August 29, 2024
August 8, 2024
June 13, 2024
May 9, 2024
March 28, 2024
September 21, 2023
August 24, 2023
July, 27, 2023
July 20, 2023
June 29, 2023
June 22, 2023
May 18, 2023
May 11, 2023
May 10, 2023
April 20, 2023
The NJCCIC received reports of a spearphishing campaign targeting the education subsector and masquerading as New Jersey State Compliance training. Observed activity correlates with blocked emails sent to New Jersey State employees and similar reports to State Fusion Centers across the United States. In one of the campaigns, a compromised email account of a school district employee was used to send fraudulent training compliance notifications. In attempts to appear legitimate and authoritative, the body of the email contained a signature block that included “The office of Equal Opportunity and Access and Ethics Office,” which is the incorrect New Jersey division title of The Office of Equal Employment Opportunity, Affirmative Action (EEO/AA).
The email contains additional red flags and typical verbiage to instill a sense of urgency and fear if the recipient does not comply with the requested action. The email text claims that the training must be completed within 24 hours, further stating that failure to complete the training may result in administrative fines, disciplinary action, and reporting to the applicable state agency. In one example, the email states that the non-descript employee must complete the training defined in the Mandatory Training Policy 3364-25-127, an Ohio administrative code. All included links directed the user to a now-defunct website, vvv[.]geopolisgis[.]gr/admin/video/subUrban_Planning/bid/login[.]php, limiting analysis of intent.
The NJCCIC advises against clicking on links in unexpected emails from unverified senders. Users are urged to confirm unusual requests to complete training with your organization’s compliance officer or HR representative. Additionally, users are encouraged to verify a website’s validity before entering account information and remain cautious even if messages claim to come from legitimate sources. If account credentials are submitted on a fraudulent website, users are advised to change their password, enable multi-factor authentication (MFA), and notify IT security personnel. Phishing emails and other malicious cyber activity can be reported to the NJCCIC and the FBI’s IC3.
March 16, 2023
March 9, 2023
December 15, 2022
November 10, 2022
September 22, 2022
August 25, 2022
June 9, 2022
June 2, 2022
March 11, 2022
February 4, 2022
Document - Protecting Your myNewJersey Accounts
January 20, 2022
January 11, 2022
January 5, 2022
October 21, 2021
October 12, 2021
September 30, 2021
Image Source: Malwarebytes
Threat actors are spoofing real phones numbers of trusted entities to send convincing and urgent security alerts via SMS text messages. For example, a fraudulent Uber security alert is sent spoofing Uber’s real phone number and, therefore, appears in the same conversation thread as the previous, legitimate Uber messages. A link sent in the message includes the word “uber;” however, the domain name was only recently created, is hosted in a different country, and is not the official Uber domain name uber[.]com. To reset the password, the link directs the user to a fraudulent site containing convincing Uber branding and several pages to navigate through to verify one’s identity and enter both personal and financial information, including credit card and bank account details. Once information is entered, the user is redirected to the real Uber website without actually verifying their identity.
The NJCCIC recommends users and organizations educate themselves and others on these continuing threats and tactics to reduce victimization. Users are advised to refrain from clicking links delivered in SMS text messages and, instead, navigate directly to the official corresponding website. If you are unsure of the legitimacy of the message, contact the sender via a separate means of communication—by phone or in person—before taking any action. Additional details of this scam can be found in the Malwarebytes blog post. For additional information and recommendations, please review the NJCCIC Products, Increase in SMS Text Phishing and Impersonation Scams.
September 2, 2021
August 12, 2021
August 5, 2021
Published September 2020
May 5, 2020
January 21, 2020
November 19, 2019
The NJCCIC continues to observe phishing campaigns attempting to steal credentials associated with online business services, including DocuSign, Amazon, and LinkedIn. These phishing emails contain HTML attachments or URLs leading to fraudulent account login pages designed to steal users’ login credentials. DocuSign phishing emails direct users to a site that prompts them to log in in order to view a protected document. Amazon and LinkedIn phishing emails request users to update their account information by directing them to fraudulent login pages. Stolen Amazon credentials can be used to make fraudulent purchases, while LinkedIn credentials can be used to access or contact a user’s connections. In all cases of credential theft, stolen passwords can be used in credential stuffing attacks that attempt to gain access to user accounts.
The NJCCIC recommends users refrain from clicking on links or opening attachments delivered with unexpected or unsolicited emails, including those from known senders. Users are advised to, instead, navigate to websites by manually typing the URL into the address bar of their browser. If credential compromise is suspected, users are advised to change credentials across all accounts that used the same login information and enable multi-factor authentication where available. Password reuse is highly discouraged.
June 27, 2019
The NJCCIC has received reports of a conversation hijacking campaign distributed via spoofed email messages attempting to deliver theQbot banking trojan. These spoofed email messages appear to be replies to previous legitimate email conversations and contain OneDrive URLs linking to maliciousZIP files embedded with Visual Basic Script (VBScript). If executed, these files will download and install Qbot. Common subject lines associated with this campaign begin with “RE:” and include references to changes, updates, confirmations, and named individuals. Threat actors use highly-customized phishing techniques and realistic-looking email signatures to gain the target’s trust and trick them into downloading the malware. Qbot monitors the browsing activity of infected computers, records information from financial websites, and supports polymorphic capabilities, allowing it to self-mutate as it moves inside a network. Qbot may download files and exfiltrate other sensitive information including passwords from an infected system.
The NJCCIC recommends educating users about this and similar phishing threats, reminding them never to click on links or open attachments delivered in unexpected or unsolicited emails. Users are advised to run updated anti-virus/anti-malware programs on all devices and enable multi-factor authentication where available to prevent account compromise as a result of credential theft.
May 27, 2019
NJCCIC reports a new phishing campaign that claims to come from the “Office 365 Team”. The email warns the user that their account is going to be deleted unless the request is cancelled within the hour. This new campaign employs the old tactic of creating a sense of urgency to convince users to take risky actions, such as clicking on a link in an unexpected email. Once clicked, the link directs the user to a fraudulent Microsoft Office Support Account Update page that prompts the user to sign into their account in order to cancel the request. Once the user’s credentials are entered and submitted, they are sent to the threat actors and the user is redirected to a landing page with a “thanks!” message. The login and other landing pages were created using Excel Online. As always, if you have concerns with a message, report it to the Help Desk using spamFREEHUDSONCOUNTYCOMMUNITYCOLLEGE or call. If you have clicked on a link in this email, contact the Help Desk.