NJCCIC Weekly Bulletin | November 21, 2018

THE WEEKLY BULLETIN
November 21, 2018
TLP: WHITE

Garden State Cyber Threat Highlights

Providing our members with a weekly insight into the threats and malicious activity directly targeting New Jersey networks.

Beware of Thanksgiving-Themed Scams Attempting to Gobble Gobble Up Your Bank Account

Emotet Campaign Message. Image Source: Proofpoint
The NJCCIC is warning members of various Thanksgiving Day-related scams targeting New Jersey residents and agencies. In recent reports, spoofed emails were sent appearing to originate from legitimate organizations and contained the subject line “Thanksgiving eCard.” Additionally, an Emotet banking trojan campaign was observed using Thanksgiving lures, such as the subject lines “Happy Thanksgiving Day Greeting Message” and “Thanksgiving Day Card.” As malicious actors commonly leverage public interest during the holiday season to conduct financial fraud and disseminate malware, we recommend exercising caution with unexpected or unsolicited emails, especially those with a Thanksgiving Day theme. The NJCCIC recommends informing coworkers, friends, family, and neighbors – especially senior citizens – about these types of scams to prevent further victimization. Users who receive unexpected or unsolicited email requests from known senders inviting them to click on a link or open an attachment should always verify the sender via another means of communication before taking any action.

Extortion Campaigns Rampant Throughout the State

The NJCCIC has observed a noticeable increase in incident reports submitted by individuals throughout New Jersey who were targeted with emails meant to extort them out of thousands of dollars. Extortion scams have been around for years; however, recent techniques serve to convince victims of their legitimacy. In initial reports, perpetrators sent emails to victims claiming they had compromised the user’s computer and used their webcam to record them visiting adult content websites. The perpetrator then demands that a large ransom payment in the form of bitcoin be sent within a set timeframe or they will release the video to the victim’s contacts. To convince victims of the email’s validity, the perpetrators include one of the victim’s legitimate passwords. These passwords were likely taken from previous breaches in which this information was exposed and not as a result of compromising the recipient’s device. Shortly after the emergence of this campaign, additional extortion scams began targeting users with phishing emails that included the user’s partial phone number or that appeared to come from the recipient’s own email account. Both of these campaigns also claimed to have compromised the recipient’s device or email account and demanded a ransom payment be made in bitcoin. It is important to note that the perpetrators of these scams have not actually compromised users’ accounts or devices, but are believed to be leveraging past data breaches or employing spoofing to make their threats appear credible. The NJCCIC recommends users educate themselves and others on this and similar scams to prevent future victimization. Additionally, organizations are advised to implement Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) to help detect and prevent email spoofing.
Cyber incidents may be reported to the NJCCIC via our incident reporting page and to the FBI’s Internet Crime Complaint Center (IC3) via their website.
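A defender-side illustration of the DMARC/SPF/DKIM recommendation above, as an added example that is not part of the bulletin: a minimal DMARC evaluator run over two constructed messages, one genuine notice and one extortion email forged to appear to come from the recipient’s own address. The domain example.org, its DMARC record, and the SPF/DKIM results are all assumed sample data.

```python
import re

# Constructed sample: the DMARC record the defending organization publishes
# at _dmarc.example.org (hypothetical domain; not taken from the bulletin).
DMARC_RECORDS = {
    "example.org": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.org",
}

def parse_dmarc(record):
    """Split a DMARC TXT record into tag/value pairs, applying RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip()] = v.strip()
    return {"p": tags.get("p", "none"), "adkim": tags.get("adkim", "r"), "aspf": tags.get("aspf", "r")}

def org_domain(domain):
    """Simplified organizational domain (last two labels); production code uses the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(from_header, spf, dkim):
    """Return (disposition, reason). spf = (result, MAIL FROM domain); dkim = (result, d= domain)."""
    from_domain = re.search(r"@([\w.-]+)", from_header).group(1)
    record = DMARC_RECORDS.get(from_domain) or DMARC_RECORDS.get(org_domain(from_domain))
    if record is None:
        return "none", "no DMARC policy published for " + from_domain
    pol = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], pol["aspf"])
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], pol["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "aligned %s passed" % ("DKIM" if dkim_ok else "SPF")
    return pol["p"], "no aligned authentication; applying p=" + pol["p"]

# Constructed messages: a real notice from the org's mail system, and an extortion
# email forged so the From: header shows the recipient's own address.
LEGIT = ("Mail System <noreply@example.org>", ("pass", "mail.example.org"), ("pass", "example.org"))
SPOOF = ("jdoe@example.org", ("fail", "bulkmailer.example.net"), ("none", ""))

if __name__ == "__main__":
    for label, msg in (("legit", LEGIT), ("spoof", SPOOF)):
        print(label, evaluate(*msg))
```

Without a published policy (the third case in the test) the receiver has nothing to enforce, which is why the bulletin’s advice starts with publishing the records.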

Announcement
 

Stay Cyber Safe this Holiday Season

The holiday shopping season is one of the most attractive times of the year for cyber criminals and scammers to take advantage of eager shoppers. The NJCCIC has compiled a list of common scams, tips, and best practices to assist all of our members in staying safe while shopping in stores and online. The NJCCIC recommends our members review the latest Be Sure to Secure post here to reduce risk and keep personal and financial information secure this holiday season.

Threat Alerts
 

Tech-Support Scam Claims Facebook Account Has Been Hacked

A newly discovered tech-support scam tricks victims into contacting a fraudulent Facebook Support Team by claiming their account may be hacked. This scheme utilizes Facebook’s Sharer dialog, commonly used by website owners to distribute content on Facebook, to display a warning that informs users of suspicious activity observed on their page. The message then directs victims to contact the Facebook Support Team via phone in order to restore access to their account. If users call the provided number, they are connected with a representative posing as “Facebook Support” who requests to remotely connect to the caller’s computer. The NJCCIC recommends never granting remote access at the request of an unsolicited pop-up message or notification on your computer. If you have installed remote access software onto your system at the request of these or other malicious actors, we recommend uninstalling it immediately and performing a full system scan using a reputable and up-to-date anti-virus/anti-malware solution. Users who may have been affected by this scam are also advised to proactively monitor accounts for suspicious activity.

Suspected APT29 Phishing Campaign Targets Multiple Industries

DOS Decoy Document. Image Source: FireEye
According to analysis by cybersecurity firm FireEye, a recent phishing campaign targeting multiple government and critical infrastructure sector entities may be attributed to APT29, a known advanced persistent threat group. First detected on November 14, the phishing emails appear to come from a public affairs official at the US Department of State (DOS) and include a link to a ZIP archive containing a malicious Windows shortcut file that delivers the Cobalt Strike Beacon backdoor and a US DOS decoy document. The actors are believed to have compromised the email server of a hospital and the website of a consulting firm to use as their infrastructure for sending the phishing emails. Targeted industries include defense contractors, imagery, law enforcement, media, national government, pharmaceuticals, think tanks, transportation, and the US military. The NJCCIC recommends those that may be considered high-value targets for APT operations review the FireEye report for technical details; tactics, techniques, and procedures (TTPs); and associated indicators of compromise (IOCs). Organizations are advised to educate end users on this and similar threats; implement a defense-in-depth cybersecurity strategy; employ the Principle of Least Privilege; and keep anti-virus/anti-malware, hardware, and software updated.

AMP for WP Plugin Flaw Exploited to Install Backdoors and Create Admin Accounts

WordPress developer Sybre Waaijer discovered a vulnerability in the AMP for WP WordPress plugin that could allow any user registered on the site, including those registered only to post comments, to escalate privileges and gain administrative access, acquiring the ability to download and read files, upload files, update plugin settings, inject content into posts, and more. The flaw exists due to inadequate security checks on administrative functions. Threat actors are currently conducting cross-site scripting (XSS) attacks targeting the flaw to install backdoors and create administrative accounts on vulnerable WordPress sites. The AMP for WP plugin is used to convert WordPress posts into Google’s Accelerated Mobile Pages format, allowing pages to load faster in mobile browsers. The NJCCIC recommends users of the AMP for WP plugin review the BleepingComputer article and immediately update to 0.9.97.20 or later.

Vulnerability Advisory
 

Two Flaws in Gmail Could Be Used in Phishing Attacks

Software developer Tim Cotten found two bugs in Gmail that could help attackers craft convincing phishing emails. The first, disclosed on November 13, allows an actor to place an arbitrary email address in the sender field. This could be used in email spoofing attacks to convince the end user that an email is coming from a trusted source. The second, disclosed on November 16, allows an actor to replace some text with a tag that causes the user interface to leave a blank space where the sender’s email address should be. This could be used to send phony account alerts to end users, prompting them to click on a malicious link or attachment. The NJCCIC recommends Gmail users review Cotten’s blog posts on these flaws, available here and here, and educate end users on this and similar phishing threats, reminding them never to click on links or open attachments delivered with unexpected or unsolicited emails, including those from known senders.

Threat Profiles
 
Android: No new or updated variants were added.
Botnet: No new or updated botnets were added.
Cryptocurrency-Mining: No new or updated variants were added.
Exploit Kit: No new or updated exploit kits were added.
Industrial Control Systems: No new or updated variants were added.
iOS: No new or updated variants were added.
macOS: No new or updated variants were added.
Point-of-Sale: No new or updated variants were added.
Ransomware: Two updated variants: CrySiS, Matrix.
Trojan: One new variant: Cannon. One updated variant: TrickBot.

ICS-CERT Advisories
 
Patch Alerts
 
Throwback Thursday
 
Threat Analysis
Be Sure to Secure

Social Engineering Awareness
What Scams Shoppers Should Look Out For on Black Friday and Cyber Monday
Comment: The holiday shopping season is one of the most attractive times of the year for money-hungry criminals and fraudsters to take advantage of eager shoppers and unsuspecting victims. With Black Friday, Cyber Monday, and the rest of the holiday shopping season upon us, criminals have crafted a range of malicious apps designed to infect devices with malware and capture sensitive information. To reduce your risk of falling victim to these and similar schemes, exercise caution before downloading apps onto your device, even those available in official app stores, be sure to review the app’s ratings and reviews, and refrain from granting apps unnecessary permissions.

Cyber at a Glance
Notification Services Can Let You Know About Deliveries to Stem Package Pirates
Comment: Stealing packages from doorsteps has been a longtime tactic for criminals, especially during the holiday season. Many delivery services, including USPS, FedEx, Amazon, and UPS, offer delivery notifications that let users track purchases to get ahead of potential crooks. However, threat actors are exploiting the same services by supplying customer names and addresses to create fake accounts and intercept the notifications. In the case of USPS, users can either sign up for the service or request that no account be authorized to receive notifications for their address. The NJCCIC highly recommends keeping an eye on all your package deliveries this season and signing up for delivery alerts where available.

Questions?

Email a Cyber Liaison Officer at njccic@cyber.nj.gov.
 
The Weekly Bulletin aggregates information about cyber threats, vulnerabilities, and other resources to promote shared awareness and the adoption of best practices. Designed for a general audience, the Bulletin aims to bridge the information sharing gaps between all levels of government, the private sector, and our citizens.
