Educause Security Discussion mailing list archives
Re: Fake Direct Deposit Forms
From: Jesse Thompson <000000b6da97d697-dmarc-request () LISTSERV EDUCAUSE EDU>
Date: Wed, 11 Sep 2019 20:22:37 +0000
IMAP, POP and SMTP all can support MFA by means of OAuth. Gmail supports it as a service provider, and at least Thunderbird and Apple Mail support it as email clients.

https://en.wikipedia.org/wiki/Comparison_of_email_clients#Authentication_support (outdated, but gives you the gist)

It's in Microsoft's best market-dominance interest to coerce people into using Outlook, so they will likely never support OAuth with their "legacy" protocols. On the other hand, if you use non-federated authentication and Microsoft's MFA, they do support app passwords which can be used with "legacy" clients. Again, it's in Microsoft's best market-dominance interest to coerce enterprises into authenticating directly to AAD and using Microsoft's MFA.

So, what do we do? Options:

1) Convince faculty that common internet standards are worth killing because of Cybersecurity-based fear, uncertainty, and doubt. Turn off "legacy" protocols, firewall your Shib ECP endpoint, turn off basic authentication on all mailboxes, buy AAD Premium P2, buy Conditional Access, stop giving accounts to alumni and emeritus (due to cost and risk), stop allowing forwarding (to stop users from fleeing towards functional email services), etc.

2) Split host your domain(s) with Gmail and let faculty and staff use Gmail if they want to use standards compliant email protocols that support MFA. Google seems to be more supportive of internet standards (at this time). So, you can hedge your bets and avoid vendor lock-in and security up-sells by adding complexity to your user experience and operational overhead.

3) Implement an application password solution with your Shib ECP endpoint similar to University of Arizona.
https://meetings.internet2.edu/media/medialibrary/2017/10/06/20171016-windham-sso-office365.pdf

#3 seems like the most sensible option in my mind
#2 is a good option if you have a very large faculty/research contingent who adamantly refuse to use Microsoft over Google services
#1 is probably what most universities will end up doing because it's what Microsoft recommends

Hope this helps!

Jesse Thompson
Solutions Architect, Certified Ethical Hacker, M3AAWG member
University of Wisconsin-Madison

________________________________________
From: Jon Miner <jon.miner () wisc edu>
Sent: Wednesday, September 11, 2019 12:46 PM
To: Jesse Thompson
Subject: Fw: [SECURITY] Fake Direct Deposit Forms

I assume you're probably on the Educause Security list.

jon

________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of David Escalante <david.escalante () BC EDU>
Sent: Wednesday, September 11, 2019 11:10
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Fake Direct Deposit Forms

I just want to take this opportunity to re-do my occasional rant about "modern authentication" and "legacy email protocols."

"Modern Authentication" is a term of art (cleverly) invented by Microsoft, as is "legacy email protocols." Here's what DUO has to say about Modern Auth:

"Modern Authentication is the term Microsoft uses to refer to their implementation of the OAuth 2.0 authorization framework for client/server authentication. Modern Authentication leverages Active Directory Authentication Libraries (ADAL) to enable applications to support sign-in features like 2 factor authentication (2FA/MFA) and Smart card + Certificate-based Authentication."
-- https://help.duo.com/s/article/4419?language=en_US

And here's what Microsoft has to say about it, from 2 days ago, with a list of supported clients:

"Modern Authentication enables Active Directory Authentication Library (ADAL)-based sign-in for Office client apps across different platforms. This enables sign-in features such as Multi-Factor Authentication (MFA), smart card, and certificate-based authentication."
-- https://docs.microsoft.com/en-us/office365/enterprise/office-365-client-support-modern-authentication

While it's quite true that IMAP and POP don't support MFA, "turning off legacy email protocols" is not going to work if, for example, you're not a Microsoft shop and are running a UNIX-based SMTP mail server, and it condemns your user base to using either browsers or Microsoft clients to read email that can only be hosted on a Microsoft backend email system. I'm not sure how that is either modern or good -- sounds like vendor lock-in to me. (But it's great marketing by someone in Redmond.)

What I'd like to see is an industry-wide mail protocol that supports MFA that all the interesting mail clients competing against each other out there can use without dependencies on Microsoft products. It's surely needed given the brute forces on POP and IMAP. If there's already a spec for "Modern Authentication" such that it can be implemented by other vendors on both client and server, I'm not aware of it, please educate me!

-- David Escalante

Manjak, Martin wrote on 9/11/19 9:50 AM:

Toni,

Thanks for the ProofPoint reference. It certainly lends urgency to our deliberations over when to pull the plug on legacy email protocols.

Marty Manjak
CISO
University at Albany

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Dickey, A. (Antoinette)
Sent: Tuesday, September 10, 2019 3:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Fake Direct Deposit Forms

I checked with the manager of our Threat Intelligence team. He provided this information:

This article is from March, but the technique is as old as Office 365 e-mail has been around, and Google G Suite too.
https://www.proofpoint.com/us/threat-insight/post/threat-actors-leverage-credential-dumps-phishing-and-legacy-email-protocols

- Legacy email access protocols are enabled by default and do not support MFA (IMAP protocol has no support for a second form of authentication).

Albany.edu has its email through Office 365, so there is a chance this is how the bad guys got it.

Toni Dickey, CISA, CRISC
Sr. Security Specialist – Office of the CISO
Technology Risk & Security Management
Voya Financial™
One Orange Way A4S, Windsor, CT 06095
Office: (860) 580-1997
Email: Antoinette.Dickey () voya com

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Henderson, Daniel C.
Sent: Tuesday, September 10, 2019 02:21 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Fake Direct Deposit Forms

We have had these types of attacks occur off and on for the past few years. Our payroll office had to alter their processes to ensure none of the fake DD attempts were successful. The one and only time one went through, the bank account that the attacker had set up was already closed by the time we contacted the bank in California. We found that most of the time an account was compromised by a phishing email that harvested user credentials, and the attacker used our portal to log in and fill out the proper form for a new DD location.

We have increased our security awareness training to try and prevent account compromises, with multiple phishing exercises yearly and KnowBe4 training once a year. We have seen some success, but we know it won't be 100%. We would like to start using MFA to help in this effort as well, and hope to move towards some kind of MFA in the next few years.

Caine Henderson
Director of Cyber Security, Web Development, and Investigation
Columbia College
573-875-4608

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Manjak, Martin
Sent: Tuesday, September 10, 2019 11:29 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Fake Direct Deposit Forms

CAUTION!: This email originated from outside of Columbia College.

Ron,

You're not. We had an incident last week where an account was compromised and used to send the DD change request to our HR department. The fake check and form also referenced an American Express National Bank account. In our case, the A/C# was 6220124014299. It was flagged because our form requires state assigned employee IDs, not SSN.

The emails were sourced from QuadraNet, Inc colocation centers in Atlanta, LA, and Huntsville. The mystery we haven't solved yet is how the employee's email was compromised. No spam was sent, just the DD change request. They did set up an Inbox rule that marked any responses from HR as read and moved them to the Deleted folder to prevent the victim from being tipped off.

Marty Manjak
CISO
University at Albany

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of King, Ronald A.
Sent: Tuesday, September 10, 2019 11:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Fake Direct Deposit Forms

As an FYI, I have had three reports of fake Direct Deposit requests. Two of them included completed forms. The forms included the victims' correct address and social. Both would have redirected full paychecks to American Express National Bank in Salt Lake City. Attached is an image of the electronic check.

Given the size of the Equifax breach and the loss of the pertinent info, we cannot be the only institution seeing this.

Ron

Ronald King
Chief Information Security Officer
Office of Information Technology
(757) 823-2916 (Office)
raking () nsu edu
www.nsu.edu
@NSUCISO (Twitter)

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community

---------------------------------------------------------
NOTICE: The information contained in this electronic mail message is confidential and intended only for certain recipients. If you are not an intended recipient, you are hereby notified that any disclosure, reproduction, distribution or other use of this communication and any attachments is strictly prohibited. If you have received this communication in error, please notify the sender by reply transmission and delete the message without copying or disclosing it.
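Marty Manjak's account above of the Inbox rule that marked HR's replies as read and moved them to the Deleted folder describes a pattern that can be audited for directly. The following is an added example, not code from the thread or from any of the participants or their institutions. The rule records and their field names are constructed for this illustration and are a hypothetical shape, not the output of any particular mail platform's rule API; the folder list, the HR/payroll term list and the scoring thresholds are assumptions to be tuned locally.

```python
"""Audit mailbox inbox rules for the concealment pattern described in the
thread: a rule that marks replies from HR/payroll as read and moves them to
a folder the victim never looks at, or that forwards mail off-domain.

Added example. The rule records and their field names are constructed for
this illustration and are a hypothetical shape, not any platform's API.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Destination folders where a moved message is unlikely to be noticed (assumption).
HIDING_FOLDERS = {"deleted items", "deleted", "trash", "junk email", "junk",
                  "rss feeds", "archive", "conversation history"}
# Senders/subjects tied to the payroll process abused in the thread (assumption).
PAYROLL_PATTERN = re.compile(
    r"\b(hr|payroll|human resources|direct deposit|benefits)\b", re.IGNORECASE)


@dataclass
class InboxRule:
    mailbox: str                      # owner of the mailbox the rule lives in
    name: str
    from_addresses: List[str] = field(default_factory=list)
    subject_contains: List[str] = field(default_factory=list)
    mark_as_read: bool = False
    move_to_folder: Optional[str] = None
    delete_message: bool = False
    forward_to: List[str] = field(default_factory=list)


def _targets_payroll(rule: InboxRule) -> bool:
    text = " ".join(rule.from_addresses + rule.subject_contains)
    return PAYROLL_PATTERN.search(text) is not None


def _forwards_offdomain(rule: InboxRule) -> bool:
    own = rule.mailbox.rsplit("@", 1)[-1].lower()
    return any(a.rsplit("@", 1)[-1].lower() != own for a in rule.forward_to)


def score_rule(rule: InboxRule) -> List[str]:
    """Return the reasons a rule looks like concealment or exfiltration; [] means benign."""
    reasons: List[str] = []
    hides = rule.delete_message or (rule.move_to_folder or "").lower() in HIDING_FOLDERS
    if hides and rule.mark_as_read:
        reasons.append("marks as read and hides message")
    elif hides:
        reasons.append("hides message")
    if _forwards_offdomain(rule):
        reasons.append("forwards to external address")
    if reasons and _targets_payroll(rule):
        reasons.append("targets HR/payroll correspondence")
    # A plain "delete this sender" rule is common housekeeping; only the
    # read-and-hide combination, an external forward, or a payroll target is reported.
    if reasons == ["hides message"]:
        return []
    return reasons


def find_suspicious_rules(rules: List[InboxRule]) -> List[Tuple[str, str, List[str]]]:
    """Return (mailbox, rule name, reasons) for every rule score_rule flags."""
    findings = []
    for rule in rules:
        reasons = score_rule(rule)
        if reasons:
            findings.append((rule.mailbox, rule.name, reasons))
    return findings


# Constructed sample rules (not real data). The first mirrors the rule
# described in the thread; the others are ordinary housekeeping or merely odd.
SAMPLE_RULES = [
    InboxRule("employee1@example.edu", "Rule 1",
              from_addresses=["hr@example.edu", "payroll@example.edu"],
              subject_contains=["Direct Deposit"],
              mark_as_read=True, move_to_folder="Deleted Items"),
    InboxRule("employee1@example.edu", "Newsletters",
              from_addresses=["news@vendor.example"],
              mark_as_read=True, move_to_folder="Newsletters"),
    InboxRule("employee2@example.edu", "Backup",
              forward_to=["copy@webmail.example"]),
    InboxRule("employee3@example.edu", "Clean up",
              from_addresses=["notifications@example.edu"],
              delete_message=True),
]

if __name__ == "__main__":
    for mailbox, name, reasons in find_suspicious_rules(SAMPLE_RULES):
        print(f"{mailbox}: rule '{name}': {', '.join(reasons)}")
```

Run as a script it reports "Rule 1" (read-and-hide on HR/payroll senders) and "Backup" (off-domain forward) and stays quiet on the newsletter filter and the plain delete rule. In practice the records would be exported from the mail platform's rule inventory and the check run on a schedule, with a rule created shortly before a payroll change request treated as the strongest signal.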