Showing posts with label scam. Show all posts

Sunday, December 8, 2019

Avoid Online Scams this Holiday Season!

The holidays are a time of large online spending. Approximately 60% of people in the U.S.A. prefer to buy their holiday gifts online. [1] Because so much of spending during the holiday season is done online, malicious people take the opportunity to scam and steal. That is why it is important to maintain a safe and cautious approach while online shopping.


Let's identify the different types of scams that you should keep an eye out for:

Fake online shops

As the retail rush ramps up, fake online stores pop up to prey on our desire for a bargain. Sometimes, these sites will be poorly designed, but the scammers are betting that, in the festive rush, enough people will be too distracted to be able to tell the difference between these sites and legitimate “pop-up” shops. When shopping on sites such as Amazon, be sure to check who the seller is. Not all items on Amazon are sold by Amazon. Some sellers may be third party or individual sellers, so be sure to check their reputation if the item is not sold by Amazon.
Tip: Look for online reviews and think about phoning the contact number. If there isn’t one, this could be a warning sign.

Charity phishing

Scammers know that many people feel charitable at this time of year and so they target your good will. They may send emails from a bogus charity or ones that purport to come from a legitimate charity but contain a link to a scam site.
Tip: If you want to give to good causes during the holidays, go through the charity in question’s own site.

Fake delivery emails

In the run-up to the holidays, many people have dozens of packages arriving and often lose track of what they’ve ordered. Scammers know this and send out emails that purport to come from legitimate courier companies. These ask recipients to click on a link. When they do, they download malware or are taken to a scam site.
Tip: Check the sender’s address to ensure it is a legitimate company and go to the company’s own website to track orders.

Wish list scams

Wish lists are a way for people to post what gifts they want online. However, these are often easy for anyone to view and, for a fraudster, can be a goldmine. Such lists often contain personal information and this makes the list owner vulnerable to identity theft. Cyber-criminals can also use items on the list for targeted phishing scams.
Tip: Ensure the privacy settings on any online lists are set to high.

E-voucher scams

These are often shared on social media or email and claim to offer free vouchers from well-known brands. Potential victims are told that, to claim a voucher, all they need to do is click on a link. This can take them to a fake site where they will be asked for their details.
Tip: Look out for poor grammar and, if in any doubt, check the voucher by emailing the shop.

Social media scams

Scammers use social media to tempt people with irresistibly good deals on goods such as electronics and jewelry. The social networks are also a place where links to phishing sites and malware can be widely shared. Scammers may even be “friends” of real friends of yours who say yes to every connection request.
Tip: The best defense here is not to click on links that look even remotely suspicious.



[1] Christmas Spending Statistics

Partially reposted from Six Scams to Look Out for this Christmas

Tuesday, December 3, 2019

Phishing Scam Currently Circulating

ITS is investigating a phishing scam that is currently circulating.  If you receive the message, please mark it as SPAM and do not click any links.  If you did click on any links in the message, please notify its@manhattan.edu immediately and follow these instructions to clean your account.

Below are the contents of the message:
Date: Tue, Dec 3, 2019 at 9:47 AM
Subject: We Disable your JasperNET
To:


If уоu оwn the аccоunt, уоu cаn гequeѕt аcceѕѕ tо it аgаin. уоuг аccоunt
will be гeаctivаted if уоu ѕign in belоw within 2 dауѕ

https://webauth.manhattan.edu/U?9495 <http://926.charbonneaucommunity.com/>
Yоu'll lоѕe аcceѕѕ tо аll оf уоuг dаtа аnd cоntent like уоuг emаilѕ аnd
emаil fоldeгѕ if уоu dо nоt гeаctivаte.

Friday, May 24, 2019

Scam Emails from "manhattan.edu@gmail.com" Accounts Today

We have received several reports of scam emails being sent to the campus community today from accounts ending in "manhattan.edu@gmail.com".  These are scams and should be disregarded.  Luckily, in all the reported incidents, community members quickly recognized it as a scam.  We appreciate these being reported and the vigilance that the community has shown today.

Example of how these emails look: john.doemanhattan.edu@gmail.com

Please continue to report suspicious emails at its@manhattan.edu

Don't click the link or any attachments.
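
The two lures above leave checkable traces: the December 3 message mixes Cyrillic look-alike letters into Latin words and displays a manhattan.edu address in front of a different link target, and the May 24 senders put the college domain inside the local part of a Gmail address. The Python below is an added example, not ITS tooling; the function names are hypothetical and the sample body is constructed to mirror the quoted message.

```python
import re
import unicodedata
from urllib.parse import urlparse

ORG_DOMAIN = "manhattan.edu"  # institution domain, as used in the posts

# Constructed sample mirroring the quoted message; \u0443, \u043e and \u0430
# are Cyrillic letters that render like Latin y, o and a.
SAMPLE_BODY = (
    "If \u0443\u043eu \u043ewn the \u0430cc\u043eunt\n"
    "https://webauth.manhattan.edu/U?9495 <http://926.charbonneaucommunity.com/>\n"
)

def scripts_in(word):
    """Scripts used by the letters of a word (first token of each Unicode name)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in word if ch.isalpha()}

def mixed_script_words(text):
    """Words that mix scripts, e.g. LATIN with CYRILLIC (homoglyph substitution)."""
    return [w for w in re.findall(r"\w+", text) if len(scripts_in(w)) > 1]

# Plain-text mail renders a link as: displayed-url <real-target>
LINK_RE = re.compile(r"(https?://\S+)\s*<(https?://[^>\s]+)>")

def mismatched_links(text):
    """(shown host, real host) pairs where the displayed URL and the target disagree."""
    pairs = []
    for shown, target in LINK_RE.findall(text):
        shown_host = urlparse(shown).hostname
        real_host = urlparse(target).hostname
        if shown_host != real_host:
            pairs.append((shown_host, real_host))
    return pairs

def lookalike_sender(address, org_domain=ORG_DOMAIN):
    """True when the org domain sits in the local part but the mail domain is another one."""
    local, _, domain = address.lower().rpartition("@")
    inside_org = domain == org_domain or domain.endswith("." + org_domain)
    return org_domain in local and not inside_org

def triage(sender, body):
    """Collect human-readable findings for one message."""
    findings = []
    if lookalike_sender(sender):
        findings.append("sender embeds the org domain in its local part")
    words = mixed_script_words(body)
    if words:
        findings.append(f"{len(words)} mixed-script word(s)")
    for shown, real in mismatched_links(body):
        findings.append(f"link shows {shown} but targets {real}")
    return findings

if __name__ == "__main__":
    for finding in triage("john.doemanhattan.edu@gmail.com", SAMPLE_BODY):
        print(finding)
```
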


Tuesday, July 24, 2018

Extortion emails incoming!

Please be aware that extortion emails that include a hacked password are being reported. These messages will use the subject line to catch your attention by including your username along with a hacked password.
The extortion message follows a template.
I do know blahblahpassword is your password. Lets get directly to the point. You do not know me and you're most likely thinking why you're getting this mail? None has paid me to check about you.
Well, I setup a software on the porn site and do you know what, you visited this site to have fun (you know what I mean). When you were viewing videos, your web browser began functioning as a Remote Desktop that has a keylogger which provided me accessibility to your screen and web cam. Just after that, my software obtained all your contacts from your Messenger, social networks, and email.
You have just two choices. Let us read these types of options in particulars:
Very first solution is to skip this message. In this case, I most certainly will send your very own video clip to almost all of your contacts and thus just think concerning the disgrace you will get. Moreover if you happen to be in a relationship, exactly how it is going to affect?
Second alternative will be to give me $7000. I will think of it as a donation. As a consequence, I most certainly will quickly discard your video footage. You could resume your daily life like this never occurred and you surely will never hear back again from me.
You will make the payment through Bitcoin (if you don't know this, search "how to buy bitcoin" in Google search engine).
Should you are planning on going to the cop, anyway, this email message can not be traced back to me. I have covered my actions. I am just not looking to charge a fee so much, I just want to be compensated. You have one day in order to make the payment. I've a unique pixel within this mail, and now I know that you have read this email message. If I do not receive the BitCoins, I will certainly send your video to all of your contacts including close relatives, colleagues, and so on. Nonetheless, if I receive the payment, I'll destroy the recording right away. If you need evidence, reply Yea and I will certainly send your video to your 7 contacts. It is a non-negotiable offer, therefore please do not waste my personal time & yours by responding to this email.





By including a valid password, the extortionist aims to establish legitimacy. A few of the details are technically possible, such as an RDP attack or recording from the webcam.
If the extortionist had done any of this, then they would name the specific porn site or provide images from the webcam.
If you receive this message, please do the following:
  • immediately change your password for any site where you used the hacked password;
  • send its@manhattan.edu the extortion message including the full headers using these directions;
  • and, sign up for data breach notifications at haveibeenpwned.com by clicking the "Notify me" link at the top of the page.
Additionally, if you receive this type of message, you can report it to the FBI using the Internet Crime Complaint Center website.
Thankfully, this appears to be an automated message using email addresses and hacked passwords. But if the extortionists were assiduous, then they would include pictures from social media accounts or from friends' social media accounts.
Sextortion is a horrible crime. The FBI's sextortion news page shows a sample of how awful it can be. If a loved one is a victim of sextortion, please report it to the FBI at 1-800-CALL-FBI (1-800-225-5324).






Thursday, July 20, 2017

Money Wiring Scam Circulating Today

Please ignore the Money Wiring scam that circulated today. The purpose of scams like these is simply to steal your hard-earned money. The scammer will hijack the account of someone you know or will make an email that looks like it comes from someone you know. The person will tell you a story of woe and about how you are the only one who can help by sending them money.

Here is the text of the email that circulated today:

"I am having such a frustrating ordeal right now. Am In Manila Philippines to see my cousin who has an inflamed gall bladder..She's having a surgery today, because her condition now is very serious.I really need to take care of this now but my credit card can't work here. I traveled with little money due to the short time I had to prepare for this trip and never expected things to be the way it is right now. I need a loan of $1,200  USD from you and I’ll reimburse you once I get back home, I promise! I will really appreciate whatever amount you can come up with, if not all get back to me. I'll advise on how to transfer it.

Please let me know if I can count on you.
Best regards,"

Thursday, November 6, 2014

Phishing attacks on the Rise

Manhattan College ITS has seen a rising trend in the number and complexity of phishing attacks reported.  To raise awareness of this alarming trend, the following information is being reposted from the Google Online Security Blog.

A recent poll in the U.S. showed that more people are concerned about being hacked than having their house robbed. That’s why we continue to work hard to keep Google accounts secure. Our defenses keep most bad actors out, and we’ve reduced hijackings by more than 99% over the last few years.

We monitor many potential threats, from mass hijackings (typically used to send lots of spam) to state-sponsored attacks (highly targeted, often with political motivations).

This week, we’re releasing a study of another kind of threat we’ve dubbed “manual hijacking,” in which professional attackers spend considerable time exploiting a single victim’s account, often causing financial losses. Even though they’re rare—9 incidents per million users per day—they’re often severe, and studying this type of hijacker has helped us improve our defenses against all types of hijacking.

Manual hijackers often get into accounts through phishing: sending deceptive messages meant to trick you into handing over your username, password, and other personal info. For this study, we analyzed several sources of phishing messages and websites, observing both how hijackers operate and what sensitive information they seek out once they gain control of an account. Here are some of our findings:

  • Simple but dangerous: Most of us think we’re too smart to fall for phishing, but our research found some fake websites worked a whopping 45% of the time. On average, people visiting the fake pages submitted their info 14% of the time, and even the most obviously fake sites still managed to deceive 3% of people. Considering that an attacker can send out millions of messages, these success rates are nothing to sneeze at.
  • Quick and thorough: Around 20% of hijacked accounts are accessed within 30 minutes of a hacker obtaining the login info. Once they’ve broken into an account they want to exploit, hijackers spend more than 20 minutes inside, often changing the password to lock out the true owner, searching for other account details (like your bank, or social media accounts), and scamming new victims.
  • Personalized and targeted: Hijackers then send phishing emails from the victim’s account to everyone in his or her address book. Since your friends and family think the email comes from you, these emails can be very effective. People in the contact list of hijacked accounts are 36 times more likely to be hijacked themselves. 
  • Learning fast: Hijackers quickly change their tactics to adapt to new security measures. For example, after we started asking people to answer questions (like “which city do you login from most often?”) when logging in from a suspicious location or device, hijackers almost immediately started phishing for the answers.

We’ve used the findings from this study, along with our ongoing research efforts, to improve the many account security systems we have in place. But we can use your help too.

  • Stay vigilant: Gmail blocks the vast majority of spam and phishing emails, but be wary of messages asking for login information or other personal data. Never reply to these messages; instead, report them to us. When in doubt, visit websites directly (not through a link in an email) to review or update account information.
  • Get your account back fast: If your account is ever at risk, it’s important that we have a way to get in touch with you and confirm your ownership. That’s why we strongly recommend you provide a backup phone number or a secondary email address (but make sure that email account uses a strong password and is kept up to date so it’s not released due to inactivity).
  • 2-step verification: Our free 2-step verification service provides an extra layer of security against all types of account hijacking. In addition to your password, you’ll use your phone to prove you’re really you. We also recently added an option to log in with a physical USB device.

Take a few minutes and visit the Secure Your Account page, where you can make sure we’ve got backup contact info for you and confirm that your other security settings are up to date.

Posted by Elie Bursztein, Anti-Abuse Research Lead

Reposted from the Google Online Security Blog:  http://googleonlinesecurity.blogspot.com/2014/11/behind-enemy-lines-in-our-war-against.html

Friday, April 11, 2014

Heartbleed Bug

The following is an update to the Manhattan College community regarding the recently discovered Heartbleed software bug - http://heartbleed.com/

ITS has been working with our software vendors to investigate our exposure to the recently identified Heartbleed bug that affects OpenSSL software - one of the most common cryptographic libraries used to secure Internet communications such as secure websites (via https://) and VPNs.

The majority of our "production" systems, such as www.manhattan.edu, Banner, self-service, SSO, Moodle, etc., were never vulnerable to the flaw based on the version of software installed on these systems. Some "test" systems with limited access were vulnerable, but were patched by Tuesday AM. Additionally, ITS is taking preventative measures to update software and configurations on all systems running OpenSSL cryptographic software as a precaution.


What do I need to do?  Be aware of scams!

In the coming days, you may be notified by various services related to your social media, banking, or other accounts potentially affected by the Heartbleed bug.  Take these notifications seriously and consider changing your password on these services.   Currently, no action is required for your JasperNet account.  If this changes, the campus community will be notified.

Be aware of scams!  With the legitimate notices will come "phishing" scams from illegitimate sources asking for your username, password and/or other personal information.  ALWAYS verify the legitimacy of these types of messages and NEVER give your password or personal information unless you are certain that you are dealing with a trusted service.  Tips on how to avoid phishing scams can be found here:  http://www.phishing.org/scams/prevent-phishing/

Tuesday, February 11, 2014

Phishing Emails

This is a reminder that Manhattan College ITS will never ask you for your username and password. There is another round of Phishing Scams making their way around the internet.  We felt it would be a good time to remind people to be wary of these emails.

How to tell if the email is real or phishing:


  • Is the email signed by a generic entity?  Can you truly identify specifically who the email is from?  Emails from Manhattan College ITS will typically be signed "Client Services" or "Manhattan College ITS".
  • How is the email written?  Does the email contain grammar and spelling mistakes?
  • Does the email seem legitimate?  Sometimes just reading the email, it feels funny in your gut.
  • Does the email ask you for personal information?  Manhattan College ITS will not ask you for personal information via email.
Please use this information not only regarding your Manhattan College account, but also for your bank account and other personal account information.

If you receive any unsolicited email or phone call from an entity, including an entity you recognize, proceed with caution. Your best bet is almost always to hang up and then call the entity at a known number to verify the legitimacy of the communication that was made to you. You're better off safe than sorry.

What should you do if you have fallen victim to a phishing scam?

Depending on the type of information that you provided the steps vary:
  • If a username and password were provided, immediately log in and change your password.
  • If personal account information (a bank account, credit card information, social security number, etc.) was provided, immediately contact those institutions to let them know what happened.
If you receive an email identifying itself as Manhattan College ITS and you are not sure if it is real or not, feel free to forward the email to its@manhattan.edu for verification.

Wednesday, November 6, 2013

Phishing Scams

We have received a couple of reports of phishing scam emails being received by users on campus today.  Remember that ITS will never ask you for your username or password.  Emails asking you for such information are fraudulent and should be deleted.  If you did submit your password information to one of these emails it is recommended that you change your password as quickly as possible.

Friday, August 23, 2013

Beware of Phishing Scams

It was brought to the attention of ITS by multiple employees yesterday that a phishing scam email was circulating.  A phishing scam is when the email tries to scare you into clicking a malicious link by telling you that your account will be disabled or you will run out of space if you do not take action.

If you ever receive an email such as this, you should carefully consider its validity before taking any action. The appropriate course of action is to contact the valid entity via a valid form of communication. In the case of Manhattan College ITS, this would be to either call x7973 or email its@manhattan.edu and inform them that you received such an email. Remember that Manhattan College ITS will never ask you for your username and password. Whenever any entity asks you for any personal information, always take caution before revealing such information. In emails, always take caution before clicking on any link.