In July 2020, an online alcohol delivery service, Drizly, suffered a data breach. This breach contained 2.5 million customers data that was sold online, and then posted on a hacking forum. The customer information includes names, email addresses, IP addresses, physical addresses, date of birth, phone numbers, and passwords. No financial information was leaked.

106 UMBC accounts were victims of this breach. The victims are being notified via their UMBC emails and/or their alternate emails. If you have a Drizly account, please contact them to see if you have been affected by this breach. To see if you were involved in any other breach visit: https://haveibeenpwned.com/.

More about Drizly data breach:

https://techcrunch.com/2020/07/28/drizly-data-breach/

https://www.forbes.com/sites/katedingwall/2020/07/29/alcohol-e-commerce-giant-drizly-hit-with-huge-data-breach/#63b0d40b5a96

If you have any questions or concerns email us: security@umbc.edu 

Information about this breach was provided to us by Have I Been Pwned(HIBP). 

_____________________________________________________________________________________

Receive any suspicious emails?

Forward it to security@umbc.edu along with the email headers. Instructions for doing so can be found at the UMBC support wiki: https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970.

Need to set up a recovery email for your UMBC account?

Follow the instructions here: https://my3.my.umbc.edu/groups/itsecurity/posts/94776

In June 2020, Havenly, an interior design website, suffered a data breach. Approximately 1.4 million members' personal information was exposed. This data includes names, email, phone numbers, addresses and passwords stored as SHA-1 hashes. This information was shared on an online hacking community. 

28 UMBC accounts were affected by this breach. The victims have been notified via their UMBC emails and/or their alternate emails. If you have a Havenly account, please contact them to see if you have been affected by this breach.

More about Heavenly data breach:

https://www.bleepingcomputer.com/news/security/hacker-leaks-386-million-user-records-from-18-companies-for-free/ 

If you have any questions or concerns email us: security@umbc.edu 

Information about this breach was provided to us by Have I Been Pwned(HIBP).

_____________________________________________________________________________________

Receive any suspicious emails?

Forward it to security@umbc.edu along with the email headers. Instructions for doing so can be found at the UMBC support wiki: https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970.

Need to set up a recovery email for your UMBC account?

Follow the instructions here: https://my3.my.umbc.edu/groups/itsecurity/posts/94776

Follow us on myUMBC:https://my3.my.umbc.edu/groups/itsecurity

In June 2020, a marketing video creator website, Promo, suffered a data breach. 22 million users' personal information was leaked on an online hacking forum. This data includes names, email, gender, IP addresses and passwords stored as SHA-256 hashes. This information was shared on an online hacking community. 

34 UMBC accounts were affected by this breach. The victims have been notified via their UMBC emails and/or their alternate emails. If you have a Promo account, please contact them to see if you have been affected by this breach. Also visit https://haveibeenpwned.com/ to see if you were involved in any other breach.

More about Promo data breach:

https://support.promo.com/en/articles/4276475-promo-data-breach-faq 

https://www.bleepingcomputer.com/news/security/promocom-discloses-data-breach-after-22m-user-records-leaked-online/#:~:text=Promo.com%2C%20an%20Israeli-based%20marketing%20video%20creation%20site%2C%20has,networks%20such%20as%20Facebook%2C%20Instagram%2C%20Twitter%2C%20and%20LinkedIn.

If you have any questions or concerns email us: security@umbc.edu 

Information about this breach was provided to us by Have I Been Pwned(HIBP). 

_____________________________________________________________________________________

Receive any suspicious emails?

Forward it to security@umbc.edu along with the email headers. Instructions for doing so can be found at the UMBC support wiki: https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970.

Need to set up a recovery email for your UMBC account?

Follow the instructions here: https://my3.my.umbc.edu/groups/itsecurity/posts/94776

Follow us on myUMBC:https://my3.my.umbc.edu/groups/itsecurity

In June 2020, ProctorU, an online examination service, suffered a data breach. Over 444K user records were exposed and posted to an online hacking community. These records contain names, emails, physical addresses, phone numbers and passwords.

36UMBC accounts were affected by this breach. The victims have been notified via their UMBC emails and/or their alternate emails. If you have a ProctorU account, please contact them to see if you have been affected by this breach. To see if you were involved in any other breach visit: https://haveibeenpwned.com/.

More about ProctorU data breach:

https://www.smh.com.au/national/hackers-hit-university-online-exam-tool-20200806-p55j6h.html

https://www.bleepingcomputer.com/news/security/proctoru-confirms-data-breach-after-database-leaked-online/

If you have any questions or concerns email us: security@umbc.edu 

Information about this breach was provided to us by Have I Been Pwned(HIBP). 

_____________________________________________________________________________________

Receive any suspicious emails?

Forward it to security@umbc.edu along with the email headers. Instructions for doing so can be found at the UMBC support wiki: https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970.

Need to set up a recovery email for your UMBC account?

Follow the instructions here: https://my3.my.umbc.edu/groups/itsecurity/posts/94776

Follow us on myUMBC:https://my3.my.umbc.edu/groups/itsecurity

Malicious actors are using Covid-19 and current economic conditions to exploit victims with new phishing scams. The article linked below talks about two similar phishing scams. One scam claims to be giving the user a bonus while mimicking a Microsoft SharePoint notification. The other attempts to spoof a Microsoft Planner email notification. Both scams are trying to steal the user’s Microsoft login credentials. 

“Summer Bonus” Phishing Scam

The scammer sends an email that looks like a legitimate Microsoft SharePoint notification. The email offers what looks like a bonus for the month while also having an “open” button to display an explanatory file. An example of this email is shown below.

If the victim clicks on the “open” button they will be brought to a website that looks very similar to a Microsoft login page. A closer look reveals that this is not a link to a Microsoft login page but to an AppSpot site created by the scammers. Appspot.com is a cloud computing platform for developing and hosting web applications in Google-managed data centers.

If the victim enters their login credentials into the fake Microsoft login page, their account would be compromised.

Microsoft Planner Phishing Scam

Similar to the “Summer Bonus” scam, this Microsoft Planner Phishing Scam uses an email that tries to spoof a Microsoft Planner notification. As in the “Summer Bonus” scam, it has a button but this one says “Open in Microsoft Planner” and will take you to a fake Microsoft login page. An example of this email is shown below.

As with the previous scam, if the victim enters their login credentials into the fake Microsoft login page, their account would be compromised.

To avoid these scams, make sure the site you land on after clicking the button is really a Microsoft domain. If the site is a login for Microsoft then the URL should direct your browser to a legitimate Microsoft domain.

Even before clicking any buttons, look at the From address in the headers. The scammer’s display name makes it appear as if it belongs to the targeted company. The headers can show if the From email address itself is spoofed and who is actually sending the email to you. 

Always remember that if it feels “too good to be true”, then it is probably too good to be true. It is also good practice to check with a supervisor before responding to any unsolicited requests for credentials or logins that appear to come from your employer.

If you do receive any email that you suspect is a scam, please do not click on any URL or reply. Either of those actions confirms to the sender that your email address is valid. Please forward the message (with the email headers) to security@umbc.edu.

How do I forward full email headers?

https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970

The images and the original article can be found here. Please check it out for more information: 

https://www.area1security.com/blog/july-bonus-microsoft-spear-phishing/?utm_medium=email&utm_source=blast&utm_term=na&utm_content=na&utm_campaign=2020-Q3-Email-Blast-Spot-Campaign&mkt_tok=eyJpIjoiWVdKbE1HVXlOakkzWVRWaiIsInQiOiJFWnFFZVYxYXBuTFpcLytrc1hzNkFodUZ1XC9CbWRPcUROYmhMWlM0NisyZmo3K0cybFFyY0xmMnhYXC9lYUIzMit2UXZGYzFPTURmTSt2Z1cxRDkxOTladFUwVGl5Wmczd2FmZWFvSkRZZm9iN0FVZGh0TGs2b2FlazhaSFU0ZWhzbSJ9

To read more articles published by DoIT visit: 

https://itsecurity.umbc.edu/critical/?tag=notice. 

https://itsecurity.umbc.edu/home/covid-19-news/?tag=covid19

Recently DoIT has been notified that an email scammer has been trying to impersonate other UMBC staffers. The email comes from a scammer who is claiming to be someone from UMBC and has the Subject “Quick response.” An example of this phishing email can be seen below.

The email that is shown above is only the first email that the scammer will send to users to try and get their attention. In similar phishing emails, once the user responds  the scammers would claim that they were stuck in a meeting and ask the user if they could go to the store and buy them gift cards. 

Even though this email is short it still shows some red flags of a phishing email. 

• The email itself is not personalized and is very vague. The reason for this is so that the scammer can send the email to as many people as possible.

• There is a sense of urgency. Even with this email being so short, the sense of urgency comes with the subject line of “Quick response” trying to show that they need you to respond as soon as possible.

• The From email address is suspicious. Some scammers will use addresses of the form <johnsmith.umbc@gmail.com>. Without a closer examination some might assume it is coming from a UMBC source while in actuality it is coming from an unknown Google mail address.

• The email signature and name are meant to look legitimate. The scammer will try to base their phishing email on that of the person they are trying to impersonate. This will include an email signature meant to look like an actual UMBC staff member’s and the sender's name being that of the person they are trying to impersonate, often a supervisor. 

You can find other examples of similar scams here https://itsecurity.umbc.edu/critical/?id=94968 and https://itsecurity.umbc.edu/critical/?id=94950 or check out the DoIT Security page main page for more updated information.

If you do receive this or a similar email that you suspect is a scam, please do not click on any URL or reply. Either of those actions confirms to the sender that your email address is valid. Please forward the message (with the email headers) to security@umbc.edu.

How do I forward full email headers?

https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970

To read more articles published by DOIT visit: 

https://itsecurity.umbc.edu/critical/?tag=notice. 

https://itsecurity.umbc.edu/home/covid-19-news/?tag=covid19

In February 2020, the guitar tuition website TrueFire suffered a data breach. Over 600,000 individuals were affected. Information such as names, emails, addresses, account balances, and passwords were exposed. 

Five UMBC email addresses were victims of this breach. These individuals were notified via their UMBC emails and/or their recovery emails. If you have a Truefire membership, please contact them to see if you were affected by this breach. If you have any questions or concerns email us: security@umbc.edu

Information about this breach was provided to Have I Been Pwned(HIBP) by dehashed.com.

More about Truefire data breach:

https://guitar.com/news/industry-news/truefire-data-breach/https://guitar.com/news/industry-news/truefire-data-breach/

_____________________________________________________________________________________

Receive any suspicious emails?

Forward it to security@umbc.edu along with the email headers. Instructions for doing so can be found at the UMBC support wiki: https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970.

Need to set up a recovery email for your UMBC account?

Follow the instructions here: https://my3.my.umbc.edu/groups/itsecurity/posts/94776

Follow us on myUMBC:https://my3.my.umbc.edu/groups/itsecurity

The DoIT has recently been notified of a malicious actor trying to impersonate a UMBC staffer. This scammer is sending emails with the subject line “QUICK REQUEST” and asking victims if they are available with the goal of getting gift cards from the victim. An example of an email chain is shown below with the name of the From and the email signature removed for privacy reasons.

The scammer targets a department and tries to impersonate some senior person in that department. The scammer will send emails asking the victim if they are “available.” 

If the victim respondes, they will receive a second email asking the victim to purchase gift cards because the scammer is currently in a meeting and can’t do it themselves. Note that the second email has poor grammar and random capitalizations. This email also has a sense of urgency with the scammer claiming to be in a meeting and using words like “important” and the subject “QUICK REQUEST” all in caps.

Note that the sender’s address in both messages is <.umbc@gmail.com>. The full email from the scammer was shortened for privacy reasons. This address allows the victim to see the “umbc” and, without close examination, to assume that the message is coming from a UMBC source when in actuality it is coming from an unknown Google mail address. The email also had an email signature which was based on that of an actual UMBC staff member.

If you do receive this or any other email that you suspect is a scam, please do not click on any URL or reply. Either of those actions confirms to the sender that your email address is valid. Please forward the message (with the email headers) to security@umbc.edu.

How do I forward full email headers?

https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970

To read more articles published by DOIT visit: 

https://itsecurity.umbc.edu/critical/?tag=notice. 

https://itsecurity.umbc.edu/home/covid-19-news/?tag=covid19

Recently the DoIT has been notified of a malicious actor trying to impersonate a UMBC staffer. The phishing email has the subject line “TASK” and a chain of emails from the scammer can be seen below. The example has had the name and email address of the victim removed for privacy reasons.

First the malicious actor sends an email asking if the user is available to help them. Note that in the first email there is a  sense of urgency as well as a lack of personalization to the recipient. These can be red flags of a phishing email.

In the second email, the scammer asks the user if they could run out to the store and get some gift cards for a meeting that the scammer is currently in. The text continues to foster a sense of urgency using words like “fast” and “quickly”.

In the  last email the scammer asks the user for five one hundred dollar Steam gift cards. Steam gift cards are used on Steam, a video game digital distribution service. The scammer will ask the user to send them a copy of the codes on the back of the gift cards.

If you do receive this or a similar email that you suspect is a scam, please do not click on any URL or reply. Either of those actions confirms to the sender that your email address is valid. Please forward the message (with the email headers) to security@umbc.edu.

How do I forward full email headers?

https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970

To read more articles published by DOIT visit: 

https://itsecurity.umbc.edu/critical/?tag=notice. 

https://itsecurity.umbc.edu/home/covid-19-news/?tag=covid19

During the pandemic, Microsoft has seen a rise in phishing campaigns. One such campaign uses the Office 365 phishing via malicious OAuth apps. The phishing attack attempts to trick individuals into giving a malicious Office 365 app permission to their legitimate Office 365 account.

Open Authentication(OAuth) is an open standard protocol which allows users to give websites and applications access to their information without the use of a password or username. Popular sites that use OAuth include Google, Twitter etc.

When granting such access, you may see something like this:

Once the malicious Office 365 app is linked to your Office 365 account, the hackers can access your private information and any other sensitive data stored on your Office365 account. This malicious Office 365 app asks for permissions which include but are not limited to:

• Reading your contacts.

• Reading your mail.

• Reading all OneNote notebooks that you can access. 

• Reading and writing to your mailbox settings.

• Having full access to all files you have access to.

Microsoft has taken legal actions against 6 domains that store the malicious Office 365 applications.

However, you can check the apps and services that you have given consent to access your Office 365

information.

To disable these permissions:

1. Visit: https://account.live.com/consent/Manage?uaid=a11edb2059b64ae499fce9f494c2f53f

2. Click Edit

3. Click Remove these permissions

Source: https://www.bleepingcomputer.com/news/security/microsoft-warns-of-office-365-phishing-via-malicious-oauth-apps/

https://www.bleepingcomputer.com/news/security/phishing-attack-hijacks-office-365-accounts-using-oauth-apps/

_________________________________________________________________________

Receive any suspicious emails?

Forward it to security@umbc.edu along with the email headers. Instructions for doing so can be found at the UMBC support wiki: https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970.

Follow us on myUMBC:https://my3.my.umbc.edu/groups/itsecurity