Educause Security Discussion mailing list archives

Re: Fake Direct Deposit Forms


From: "Manjak, Martin" <mmanjak () ALBANY EDU>
Date: Wed, 11 Sep 2019 13:50:35 +0000

Toni,

Thanks for the ProofPoint reference. It certainly lends urgency to our deliberations over when to pull the plug on 
legacy email protocols.

Marty Manjak
CISO
University at Albany

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Dickey, A. 
(Antoinette)
Sent: Tuesday, September 10, 2019 3:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Fake Direct Deposit Forms

I checked with the manager of our Threat Intelligence team. He provided this information:

This article is from March, but the technique is as old as Office 365 e-mail has been around, and Google G Suite too.
https://www.proofpoint.com/us/threat-insight/post/threat-actors-leverage-credential-dumps-phishing-and-legacy-email-protocols

Legacy email access protocols are enabled by default and do not support MFA (the IMAP protocol has no support for a second
form of authentication). Albany.edu has its email through Office 365, so there is a chance this is how the bad guys
got it.

Toni Dickey, CISA, CRISC
Sr. Security Specialist - Office of the CISO
Technology Risk & Security Management
Voya Financial™
One Orange Way A4S, Windsor, CT 06095
Office: (860) 580-1997
Email: Antoinette.Dickey () voya com

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Henderson, Daniel C.
Sent: Tuesday, September 10, 2019 02:21 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Fake Direct Deposit Forms

We have had these types of attacks occur off and on for the past few years. Our payroll office had to alter their
processes to ensure none of the fake DD attempts were successful. The one and only time one went through, the bank
account that the attacker had set up was already closed by the time we contacted the bank in California. We found that
most of the time an account was compromised by a phishing email that harvested user credentials, and the attacker used our
portal to log in and fill out the proper form for a new DD location.

We have increased our security awareness training to try and prevent account compromises, with multiple phishing
exercises yearly and KnowBe4 training once a year. We have seen some success, but we know it won't be 100%. We would
like to start using MFA to help in this effort as well, and hope to move towards some kind of MFA in the next few years.


Caine Henderson
Director of Cyber Security, Web Development, and Investigation
Columbia College
573-875-4608



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Manjak, Martin
Sent: Tuesday, September 10, 2019 11:29 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Fake Direct Deposit Forms

Ron,

You're not. We had an incident last week where an account was compromised and used to send the DD change request to our 
HR department. The fake check and form also referenced an American Express National Bank account. In our case, the A/C# 
was 6220124014299.

It was flagged because our form requires state assigned employee IDs, not SSN.


The emails were sourced from QuadraNet, Inc colocation centers in Atlanta, LA, and Huntsville.



The mystery we haven't solved yet is how the employee's email was compromised. No spam was sent, just the DD change
request. They did set up an Inbox rule that marked any responses from HR as read and moved them to the Delete folder to
prevent the victim from being tipped off.

Marty Manjak
CISO
University at Albany
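
The hiding rule described in the message above (HR replies marked read and moved out of sight) is a pattern a mailbox-rule audit can catch. The following is an added example, not code from this thread or from any of the institutions named; the rule record fields and all sample data are constructed, not an actual Exchange or Office 365 export format.

```python
# Added example: flag inbox rules that both target HR/payroll mail and hide it.
# Field names, sender addresses and sample rules are constructed assumptions.
from dataclasses import dataclass, field

# Constructed: internal senders whose replies a payroll-fraud rule would hide.
HR_SENDERS = {"hr@example.edu", "payroll@example.edu"}
# Folders where a victim is unlikely to notice a moved message.
HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds", "archive"}
PAYROLL_WORDS = ("direct deposit", "payroll", "banking")

@dataclass
class InboxRule:
    mailbox: str
    name: str
    from_addresses: list = field(default_factory=list)
    subject_contains: list = field(default_factory=list)
    move_to_folder: str = ""
    mark_as_read: bool = False
    delete_message: bool = False

def rule_risk(rule):
    """Return (score, reasons). A score of 4 or more means the rule both selects
    HR/payroll mail and hides it, the combination worth an analyst's attention."""
    score, reasons = 0, []
    if {a.lower() for a in rule.from_addresses} & HR_SENDERS:
        score += 2; reasons.append("filters mail from HR/payroll")
    if any(w in s.lower() for s in rule.subject_contains for w in PAYROLL_WORDS):
        score += 2; reasons.append("filters payroll-related subjects")
    if rule.delete_message or rule.move_to_folder.lower() in HIDING_FOLDERS:
        score += 2; reasons.append("deletes or hides matching mail")
    if rule.mark_as_read:
        score += 1; reasons.append("marks matching mail as read")
    return score, reasons

def find_suspicious_rules(rules, threshold=4):
    """Return [(mailbox, rule name, reasons)] for rules at or above threshold."""
    hits = []
    for r in rules:
        score, reasons = rule_risk(r)
        if score >= threshold:
            hits.append((r.mailbox, r.name, reasons))
    return hits

# Constructed sample: a benign filing rule, a rule matching the thread's
# description, and an HR rule that files rather than hides (not flagged).
SAMPLE_RULES = [
    InboxRule("alice@example.edu", "Newsletters", subject_contains=["digest"],
              move_to_folder="Archive"),
    InboxRule("bob@example.edu", "Cleanup", from_addresses=["HR@example.edu"],
              move_to_folder="Deleted Items", mark_as_read=True),
    InboxRule("carol@example.edu", "File HR", from_addresses=["hr@example.edu"],
              move_to_folder="HR"),
]

if __name__ == "__main__":
    for mailbox, name, reasons in find_suspicious_rules(SAMPLE_RULES):
        print(f"{mailbox}: rule {name!r}: {', '.join(reasons)}")
```

Feeding the function a real rule export only requires mapping its fields onto `InboxRule`; the scoring is deliberately simple so the reasons list can be read directly in a ticket.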

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of King, Ronald A.
Sent: Tuesday, September 10, 2019 11:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Fake Direct Deposit Forms

As an FYI, I have had three reports of fake Direct Deposit requests. Two of them included completed forms. The forms
included the victims' correct address and Social. Both would have redirected full paychecks to American Express National
Bank in Salt Lake City. Attached is an image of the electronic check. Given the size of the Equifax breach and the loss
of the pertinent info, we cannot be the only institution seeing this.

Ron

Ronald King
Chief Information Security Officer

Office of Information Technology
(757) 823-2916 (Office)
raking () nsu edu
www.nsu.edu
@NSUCISO (Twitter)


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
