New Phishing Campaign Discovered.

A CIS Cyber Alert (see below) has been published detailing a phishing campaign that uses a weaponized PDF document exploiting a vulnerability in Adobe Reader (CVE-2013-2729). The campaign attempts to entice users to open the attached file by referring to an “Unpaid invoic” (sic).

This campaign delivers the Dyre banking Trojan, which is focused on stealing banking credentials.

Recommendations:

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Do not open email attachments from unknown or untrusted sources.
  • Limit user account privileges to only those required.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Keep all operating systems, applications and essential software up to date to mitigate potential exploitation by attackers.
  • Ensure that systems are hardened with industry-accepted guidelines.
  • Make sure all AV products are up-to-date with their signatures.
  • Implement filters at your email gateway to block emails with the subject line “Unpaid invoic”. [Note the typo]
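As an added illustration of the last recommendation (example code written for this page, not part of the CIS alert or this office's tooling), the following Python rule flags the lure subject, typo included, and records any PDF attachment as supporting context for a gateway that hands raw messages to a filter hook. The sender addresses, sample messages and placeholder attachment bytes are all constructed for this example.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject rule for the lure named in the CIS alert, typo included. The trailing
# \b keeps the rule from matching the correctly spelled "Unpaid invoice", so
# legitimate billing mail is not swept up with it.
UNPAID_INVOIC = re.compile(r"^\s*(?:re:\s*|fw:\s*)?unpaid\s+invoic\b", re.I)

def classify(raw: bytes) -> list[str]:
    """Return the findings for one raw RFC 5322 message (bytes as received)."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if UNPAID_INVOIC.search(str(msg.get("Subject", ""))):
        hits.append("subject:unpaid-invoic")
    # Record PDF attachments as context: the alert's lure carries a weaponized
    # PDF, and a matching subject plus a PDF is a stronger signal than either
    # alone. Check declared type and filename, since either one can be spoofed.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "application/pdf" or name.endswith(".pdf"):
            hits.append(f"attachment:pdf:{name or '(unnamed)'}")
    return hits

def should_quarantine(raw: bytes) -> bool:
    """Gateway decision exactly as the recommendation states it: subject line alone."""
    return "subject:unpaid-invoic" in classify(raw)

def build_sample(subject: str, attach_pdf: bool) -> bytes:
    """Constructed test message for this example; not a real capture."""
    m = EmailMessage()
    m["From"] = "billing@example.invalid"   # placeholder sender
    m["To"] = "user@example.invalid"        # placeholder recipient
    m["Subject"] = subject
    m.set_content("Please see the attached invoice.")
    if attach_pdf:
        # Inert placeholder bytes: not a real PDF and not the exploit document.
        m.add_attachment(b"%PDF-1.4\n%placeholder\n", maintype="application",
                         subtype="pdf", filename="invoice.pdf")
    return m.as_bytes()

if __name__ == "__main__":
    for subj, pdf in [("Unpaid invoic", True), ("RE: unpaid invoic", False),
                      ("Unpaid invoice", True), ("Meeting notes", False)]:
        raw = build_sample(subj, pdf)
        print(f"{subj!r:22} quarantine={should_quarantine(raw)} {classify(raw)}")
```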

REFERENCES:

PhishLabs:

http://blog.phishlabs.com/enhancements-to-dyre-banking-trojan

CVE:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2729

Phishing Attempt – 2014/2/25

The Information Security Office has been made aware of a phishing attempt that has been sent to some UTA employees.  Please delete this email if you receive it:

_________________________________________________________________________________________________________________________

From: IT.SYSTEM.ADMINISTRATOR@mta5.xxx.xxx.edu [mailto:IT.SYSTEM.ADMINISTRATOR@mta5.xxx.xxx.edu]

Sent: Tuesday, February 25, 2014 11:02 AM
To: Recipients
Subject: Your Input Needed: URGENT

Your EMPLOYEE ACCOUNT have been compromised. The is the cause of the recent increse in unsolicited emails. You are to CLICK HERE and verify your account so that we can effectively thwart the damage done by phishing on our network.

Regards,

Systems Security

Phishing Attempt – 2014/2/04

The Information Security Office has been made aware of a phishing attempt that has been sent to some UTA employees.  Please delete this email if you receive it:

“””

From: Support
Sent: Tuesday, February 04, 2014 8:28 AM
To: User
Subject: Your Email Account

Dear Subscriber,

Due to congestion on our webmail servers, all unused and unconfirmed accounts will be shut down. It is mandatory you confirm ownership of your webmail account by clicking ClickHere and following the instructions by completing the form or your account will be suspended.

We sincerely apologize for any inconveniences caused.

Customer Dept.

Copyright 2013, All Rights Reserved

“””

Phishing Attempt – 2014/01/24

The Information Security Office has been made aware of a phishing attempt that has been sent to some UTA employees.  Please delete this email if you receive it:

“””

From: Jacob S Neely
Sent: Friday, January 24, 2014 4:42 AM
To: Jacob S Neely
Subject: Outlook Communications Update !!!

Dear Mailbox User.

Please be informed that your Email account on file has been listed for suspension and will be disabled shortly if not Activated Now. Errors were discovered in your account. For security reasons, you are required to secure and please click here to Upgrade your mailbox and its quota size.

ITS help desk

ADMIN TEAM

© 1995 – 2014 Outlook Communications

“””