Re: Fake Direct Deposit Forms

[Jesse Thompson <000000b6da97d697-dmarc-request () LISTSERV EDUCAUSE EDU>]

IMAP, POP and SMTP all can support MFA by means of OAuth.  Gmail supports it as a service provider, and at least 
Thunderbird and Apple Mail support it as email clients.  
https://en.wikipedia.org/wiki/Comparison_of_email_clients#Authentication_support (outdated, but gives you the gist)

It's in Microsoft's best market-dominance interest to coerce people into using Outlook, so they will likely never 
support OAuth with their "legacy" protocols.
 On the other hand, if you use non-federated authentication and Microsoft's MFA, they do support app passwords which 
can be used with "legacy" clients.  Again, it's in Microsoft's best market-dominance interest to coerce enterprises 
into authenticating directly to AAD and use Microsoft's MFA.

So, what do we do?  Options:

1) Convince faculty that common internet standards are worth killing because of Cybersecurity-based fear, uncertainty, 
and doubt.  Turn off "legacy" protocols, firewall your Shib ECP endpoint, turn off basic authentication on all 
mailboxes, buy AAD Premium P2, buy Conditional Access, stop giving accounts to alumni and emeritus (due to cost and 
risk), stop allowing forwarding (to stop users from fleeing towards functional email services), etc......

2) Split host your domain(s) with Gmail and let faculty and staff use Gmail if they want to use standards compliant 
email protocols that support MFA.  Google seems to be more supportive of internet standards (at this time).  So, you 
can hedge your bets and avoid vendor lock-in and security up-sells by adding complexity to your user experience and 
operational overhead.

3) Implement an application password solution with your Shib ECP endpoint similar to University of Arizona.  
https://meetings.internet2.edu/media/medialibrary/2017/10/06/20171016-windham-sso-office365.pdf

#3 seems like the most sensible option in my mind

#2 is a good option if you have a very large faculty/research contingent who adamantly refuse to use Microsoft over 
Google services

#1 is probably what most universities will end up doing because it's what Microsoft recommends

Hope this helps!

Jesse Thompson
Solutions Architect, Certified Ethical Hacker, M3AAWG member
University of Wisconsin-Madison

________________________________________
From: Jon Miner <jon.miner () wisc edu>
Sent: Wednesday, September 11, 2019 12:46 PM
To: Jesse Thompson
Subject: Fw: [SECURITY] Fake Direct Deposit Forms

I assume you're probably on the Educause Security list.

jon

________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of David Escalante 
<david.escalante () BC EDU>
Sent: Wednesday, September 11, 2019 11:10
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Fake Direct Deposit Forms

I just want to take this opportunity to re-do my occasional rant about "modern authentication" and "legacy email 
protocols."

"Modern Authentication" is a term of art (cleverly) invented by Microsoft, as is "legacy email protocols."  Here's what 
DUO has to say about Modern Auth:

"Modern Authentication is the term Microsoft uses to refer to their implementation of the OAuth 2.0 authorization 
framework for client/server authentication. Modern Authentication leverages Active Directory Authentication Libraries 
(ADAL) to enable applications to support sign-in features like 2 factor authentication (2FA/MFA) and Smart card + 
Certificate-based Authentication." -- https://help.duo.com/s/article/4419?language=en_US

And here's what Microsoft has to say about it, from 2 days ago, with a list of supported clients:

"Modern Authentication enables Active Directory Authentication Library (ADAL)-based sign-in for Office client apps 
across different platforms. This enables sign-in features such as Multi-Factor Authentication (MFA), smart card, and 
certificate-based authentication." -- 
https://docs.microsoft.com/en-us/office365/enterprise/office-365-client-support-modern-authentication

While it's quite true that IMAP and POP don't support MFA, "turning off legacy email protocols" is not going to work 
if, for example, you're not a Microsoft shop and are running a UNIX-based SMTP mail server, and it condemns your user 
base to using either browsers or Microsoft clients to reading email that can only be hosted on a Microsoft backend 
email system.  I'm not sure how that is either modern or good -- sounds like vendor lock-in to me.  (But it's great 
marketing by someone in Redmond.)

What I'd like to see is an industry-wide mail protocol that supports MFA that all the interesting mail clients 
competing against each other out there can use without dependencies on Microsoft products.  It's surely needed given 
the brute forces on POP and IMAP.  If there's already a spec for "Modern Authentication" such that it can be 
implemented by other vendors on both client and server, I'm not aware of it, please educate me!
--
David Escalante

Manjak, Martin wrote on 9/11/19 9:50 AM:
Toni,

Thanks for the ProofPoint reference. It certainly lends urgency to our deliberations over when to pull the plug on 
legacy email protocols.

Marty Manjak
CISO
University at Albany

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU><mailto:SECURITY () LISTSERV 
EDUCAUSE EDU> On Behalf Of Dickey, A. (Antoinette)
Sent: Tuesday, September 10, 2019 3:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Fake Direct Deposit Forms

I checked with the manager of our Threat Intelligence team. He provided this information:

This article is from March, but the technique is as old as office 365 e-mail has been around, and google g suite too. 
https://www.proofpoint.com/us/threat-insight/post/threat-actors-leverage-credential-dumps-phishing-and-legacy-email-protocols
 -

Legacy email access protocols are enabled by default and do not support MFA (IMAP protocol has no support for a second 
form of authentication).  Albany.edu has its email through office 365, so there is a chance this is how the bad guys 
got it.

Toni Dickey, CISA, CRISC
Sr. Security Specialist – Office of the CISO
Technology Risk & Security Management
Voya Financial™
One Orange Way A4S, Windsor, CT 06095
Office: (860) 580-1997
Email: Antoinette.Dickey () voya com<mailto:Antoinette.Dickey () voya com>

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Henderson, Daniel C.
Sent: Tuesday, September 10, 2019 02:21 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Fake Direct Deposit Forms

We have had these types of attacks occur off and on for the past few years. Our payroll office had to alter their 
processes to ensure none of the fake DD attempts were successful. The one and only time one went through, the bank 
account that the attacker had set up was already closed by the time we contacted the bank in California. We found that 
most the time an account was compromised by a phishing email that harvested user credentials, and the attacker used our 
portal to login and use fill out the proper form for a new DD location.

We have increased our security awareness training to try and prevent account compromises, with multiple phishing 
exercises yearly and knowbe4 training once a year. We have seen some success, but we know it won’t be 100%. We would 
like to start using MFA to help in this effort as well, and hope to move towards some kind of MFA in the next few years.


Caine Henderson
Director of Cyber Security, Web Development, and Investigation
Columbia College
573-875-4608



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Manjak, Martin
Sent: Tuesday, September 10, 2019 11:29 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Fake Direct Deposit Forms

CAUTION!: This email originated from outside of Columbia College.
Ron,

You’re not. We had an incident last week where an account was compromised and used to send the DD change request to our 
HR department. The fake check and form also referenced an American Express National Bank account. In our case, the A/C# 
was 6220124014299.

It was flagged because our form requires state assigned employee IDs, not SSN.


The emails were sourced from QuadraNet, Inc colocation centers in Atlanta, LA, and Huntsville.



The mystery we haven’t solved yet is how the employee’s email was compromised. No spam was sent, just the DD change 
request. They did set up an In box rule that marked any responses from HR as read and moved to the Delete folder to 
prevent the victim from being tipped off.

Marty Manjak
CISO
University at Albany

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of King, Ronald A.
Sent: Tuesday, September 10, 2019 11:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Fake Direct Deposit Forms

As an FYI, I have had three reports of fake Direct Deposit requests. Two of them included completed forms. The forms 
included the victims correct address and social. Both would have redirected full paychecks to American Express National 
Bank in Salt Lake City. Attached is an image of the electronic check. Given the size of the Equifax breach and the loss 
of the pertinent info, we cannot be the only institution seeing this.

Ron

Ronald King
Chief Information Security Officer

Office of Information Technology
(757) 823-2916 (Office)
raking () nsu edu<mailto:raking () nsu edu>
www.nsu.edu<http://www.nsu.edu/>
@NSUCISO (Twitter)
[NSU_logo_horiz_tag_4c -  Smaller]


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
--------------------------------------------------------- NOTICE: The information contained in this electronic mail 
message is confidential and intended only for certain recipients. If you are not an intended recipient, you are hereby 
notified that any disclosure, reproduction, distribution or other use of this communication and any attachments is 
strictly prohibited. If you have received this communication in error, please notify the sender by reply transmission 
and delete the message without copying or disclosing it. 
============================================================================================

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community