Educause Security Discussion mailing list archives

Re: Unusual pattern of compromised accounts


From: "Arffa, Letheshia" <LARFFA () BENTLEY EDU>
Date: Mon, 29 Jan 2018 15:14:05 +0000

I have heard of this pattern of exploiting payroll and using Greendot. Here are some patterns you should look for and if you can share the answers, I think others will be grateful.

1. Have they compromised mail accounts and created mail filters?
2. Have you determined if the break-ins were all from the same IP address? And was that IP address external?
3. Do you use multi-factor authentication? If not, here is your best opportunity to get it installed.
4. Consider having direct deposit changes become authorized by payroll instead of self-serve.

Feel free to contact me off list if you have additional questions.


Tisha Arffa
Information Security Project Manager
Bentley University
175 Forest Street, Lindsay 15C
Waltham, MA 02452
Office 781-891-2150

www.bentley.edu


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Pollock, Joseph
Sent: Friday, January 26, 2018 4:17 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Unusual pattern of compromised accounts

Has anyone observed the following:


1. A cluster of compromised accounts with no indication of a common factor such as clicking on a phishing link. Users have no idea how the compromise occurred.
2. The culprits change the user's direct deposit authorization.
3. They may have been familiar with the Banner system.
4. No other activity was observed.

We are looking for other indications, such as compromised desktops, but have found nothing as yet.

Please reply outside the list if you wish.

Joe Pollock
Network Services
The Evergreen State College

