Educause Security Discussion mailing list archives

Re: [EXT]: Re: [SECURITY] Danger from recent BEC attacks

From: Mara Hancock <mhancock () CCA EDU>
Date: Thu, 4 Oct 2018 11:51:19 -0400

This happened at CCA a couple of years ago. We added multi-factor and put a
notification from our ERP on any bank-routing changes so  the individual
and payroll get notified when/if something nefarious occurs. Also Payroll
has a task when running payroll that will catch any changes and they can
notice patterns.

Best,
Mara Hancock

Sent from my iPhone

On Oct 4, 2018, at 6:20 AM, Sosnin, Josh <Josh.Sosnin () ellucian com> wrote:

If you are not already using some type of banner and/or modification to the
subject to show an email originated from an outside source, I strongly
recommend you consider the addition.  It provides an anchor for education
and a valuable reminder.



-- 

Josh Sosnin | VP and CISO | ellucian | 215.779.1323 (m) | www.ellucian.com

CONFIDENTIALITY: This email (including any attachments) may contain
confidential, proprietary and privileged information, and unauthorized
disclosure or use is prohibited. If you received this email in error,
please notify the sender and delete this email from your system. Thank you.





*From: *The EDUCAUSE Security Community Group Listserv <
SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Henderson, Daniel C." <
dchenderson () CCIS EDU>
*Reply-To: *The EDUCAUSE Security Community Group Listserv <
SECURITY () LISTSERV EDUCAUSE EDU>
*Date: *Thursday, October 4, 2018 at 9:11 AM
*To: *"SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
*Subject: *[EXT]: Re: [SECURITY] Danger from recent BEC attacks



***External Email***

We had the same issues happen a few months ago. The attackers appear to
have been harvesting emails that are publicly accessible for their first
phishing email attempts.

From our observations, the phish seemed to work better when users were on

their mobile device and not their workstation. We use Knowbe4 in training
users, but most the training revolves around what a phish would look like
on a desktop computer. When a user sees the email come in over mobile they
don’t always know how to see if the true email address is legit or not and
no hoovering over the URLs to see if the link goes to the proper place.





Caine Henderson

Director Enterprise Information Systems/ Infosec

Columbia College

573-875-4608









*From:* The EDUCAUSE Security Community Group Listserv <
SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Steven Alexander
*Sent:* Wednesday, October 3, 2018 6:09 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Danger from recent BEC attacks



We’ve seen the same scam.  They phish credentials, set up email filters,
and change direct deposit.  I’ve talked to another college who ran into the
same thing.



Steven Alexander

Director of IT Security

Kern Community College District



*From:* The EDUCAUSE Security Community Group Listserv <
SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Curt Kappenman
*Sent:* Wednesday, October 3, 2018 12:38 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] Danger from recent BEC attacks



All,

   I am sending this out as a notice of an issue related to some recent BEC
campaigns focused on our institution.  The malicious actors seem to be
after user credentials so that they can spoof the user to make changes to
their direct deposit information and highjack payroll.  We have had a few
user fall prey to these attacks and the malicious actors inserted email
rules so the user would not see the traffic and they then corresponded with
the business office to change direct deposit info.  All of this traffic
appeared to be the user because it transpired on their institutional email
address.

  This was caught when the user inquired about missed deposits.  Just
giving everyone a heads up if this is happening on your campus.



*Curt Kappenman*

*Security Compliance Officer / Systems Technician*



<image001.png>
<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.andersonuniversity.edu%2Fit.aspx&data=02%7C01%7Cjosh.sosnin%40ELLUCIAN.COM%7Ce11d4318499b40eaf12608d629fad918%7Cba4f1b25f4f74403892553e24140459f%7C0%7C0%7C636742554719938522&sdata=qQwAds0gh%2BxLUOLrNXqsO21u9Rxl8jnsgGF%2B7YFr8W4%3D&reserved=0>

316 Boulevard, Anderson, SC 29621

Phone: (864) 231-2850

Help Desk: (864) 231-2457

ckappenman () andersonuniversity edu

www.andersonuniversity.edu
<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.andersonuniversity.edu%2F&data=02%7C01%7Cjosh.sosnin%40ELLUCIAN.COM%7Ce11d4318499b40eaf12608d629fad918%7Cba4f1b25f4f74403892553e24140459f%7C0%7C0%7C636742554719948534&sdata=TjKarwIoxS0izl92L%2BeRjzutffAoTiGkGvjWtQbMHAo%3D&reserved=0>



Note: This message contains information which may be confidential and
privileged. Unless you are the addressee (or authorized to receive for the
addressee), you may not use, copy or disclose to anyone this message or any
information contained in this message. If you have received this message in
error, please advise the sender by replying to*
ckappenman () andersonuniversity edu <ckappenman () andersonuniversity edu>*, and
delete the message. Thank you for your cooperation in this matter.

Current thread:

Danger from recent BEC attacks Curt Kappenman (Oct 03)
- Re: Danger from recent BEC attacks Steven Alexander (Oct 03)
  - Re: Danger from recent BEC attacks Boyd, Daniel (Oct 04)
  - Re: Danger from recent BEC attacks Boyd, Daniel (Oct 04)
  - Re: Danger from recent BEC attacks Henderson, Daniel C. (Oct 04)
    - Re: [EXT]: Re: [SECURITY] Danger from recent BEC attacks Sosnin, Josh (Oct 04)
    - Re: [EXT]: Re: [SECURITY] Danger from recent BEC attacks Mara Hancock (Oct 04)