Holiday Season Cyber Scams and Malware Campaigns

As we approach the holidays, the Information Security Office (ISO) would like to remind the UT Arlington community to be aware of seasonal scams, phishing and malicious software (malware) distribution campaigns.

Every year, cyber criminals take advantage of the increase in online purchases and electronic seasonal greeting cards to trick victims into believing they’ve received packages or personal messages. They often use multiple methods to attract victims, such as posing as legitimate websites and/or using fraudulent emails that are crafted to look legitimate; they steal the logos, email or web templates of legitimate businesses *e.g. FedEx, DHL UPS, Amazon.com, etc.) in an effort to entice victims into clicking links or opening attachments.

These phishing and malware campaigns may come in the form of :

  • Fake shipping/courier notifications.
  • Electronic greeting cards or links to holiday screensavers or other forms of media.
  • Request for charitable contributions that may appear to be for legitimate causes but originate from illegitimated sources claiming to be charities.
  • Credit card or gift card applications or enticing discounts in online shopping advertisements that lead to websites you’re unfamiliar with.

In addition, be aware of social engineers who may call you on your personal or work phone using a themed pretext (holiday offers, package pickup, etc.).

Don’t be a victim!  The ISO advises caution when you encounter these types of email messages or websites by:

  • Looking for tell-tale signs that a website or email is not legitimate:

………….– The senders address or website address does not match the organization listed in the content of the message.
………… – The grammar in the message or website is poor.
………… – Format of the email or website is poor or inconsistent with what you’re used to seeing from the organization.
………… – Hovering over the links with your mouse reveals web address inconsistent with the content of the message.

  • Never clicking on links in emails that you’re not expecting.
  • Never opening attachments in emails that you’re not expecting.
  • Never providing your personal information in an email or on a website unless you are completely sure.

The United States Computer Emergency Readiness Team encourages users and administrators to use caution when encountering these types of email messages and take the following preventative measures to protect themselves from phishing scams and malware campaigns:

Potential Increase in Malware Delivered by PDF and Office Attachments

The Information Security Office wants to make you aware that a number of vulnerabilities affecting Microsoft Office and Adobe Acrobat were disclosed this week. Furthermore, we have been made aware that savvy criminals are launching phishing campaigns to deliver malware (such as viruses, Trojans, worms, etc.) by sending specially crafted documents (like pdf, PowerPoint) attached to crafted email designed to bait recipients into opening the documents. If the document is opened, there is a potential for the computer to be infected and may begin downloading other malware.

The Office of Information Technology is aware of these vulnerabilities and is in the process of mitigating them by doing the following:

1. Updating the malware signatures on the email systems that deliver email to @uta.edu and @mavs.uta.edu addresses to block known attachments that might be infected.
2. Updating Microsoft Endpoint Protection (Windows) and McAfee Antivirus (Macintosh) to block known malware that might exploit this vulnerability.
3. Updating Microsoft Office and Adobe Acrobat products on computers that have the standard OIT image.
4. Patching vulnerable servers under their care that might be vulnerable if malware entered our network.

Additionally, the Information Security Office has implemented blocks on the Intrusion Prevention System for known communication that might exploit these vulnerabilities.

As is the nature with all anti-malware software or network protections, and while anti-malware vendors are constantly adjusting and improving detection capabilities, they are often playing catch-up with the latest techniques used by criminals to evade threat detection technology. As such I encourage you to alert your staff to be vigilant and to follow these general tips to avoid infection:

  • Do not open email attachments from unknown or untrusted sources
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources, especially email.
  • Ensure that computers and servers are protected:
    • Keep all operating system, applications and essential software up to date to mitigate potential exploitation by attackers.
    • Make sure all AV products are up-to-date with their signatures.
    • Ensure that there is a properly configured firewall enabled on the computer or server.

If you are not sure whether your UTA computer is fully protected, please contact the OIT help desk or your Desktop Support Associate.

New Windows Vulnerability

The Microsoft Security Advisory (found here) describes a new, un-patched vulnerability in all currently supported versions of Windows except Server 2003. Successful exploitation of this vulnerability would allow an attacker to gain the same rights on the machine as the current user.

Exploitation of this vulnerability requires the user to open a specially crafted Microsoft Office document. Researchers are seeing targeting attacks utilizing this attack.

Prevention: standard behavior rules apply:

  • Don’t open attachments from unknown sources
  • Don’t click on suspicious links in email

New Phishing Campaign Discovered.

A CIS Cyber Alert (see below) has been published detailing a Phishing campaign that utilizes a weaponized PDF document that exploits a vulnerability in Adobe Reader(CVE-2013-2729). This campaign attempts to entice users to open the attached file by referring to an “Unpaid invoic”(sic)

This campaign is utilizing the Dyre Banking Trojan, focused on stealing banking credentials.

Recommendations:

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Do not open email attachments from unknown or untrusted sources.
  • Limit user account privileges to those required only.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Keep all operating system, applications and essential software up to date to mitigate potential exploitation by attackers.
  • Ensure that systems are hardened with industry-accepted guidelines.
  • Make sure all AV products are up-to-date with their signatures.
  • Implement filters at your email gateway for filtering out emails with subject line “Unpaid invoic”. [Note the typo]

REFERENCES:

PhishLabs:

http://blog.phishlabs.com/enhancements-to-dyre-banking-trojan

CVE:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2729

New SSLv3 Vulnerability

Also known as “Poodle”, this vulnerability could allow an attacker to steal web site login information or payment data.

“A vulnerability exists within the SSL version 3.0 protocol… allowing an attacker to hijack and decrypt session cookies that are utilized between a user’s web browser and the web site. This could lead to attackers obtaining enough information to temporarily impersonate web site visitor account logins and/or online payment systems.”

REFERENCES:

Google:

http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html

WIRED:

http://www.wired.com/2014/10/poodle-explained/

SANS:

https://isc.sans.edu/forums/diary/OpenSSL+SSLv3+POODLE+Vulnerability+Official+Release/18827