UMBC DoIT Security continues to receive reports of malicious emails claiming to offer part time job opportunities to UMBC students. 

From: Charlotte Oliver <charlotteoli26900@gmail.com>

Date: Sat, May 30, 2020 at 10:55

Subject: UMBC STUDENT PART TIME JOB OPPORTUNITY

Dear Student,

 

We got your contact through your school database and I'm happy to inform you that our reputable company Cisco Systems Inc® is currently running a student empowerment program. This program is to help devoted and hardworking students secure a part time job which does not deter them from doing any other, you just need a few hours to do this weekly and with an attractive weekly wages.

 

KINDLY EMAIL BACK WITH YOUR  (RESUME) PERSONAL EMAIL ADDRESS AND PHONE NUMBER IF INTERESTED IN THIS JOB POSITION.

 

Best Regards,

 

Charlotte Oliver

HR Manager/Consultant

Cisco Systems Inc®

DO NOT REPLY TO THIS PHISHING EMAIL!

This phishing campaign is designed to collect students’ personal information. A reply confirms that your account is active and could lead to more spam. Additionally, if you provide your alternate email address and phone number as requested, you could be vulnerable to phone and text message scams in addition to being pressured by the fake employers for more personal information.

This job scam is similar to a COVID-19 themed variant reported in early May. While the message and subject of the emails have changed, the basic premise has not. See the original post at https://itsecurity.umbc.edu/critical/?id=92997.

During the  COVID-19, unemployment numbers have been rising and more people are looking for work. Some people have unknowingly gotten involved in breaking the law. According to the article from Idaho News 6 linked below, police found thousands of dollars worth of stolen merchandise in a garage belonging to a homeowner who thought he was renting space to people  working on a reshipping job.

The article warns that malicious actors post legitimate looking “work from home” help wanted or job openings on places like social media, message boards and even job posting sites. These ads will claim the work will be easy, pays big, and can be done from home. The malicious actor uses stolen credit cards to purchase goods and has the victim reship the items. In fact, the malicious actor is using the victim as part of a money laundering operation.

The article encourages readers to stay safe while job searching, to make sure that the employer has a readily available phone number for human resources, and has a company website. Scammers on the other hand usually will communicate through email or messenger only and are very secretive about the work, their business, and what the employee will be doing. The article also warns against paying upfront fees since malicious actors will often ask for fees for background checks or other pre-employment checks.

For more information, please check out:

https://www.kivitv.com/news/bbb-watch-for-work-from-home-scams

May 22, 2020

Next Week, Maryland will begin a state-wide effort to trace the spread of COVID-19.  The effort will involve health workers making phone calls to Maryland residents.  This is a very important step in identifying potential disease clusters and everyone’s help is needed.

At the same time, Maryland in general and UMBC in particular have been targets of a wide variety of scams taking advantage of people’s fears and uncertainties around this disease.  It is very possible that unscrupulous people will take advantage of Maryland’s effort as a cover for phone scams.  North Carolina, for instance, started a contact tracing effort last month and has gotten reports of scammers pretending to be health officials and gathering information from residents.

Phone Calls

When you get a call, your caller ID should read “MD COVID”.  You will be asked about your health and about your location and interactions within a period of time.  You will be asked for your birth date, contact information, and information about any COVID-19 test if you have had one.  You will get guidance about potential symptoms to watch for and about self-isolation.

You will NOT be asked for:

• ·        a Social Security number

• ·        financial or bank account information

• ·        personal details unrelated to COVID-19

• ·        photographs or videos

• ·        passwords

• ·        payment

If anyone asks you for this or other information having nothing to do with COVID-19, please do not give it to them. 

Text Messaging

So far, Maryland has not announced that text messaging will be part of the contact tracing effort.  If you receive a text message that asks you to click on a link for contact tracing, do not click it. At best, it will take you to a scam questionnaire requesting your personal information.  Worse, it could download malware to your phone and start harvesting personal information itself.

New Jersey has received reports of text messages pretending to be from contact tracers and telling people that they have already had contact with a potential COVID-19 carrier.  These messages also contain links which will lead to information theft and/or malware.  Contact tracers don’t work like this.

For More Information

Launch of Maryland’s contact tracing effort

• https://www.baltimoresun.com/coronavirus/bs-md-maryland-contact-tracing-operation-coronavirus-reopening-20200521-jn4wfqgjcjdqbkbu454fhqngim-story.html

• https://www.wbaltv.com/article/maryland-contact-tracing-ramps-up/32631045#

FTC Warning about COVID-19 contact tracing text message scams

• https://www.consumer.ftc.gov/blog/2020/05/covid-19-contact-tracing-text-message-scams
  

Scam Warning from North Carolina Attorney General

• https://ncdoj.gov/watch-out-for-covid-19-contact-tracing-scams/

Warning from New Jersey state officials about text message scams

• https://www.nj.com/coronavirus/2020/05/beware-of-coronavirus-contact-tracing-scams-nj-officials-warn-thousands-of-fraud-cases-reported.html

Android Ransomware

DomainTools discovered that domain names associated with COVID-19 and Coronavirus have spiked in the past few weeks, and many of those domains are considered malicious. One that caught their eye was a website that offers a real-time coronavirus outbreak tracker as an Android app.

The app says that it offers many features like a heat map and other statistical data about COVID-19, but this app is instead ransomware. When downloading the app, it will ask for administrative access promising that this will allow certain types of information. If the app is given administrative access, it is given the opportunity to lock up all contacts, pictures, videos, and social media accounts unless their ransom is paid in Bitcoin. If the ransom is not paid, the attacker threatens to release all private information publicly and erase the phone's memory.

DomainTools offers tips on how to better protect against ransomware and other malware that tries to capitalize on coronavirus. They first state to be sure to only use trusted information sources from the government and research websites, and not to click on anything health related in your emails. Next they ask Android users to ensure that they download apps from the Google Play store, as third-party stores have a much higher risk of downloading malware.

For more information, please check out:

https://www.domaintools.com/resources/blog/covidlock-mobile-coronavirus-tracking-app-coughs-up-ransomware

https://www.us-cert.gov/Ransomware

Tripwire has released an article warning of these COVID19-related phishing scams. This article can be found at this link: https://www.tripwire.com/state-of-security/security-awareness/covid-19-scam-roundup-may-11-2020/

(Fake) Work From Home Offers

PhishLabs discovered a phishing email attack aiming to entice people laid off due to COVID-19 with a work from home opportunity. The one email they found offered $5000 a month for a fake position. If the reader replies, they are asked for personal and financial information and will be given a more detailed job description involving transfering money through the readers accounts. The malicious actors might not only steal money from the readers account, but also could use the reader as a money mule meaning that they could be held liable for the stolen money that passes through their account. 

(Fake) IRS Page

Researchers at SecureWorks discovered malicious actors targeting readers with a phishing page designed to look like a tax form given by the IRS. The attack is believed to be distributed through email attacks, and the goal of this attack is stealing the readers tax information. Once the malicious actor has the information, they can then impersonate the reader on the official IRS tax form meaning that they will collect not only their tax return but their stimulus checks as well.

Impersonating Institute of CPAs

The Microsoft Security Intelligence team discovered that some digital attackers were using COVID-19 themed attack campaigns to distribute malware. One example they found showed a malicious actor impersonating the Institute of CPAs. In their emails they were claiming to be delivering COVID-19 related updates to its members as well as containing a ZIP file. The file is instead an executable that will allow the malicious actor to take control of the affected machine.

Email Attacks

Tripwire has released an article warning of these COVID-19 related email scams. The article can be found at this link: https://www.tripwire.com/state-of-security/security-awareness/covid-19-scam-roundup-may-4-2020/

(FAKE) Failed Delivery Notice

They report on a finding from Kaspersky Labs, where they warn of a spam email campaign informing recipients that a delivery attempt had failed because their shipment details were incorrect and the reader needs to update their details. An image of a receipt is included in the message.  The receipt is too small to read easily, so the recipient will probably click on it for a better look. Clicking on the attachment will load spyware onto the user's device.

(FAKE) Donation to WHO

A malicious actor sent out emails urging recipients to consider donating to the World Health Organization. The email has a from address of “support@covid-19[.]world” and includes a link at the bottom saying “Help Us Fight”.  Clicking the link will take the reader to a malicious domain help-who[.]com. For readers to donate they must click on the embedded link which allows the malicious actors to steal the reader’s payment information.

(FAKE) Update to Family and Medical Leave Act

Finally the article reports that IBM X-Force discovered a phishing email campaign that seemed to be from the US Department of Labor. The email states they have made changes to the “Family and Medical Leave of Act” as a result of COVID-19. This email then asks readers to review the attached word document. The attachment will install malware which puts the reader’s computer under the control of a botnet.

The UMBC Division of Information Technology received notification of a new job scam variant on 08may2020.  The subject is: UMBC COVID-19 INFORMATION

From: Koyepes Michael <michaelkoyepes199@gmail.com>

Date: Fri, May 8, 2020 at 9:54 AM

Subject: UMBC COVID-19 INFORMATION

Dear students,

University of Maryland, Baltimore County health professionals have been closely monitoring the spread of COVID-19 over the past two months.Therefore the university is organizing an online part time job to sustain the students living.I'm happy to inform you that our reputable company CORESTAFF SERVICES Inc®,is currently running a student empowerment program.

    KINDLY EMAIL BACK WITH YOUR  PERSONAL EMAIL ADDRESS IF INTERESTED IN THIS JOB POSITION.

Kind Regards

Koyepes Michael

HR Manager/Consultant

CORESTAFF SERVICES Inc®

This is a scam!  DO NOT REPLY TO IT!

A reply confirms that your UMBC email address is active.  That is an invitation to get more spam.  You are also asked to provide your personal address.  That’s two addresses for spamming.   You may then be asked to fill out a form with personal information which can then be added to your email address.  That means, at least, that the spam can be targeted to you.  If you provide information such as your birthdate, address, or social security number, the information can also be used for identity theft.  

Even if you are tempted to send the scammer a hostile, insulting message,

DO NOT REPLY!

You will not hurt the scammer’s feelings.  You will simply provide information about yourself directly or indirectly.

E-mail fraud is in the rise. The Division of Information Technology is tracking it. If you get suspicious email, please forward it to security@umbc.edu. If you are not sure whether it is suspicious, forward it anyway. We will investigate it and get back to you.