Educause Security Discussion mailing list archives

Re: [EXT]: Re: [SECURITY] Danger from recent BEC attacks


From: "Sosnin, Josh" <Josh.Sosnin () ELLUCIAN COM>
Date: Thu, 4 Oct 2018 13:20:39 +0000

If you are not already using some type of banner and/or modification to the subject to show an email originated from an 
outside source, I strongly recommend you consider the addition.  It provides an anchor for education and a valuable 
reminder.

--
Josh Sosnin | VP and CISO | ellucian | 215.779.1323 (m) | www.ellucian.com
CONFIDENTIALITY: This email (including any attachments) may contain confidential, proprietary and privileged 
information, and unauthorized disclosure or use is prohibited. If you received this email in error, please notify the 
sender and delete this email from your system. Thank you.


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Henderson, 
Daniel C." <dchenderson () CCIS EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Thursday, October 4, 2018 at 9:11 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [EXT]: Re: [SECURITY] Danger from recent BEC attacks

**External Email**
We had the same issues happen a few months ago. The attackers appear to have been harvesting emails that are publicly 
accessible for their first phishing email attempts.
From our observations, the phish seemed to work better when users were on their mobile device and not their 
workstation. We use KnowBe4 in training users, but most of the training revolves around what a phish would look like on a 
desktop computer. When a user sees the email come in over mobile they don’t always know how to see if the true email 
address is legit or not, and there is no hovering over the URLs to see if the link goes to the proper place.


Caine Henderson
Director Enterprise Information Systems/ Infosec
Columbia College
573-875-4608




From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Steven Alexander
Sent: Wednesday, October 3, 2018 6:09 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Danger from recent BEC attacks

We’ve seen the same scam.  They phish credentials, set up email filters, and change direct deposit.  I’ve talked to 
another college who ran into the same thing.

Steven Alexander
Director of IT Security
Kern Community College District

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Curt Kappenman
Sent: Wednesday, October 3, 2018 12:38 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Danger from recent BEC attacks

All,
   I am sending this out as a notice of an issue related to some recent BEC campaigns focused on our institution.  The 
malicious actors seem to be after user credentials so that they can spoof the user to make changes to their direct 
deposit information and hijack payroll.  We have had a few users fall prey to these attacks and the malicious actors 
inserted email rules so the user would not see the traffic and they then corresponded with the business office to 
change direct deposit info.  All of this traffic appeared to be the user because it transpired on their institutional 
email address.
  This was caught when the user inquired about missed deposits.  Just giving everyone a heads up if this is happening 
on your campus.

Curt Kappenman
Security Compliance Officer / Systems Technician

316 Boulevard, Anderson, SC 29621
Phone: (864) 231-2850
Help Desk: (864) 231-2457
ckappenman () andersonuniversity edu
www.andersonuniversity.edu

Note: This message contains information which may be confidential and privileged. Unless you are the addressee (or 
authorized to receive for the addressee), you may not use, copy or disclose to anyone this message or any information 
contained in this message. If you have received this message in error, please advise the sender by replying to 
ckappenman () andersonuniversity edu, and delete the message. Thank you 
for your cooperation in this matter.
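
The external-sender banner and subject tag recommended in the first message, as an added example that is not part of the thread and is not any poster's or vendor's code. The `example.edu` domain and the function names are assumptions, and the check uses the `From` header alone, which is a simplification: a mail gateway would normally decide on how the message entered the organisation, since the header can be forged.

```python
from email import message_from_string, policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.edu"}   # assumption: the institution's own domains
SUBJECT_TAG = "[EXT]: "              # tag format as seen in this thread's subject
BANNER = "**External Email**\n"      # banner text as seen in this thread


def is_external(msg):
    """Treat a missing, malformed or non-listed From domain as external."""
    _, addr = parseaddr(str(msg.get("From", "")))
    if "@" not in addr:
        return True
    # Exact match only, so look-alikes such as example.edu.mail.test stay external.
    return addr.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS


def tag_external(raw):
    """Parse raw message text; add the subject tag and body banner if external."""
    msg = message_from_string(raw, policy=policy.default)
    if not is_external(msg):
        return msg
    subject = str(msg.get("Subject", ""))
    if not subject.startswith(SUBJECT_TAG):   # idempotent if processed twice
        del msg["Subject"]
        msg["Subject"] = SUBJECT_TAG + subject
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text = body.get_content()
        if not text.startswith(BANNER):
            body.set_content(BANNER + text)
    return msg


# Constructed sample messages (not taken from the thread).
RAW_EXTERNAL = (
    "From: Jane Doe <jane@example.edu.mail.test>\n"
    "To: staff@example.edu\nSubject: Meeting notes\n\n"
    "See the attached agenda.\n"
)
RAW_INTERNAL = (
    "From: Jane Doe <jane@example.edu>\n"
    "To: staff@example.edu\nSubject: Meeting notes\n\n"
    "See the attached agenda.\n"
)

if __name__ == "__main__":
    for raw in (RAW_EXTERNAL, RAW_INTERNAL):
        print(tag_external(raw)["Subject"])
```
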



