From bmccrary at osrhe.edu Mon Apr 3 12:24:03 2017
From: bmccrary at osrhe.edu (McCrary, Barbara)
Date: Mon, 3 Apr 2017 17:24:03 +0000
Subject: [CyberSecurity] Important - very mature ransomware malware circulating - please alert your campuses
Message-ID: <11DA9FF21E49954C8158B1AC109F8FC75200C396@Bellini.lan.ogslp.org>

All

A phishing campaign against .edu and other non-profit organizations is underway. The email looks different every time, but they all have the characteristics of this one. These emails contain ransomware and your users should be alerted as strongly and often as you can about this.

It looks like:

Subject: Good afternoon

Howdy

I visited your website yesterday.. I'm currently looking for employment either full time or as a intern to get experience in the job fiield. Please review my CV and let me know what you think.

Respectfully yours,
--
Sherrie Hart

This one has a malicious attachment named CV.doc. This ransomware is called Cerber and here is what MBAM says about it.

https://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/

The phishing emails, even though they may differ somewhat, resemble this one and have an attachment. When the user opens the email it infects the PC and possibly network shares with ransomware. Please warn your users and take all necessary precautions to protect your assets.

Best,
Barbara McCrary

From bmccrary at osrhe.edu Mon Apr 10 09:50:09 2017
From: bmccrary at osrhe.edu (McCrary, Barbara)
Date: Mon, 10 Apr 2017 14:50:09 +0000
Subject: [CyberSecurity] Increased Levels of Data Breaches Driven by W-2 Phishing Scam
Message-ID: <11DA9FF21E49954C8158B1AC109F8FC75201464E@Bellini.lan.ogslp.org>

Thank you for being a part of OneNet's cybersecurity listserv. Please share our listserv information with those in your organization who can benefit by receiving this information. Just have them subscribe by sending their request to communications at onenet.net. If you have cybersecurity information to share with the OneNet community, please do not hesitate to post by sending your responses or posts to cybersecurity at lists.onenet.net.

The following information is from the MS-ISAC on W-2 phishing scams and Business Email Compromise scams. It is especially important for our K12 schools.

Due to the substantial increase in W-2 phishing scams, the number of reported data breaches in the first quarter of 2017 already exceeds 80 percent of the total number of data breaches reported in 2016. Based on the 2016 pattern, the MS-ISAC expects that this scam will decrease in frequency but continue to occasionally target state, local, tribal and territorial (SLTT) governments after April 2017.

* In 2016, the MS-ISAC identified 68 data breaches, seven of which were related to the W-2 phishing scam.
* In the first quarter of 2017, the MS-ISAC has already identified 55 data breaches, 37 of which were related to the W-2 phishing scam.

Of note, K12 schools accounted for 54 percent of reported phishing-related data breaches in 2017 to date.

The MS-ISAC has identified several other variants of BEC scams targeting SLTT, including the variant where the impersonated or compromised senior executive account requests that a wire transfer be issued. These variants do not result in data breaches, but are worth noting as any training or awareness activities should include the wire transfer variant. Key indicators of BEC scams include short, poorly written messages purportedly from smartphones, spoofed email addresses, requests made when the executive is out of the office, and unusual requests.

Best,
Barbara McCrary
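
The BEC indicators listed in the message above can be checked mechanically on inbound mail. The following is an added example, not part of the original post or of MS-ISAC guidance: the domain, executive name, threshold of 40 words and both sample messages are constructed assumptions, and the "executive is out of the office" indicator is left out because it needs calendar data.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions (hypothetical values): the organization's mail domain and the
# names of executives whose identity a BEC message would borrow.
ORG_DOMAIN = "district.example"
EXECUTIVES = {"pat morgan"}

REQUEST_RE = re.compile(r"\bw-?2s?\b|wire transfer", re.I)
MOBILE_RE = re.compile(r"sent from my (iphone|ipad|android|phone)", re.I)

def _domain(header_value):
    """Return the lower-cased domain of an address header, or ''."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def bec_indicators(raw):
    """List the BEC indicators found in one plain-text, single-part message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    name = parseaddr(msg.get("From", ""))[0].lower()
    from_dom, reply_dom = _domain(msg.get("From")), _domain(msg.get("Reply-To"))
    found = []
    if name in EXECUTIVES and from_dom != ORG_DOMAIN:
        found.append("executive_name_external_address")
    if reply_dom and reply_dom != from_dom:
        found.append("reply_to_mismatch")
    if REQUEST_RE.search(body):
        found.append("w2_or_wire_request")
    if MOBILE_RE.search(body):
        found.append("smartphone_signature")
    if len(body.split()) < 40:
        found.append("short_message")
    return found

# Constructed sample messages (not real traffic).
SUSPECT = (
    'From: "Pat Morgan" <pat.morgan@district-example.test>\n'
    "Reply-To: pm.office@mailbox.test\n"
    "To: payroll@district.example\n"
    "Subject: quick request\n\n"
    "I need copies of all employee W2 forms for 2016 asap. Send as pdf.\n\n"
    "Sent from my iPhone\n"
)
ROUTINE = (
    'From: "Pat Morgan" <pat.morgan@district.example>\n'
    "To: staff@district.example\n"
    "Subject: Board agenda\n\n" + "Agenda item attached for review. " * 10
)

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("routine", ROUTINE)):
        print(label, bec_indicators(raw))
```

No single indicator is conclusive; a message that trips several, as the constructed suspect does, is the one to hold for out-of-band confirmation with the named executive.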