This morning DoIT has received several reports of a password change scam that has been going around campus:

From:  ti93943@wildblue.net
    Date: Wednesday, May 6, 2020 9:45 AM
    Subject: Password Notification
    To: < @umbc.edu>
--
    
    Dear Member,
    
    Your UMBC webmail password will expire today.
    
    Visit the maintenance portal below to automatically renew your
    university password.
    
    https://forms.office.com/Pages/ResponsePage.aspx?id=xxxxxxxxxxxxxxxxxxxxxxx
    
    IT Helpdesk | University of Maryland, Baltimore County.
    

Last week DoIT received several notifications of yet another part-time job scam arriving at email inboxes on our virtual campus.  The To: field has been removed from the example for reasons of privacy.

Over 200 members of the UMBC community received this particular message.  One of the reports also noted that a similar scam naming Corestaff Services appeared in 2018 in accounts at Brown University.  Brown posted a very detailed analysis of the message at: https://it.brown.edu/alerts/read/corestaff-phishing-email-anatomy-scam.

While this message doesn’t share all the issues of the one that went to Brown, it does raise some questions.

• Why would the message come from a gmail account rather than a corporate domain like corestaff.com?

• What kind of professional HR Manager uses an account called ‘blueeyedwelch’?

• Why do they want your alternate email address before they tell you anything else about the job?  They obviously have your UMBC address already.

• Why is there no web link or phone number for Corestaff Services anywhere in the message?

• “PART-TIME” and “PART TIME” will not set off your spell-checker.  “PARTTIME” is not a word.

When you get a message you were not expecting that asks you to provide information, please remember that all information has value. Even the simple fact that you are reading the email sent to your UMBC address has value.  If you send a response, even an angry or insulting one, you are giving the sender something of value.

Read once, think twice.  If you are unsure, please forward the message to security@umbc.edu.  It always helps if you include the headers, too. 

How do I forward full email headers?

(https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970)

A group called FIN7 has been using a novel method to target victims.  The attack is delivered through USPS mail, the kind that’s delivered into the real mailbox. 

The target gets a package in the postal mail containing a message that appears to be from Best Buy.  The package contains a letter thanking the victim for being such a good customer, a gift card and/or a teddy bear, and a USB stick supposedly containing a list of special gift items.  When the target inserts the USB into a Windows computer, a message pops up saying that the USB device has malfunctioned. The target may then take the stick out, throw it away, and play with the teddy bear.  By the time the device has been removed, it’s too late. This stick actually contains a USB keyboard emulator and has been injecting commands into the system. The computer has already downloaded a malicious script that is gathering information about the computer to send back through the Internet to its controller.  The script then also downloads more malware. 

This attack, unlike most purely IT-based attacks, costs the attackers some money for postage, USB camouflaged keyboards, gift cards, and teddy bears.  The FIN7 group has historically been attacking the commercial industries, so some investment is worth the chance of success.  

While it seems unlikely that UMBC will be a target, please do not use any USB stick, or anything that looks like a USB stick, unless you trust the source.  The best source is an unopened package that you bought yourself.

If you receive any USB devices that you are suspicious of or have any questions about strange computer related activity, please contact us at security@umbc.edu.

Links for more information:

• https://securityaffairs.co/wordpress/100661/cyber-crime/fin7-usb-teddy-bears-attacks.html

• https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/

On Monday, 4/13/2020, DoIT was notified by several members of the UMBC community about an e-mail message impersonating Dr. Scott Casper, Dean of the College of Arts, Humanities, and Social Sciences.  The messages appear to have been sent on 4/12/2020.

Investigation revealed that this message went to approximately 60 recipients. Based on the recipients, we suspect that the scammer collected email addresses and identifying information about Dr. Casper (e.g. Title, Photo, etc.) from the CAHSS website.  Then the scammer selected specific departments from that website and collected more addresses. Since there are still a lot of people in the College who have not received these messages, we request that people be alert when receiving strange-looking messages through e-mail or text.

The message appeared to be from Scott E Casper <casper.umbc@gmail.com>.

This is not actually a UMBC address, since it ends in “@gmail.com”, but a quick glance might not make the distinction.  At least one message had a Date field of Date: Sun, 12 Apr 2020 21:12:09 +0100. The timezone GMT+0100 is currently in Western and Central Europe and Western Africa, which is also suspicious.

The subject of the message was: Quick Request and the message itself was brief and vague: 

Available?

--

Scott E. Casper

Dean

Professor, History

College of Arts, Humanities, and Social Sciences

In two reported cases in which the recipients responded, they were asked to go to a grocery store and purchase E-bay gift cards.  One recipient received the request as a text message after providing a phone number. The text was sent from 585-532-5939.

A scam message (see below) was sent to about 80 UMBC email addresses on 4/15/2020.  It’s a variation of a scam job offer we saw a few months ago.  

It is NOT from Cisco Systems.  If you respond positively, you will get forms to fill in with lots of your personal and financial information which can be used to rip you off more effectively later.

Replying with a hostile response only lets them know they have a valid, active email address.  Don’t try to hurt their feelings. They really don’t care. This is a business to them. 

Cisco Systems may offer you a job someday, but this isn’t it.

The Division of Information Technology wants to know about suspicious job offers in order to warn the UMBC community.   Please report any offers like this by forwarding them to: security@umbc.edu. 

From: Candice Terrence <terrencandice@gmail.com>

Date: Wed, Apr 15, 2020 at 2:28 PM

Subject: WORK FROM HOME

To: 

Dear Student,

   We got your contact through your school database and I'm happy to inform you that our reputable company CISCO Systems® is currently running a student empowerment program. This program is completely school-oriented as it has been designed not to deter you from school and other activities which are before you and this organization. You are selected from your school database to partake in the ongoing program. This offer is a PART-TIME position accompanied by attractive weekly wages among all others and reasonable working hours per week.

TO PROCEED WITH THIS JOB OFFER, KINDLY REPLY THIS MAIL WITH YOUR PERSONAL E-MAIL ADDRESS TO RECEIVE THE FULL JOB DESCRIPTION/OFFER FOR THIS OPEN JOB POSITION

Best Regards,

Candice Terrence

HR Recruit Manager/Consultant

CISCO Systems®.

Yesterday morning, between 8:45am and 10:00am, several UMBC users received DocuSign messages offering access to a document called “News Update.pdf” with a button labeled “View Document Now”.  

The From address of the email “dse_docusign2@docusign.umbc.edu” was forged.  This message did not originate from the UMBC’s DocuSign system.  It is, however, an unusually good design for a phishing attack.

In the current work climate, it is easy to overlook unusual features of messages we get in our UMBC email inboxes.  We are also using tools, like Docusign, more than ever. There are people who will try to take advantage of that. While the source of this message is currently under investigation, DoIT wanted to share some of the key features of this message that raise suspicions about its origin.

Example of Malicious DocuSign Forgery:

In the example above there are some tell-tale signs that should raise suspicions.  

• The message begins with the salutation “DocuSign,” and is from “The DocuSign Team”.  They seem to be addressing themselves.

• There is no “DocuSign Team”.  DocuSign notifications are from UMBC staff.

• The From: header in the upper left says “dse_docusign2@docusign.umbc.edu”.  In an actual docusign message, that header would be something like “Andy Johnston via DocuSign <dse_na2@docusign.net>”

• DocuSign message subjects normally start with the words “Please DocuSign”.  This one does not.

• The point of DocuSign is to be able to verify, by signing, that you have received a document.  There is no reason to do that for a news update. UMBC News is sent out in regular email messages.

Did You Click on the Button?

If you are one of the people who got this message and clicked on the button, you should have gotten this message: