer is not approved.
  • Income Tax Refund REJECTED

If you receive an email that appears suspicious, send it to phish@uta.edu. Do not click on the links or open attachments.

Phone Scams: Always be cautious about providing your personal information over the phone, especially to individuals who initiate the call. In such cases, always offer to hang up, verify the nature of the call, and call them back at a number they provide. Do not rely on the caller ID information. Instead, seek out the organization’s official number and contact them directly. If you suspect attempted fraud or fall victim to a scam, contact your local law enforcement.

The IRS has recognized tax-related fraud as a problem and has published several articles on its Security Awareness Tax Tips site at https://www.irs.gov/uac/IRS-Security-Awareness-Tax-Tips. Share the tips with your family, friends and even your tax preparer! If you fall victim to tax fraud, contact the IRS right away.

New Phishing Campaign Discovered.

A CIS Cyber Alert (see below) has been published detailing a phishing campaign that uses a weaponized PDF document exploiting a vulnerability in Adobe Reader (CVE-2013-2729). The campaign attempts to entice users to open the attached file by referring to an “Unpaid invoic” (sic).

This campaign uses the Dyre banking Trojan, which is focused on stealing banking credentials.

Recommendations:

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Do not open email attachments from unknown or untrusted sources.
  • Limit user account privileges to only those required.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Keep all operating systems, applications and essential software up to date to mitigate potential exploitation by attackers.
  • Ensure that systems are hardened with industry-accepted guidelines.
  • Make sure all AV products are up-to-date with their signatures.
  • Implement filters at your email gateway for filtering out emails with subject line “Unpaid invoic”. [Note the typo]
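
One way to implement the subject-line filter recommended above, as an added example that is not part of the CIS alert or any gateway product's own code. It assumes the gateway can pass each raw message to a Python hook; `inspect_message` and `verdict` are hypothetical names, and all sample messages are constructed. The subject is decoded before matching so that an encoded or folded header does not slip past a plain string comparison.

```python
import email
import re
from email import policy

# Subject fragment from the alert; the campaign's typo is matched as written.
SUBJECT_RE = re.compile(r"unpaid\s+invoic", re.IGNORECASE)

def inspect_message(raw_bytes):
    """Return {'subject_hit': bool, 'has_pdf': bool} for one raw message."""
    # policy.default unfolds headers and decodes RFC 2047 encoded-words, so an
    # encoded or folded Subject is compared in the form a user would see.
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    has_pdf = False
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        # Check the file name too: the declared MIME type may not say PDF.
        if part.get_content_type() == "application/pdf" or name.endswith(".pdf"):
            has_pdf = True
    return {"subject_hit": bool(SUBJECT_RE.search(subject)), "has_pdf": has_pdf}

def verdict(raw_bytes):
    """Quarantine on the subject match; note a PDF attachment for triage."""
    result = inspect_message(raw_bytes)
    if result["subject_hit"]:
        return "quarantine+pdf" if result["has_pdf"] else "quarantine"
    return "deliver"

# Constructed sample messages (not taken from the campaign).
PLAIN = b"From: a@example.test\nSubject: Unpaid invoic\n\nbody\n"
ENCODED = b"From: a@example.test\nSubject: =?utf-8?Q?UNPAID_invoic?=\n\nbody\n"
FOLDED = b"From: a@example.test\nSubject: FW: Unpaid\n invoic 4471\n\nbody\n"
BENIGN = b"From: a@example.test\nSubject: Invoice paid, thank you\n\nbody\n"
WITH_PDF = (
    b"From: a@example.test\nSubject: Unpaid invoic\nMIME-Version: 1.0\n"
    b'Content-Type: multipart/mixed; boundary="b1"\n\n'
    b"--b1\nContent-Type: text/plain\n\nSee attached.\n"
    b'--b1\nContent-Type: application/octet-stream; name="invoice.PDF"\n'
    b'Content-Disposition: attachment; filename="invoice.PDF"\n\n'
    b"constructed placeholder bytes\n--b1--\n"
)

if __name__ == "__main__":
    for label, raw in [("plain", PLAIN), ("encoded", ENCODED), ("folded", FOLDED),
                       ("benign", BENIGN), ("with_pdf", WITH_PDF)]:
        print(label, verdict(raw))
```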

REFERENCES:

PhishLabs:

http://blog.phishlabs.com/enhancements-to-dyre-banking-trojan

CVE:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2729

Phishing Attempt – 2014/2/25

The Information Security Office has been made aware of a phishing attempt that has been sent to some UTA employees.  Please delete this email if you receive it:

_________________________________________________________________________________________________________________________

From: IT.SYSTEM.ADMINISTRATOR@mta5.xxx.xxx.edu [mailto:IT.SYSTEM.ADMINISTRATOR@mta5.xxx.xxx.edu]

Sent: Tuesday, February 25, 2014 11:02 AM
To: Recipients
Subject: Your Input Needed: URGENT

Your EMPLOYEE ACCOUNT have been compromised. The is the cause of the recent increse in unsolicited emails. You are to CLICK HERE and verify your account so that we can effectively thwart the damage done by phishing on our network.

Regards,

Systems Security

Phishing Attempt – 2014/2/04

The Information Security Office has been made aware of a phishing attempt that has been sent to some UTA employees.  Please delete this email if you receive it:

“””


From: Support
Sent: Tuesday, February 04, 2014 8:28 AM
To: User
Subject: Your Email Account

Dear Subscriber,

Due to congestion on our webmail servers, all unused and unconfirmed accounts will be shut down. It is mandatory you confirm ownership of your webmail account by clicking ClickHere and following the instructions by completing the form or your account will be suspended.

We sincerely apologize for any inconveniences caused.

Customer Dept.

Copyright 2013, All Rights Reserved