Current Cyber Threats Targeting the Education Sector

The NJCCIC assesses with high confidence that educational institutions across the globe will remain attractive targets for a range of cyberattacks designed to disrupt daily operations, steal sensitive data, instill fear in the community, and hold critical operational data for ransom.

Summary

The education sector stands out as a primary focus for threat actors, ranking among the most vulnerable sectors globally. This susceptibility stems from the vast collection of valuable data, a general deficit in cybersecurity awareness, and extensive, prevalent vulnerabilities. Educational institutions manage the daily activities of hundreds or thousands of students and faculty members. Consequently, they handle extensive and sensitive data such as student and educator login details, home addresses, birthdates, full names, social security numbers, credit card details, and other financial records. According to Check Point Research, the education sector experienced an average of 3,086 weekly attacks per organization, marking a 37 percent increase compared to 2023. Social engineering, various business email compromise scams, and vulnerability exploitation pose significant threats, resulting in data breaches, financial losses, and reputational damages.

The education sector is often slow to adopt modern cybersecurity solutions due to a lack of funding. This can lead to outdated technology, limited resources to invest in cyber solutions and ever-growing institution sizes. Public schools receive funding from the government, which often leads to budget constraints. Consequently, cybersecurity is often deprioritized in favor of staff salaries, school resources, and infrastructure upgrades.

Vulnerability exploitation in educational institutions involves attackers identifying and leveraging weaknesses in the institution’s software or systems to gain unauthorized access or cause harm. Educational institutions often use a wide array of technologies, including older legacy systems that may not be regularly updated or patched, making them susceptible to such exploits. The open network environments common in educational settings and the high turnover of students and staff can exacerbate these security challenges. Additionally, limited cybersecurity budgets and resources mean that necessary updates and security practices may be neglected. The consequences of vulnerability exploitation can be severe, ranging from data breaches and loss of privacy to substantial disruptions in educational services and financial losses.

Social engineering poses the most significant threat to the education sector, which includes phishing and business email compromise (BEC) attacks. Phishing, a type of social engineering attack against educational institutions, typically involves cybercriminals sending fraudulent emails or messages that mimic legitimate communications. The emails may appear to originate from trusted sources like the school administration, IT services, or popular educational software providers. Often, these messages include urgent requests or threats, compelling recipients to act quickly without proper scrutiny, leading to compromised accounts or data breaches. Personal data obtained through successful phishing attacks enables cybercriminals to target high-profile individuals with spear phishing and whaling attacks and distribute malware, such as ransomware. Additionally, cybercriminals benefit from compromising account credentials to gain access to a school or university network, often through successful phishing attempts.

Unlike generic phishing scams, BEC scams are a highly targeted form of social engineering, often incorporating preliminary reconnaissance on potential victims and using various impersonation techniques, including email spoofing and look-alike domains. Threat actors spoof a familiar contact’s source name or email address to convey a sense of legitimacy, use domain names that mimic a trusted source, or compromise a legitimate account. The messages typically instruct the target to transfer funds, purchase gift cards, or provide other sensitive information to the threat actors posing as trusted individuals or businesses. Common types of BEC attacks include wire transfer scams, direct deposit scams, W-2 scams, and invoice scams. BEC scams can result in system compromises, data breaches, financial losses, and reputational damages.

Invoice scams begin with a threat actor impersonating trusted vendors with whom the target organization does business. They send emails to redirect outstanding and future invoices for products or services to a new bank account. Threat actors may attach legitimate or fraudulent invoices with inflated amounts and provide new payment policies with payment instructions and updated bank account details to steal funds from the vendor’s customers. According to the 2023 FBI IC3 Internet Crime Report, BEC scams are the second most expensive type of cybercrime. In 2023, New Jersey claimed 628 victims in BEC scams and ranked second in the nation with an average loss per victim of $223,000.

Direct deposit or payroll diversion scams occur when threat actors impersonate an employee, often by creating a free email address using the employee’s name and employing display name spoofing in the messages. They frequently send fraudulent emails to payroll or human resources departments, and direct deposit change forms are requested. Occasionally, threat actors may locate an organization’s direct deposit change form online and include a filled-out form in the email to divert an employee’s direct deposit account information to an account under the threat actor’s control.

Credential harvesting allows threat actors to compromise further accounts, escalate privileges, exploit vulnerabilities, move laterally within a network, deploy malware, and breach data. Threat actors attempt to harvest or steal these credentials primarily through phishing or distributing malware such as infostealers. Infostealer malware has significantly increased, in which threat actors compromised business and personal devices and exfiltrated millions of credentials, usually sold on dark web forums to other threat actors looking to compromise accounts or conduct further malicious activity. Moreover, in the education sector, it is common to observe the reuse of passwords across multiple accounts and the sharing of account credentials for frequently used applications. This practice increases the impact of a successful cyberattack and poses significant risks, potentially resulting in numerous compromised accounts.

School networks can be challenging to secure because they have a large user base, including faculty, staff, and students. With technology being an essential part of education, many schools have opted for Bring Your Own Device (BYOD) policies, which allow students and employees to connect their personal computers, tablets, and mobile phones to the school network. However, if BYOD policies are not implemented with security in mind, it can increase the risk of compromising the network and exposing sensitive data to potential threats from vulnerable and infected devices. Additionally, students are not bound by strict corporate guidelines for network access, thereby increasing the risk posed by their personal devices, shared accommodation, and public Wi-Fi use on campus.

Ransomware attacks on educational institutions involve encrypting data and demanding a ransom for access. Educational networks’ interconnectedness and insufficient cybersecurity measures make them lucrative targets for cybercriminals. These attacks can disrupt academic operations and cause significant financial and reputational damage. Additionally, they may result in the theft or sale of sensitive information.

The education sector also has a significant risk of Distributed Denial of Service (DDoS) attacks, which could impact students trying to access learning resources or submit time-sensitive assignments online. DDoS attacks attempt to deny access to various websites or domains and force a server overload, which can significantly impact day-to-day operations.

A successful DDoS attack can cause significant disruption, halting academic activities and administrative processes. The diversity of users and devices connecting to these networks often leads to security inconsistencies, which attackers exploit. The impact goes beyond inconvenience; it can also damage the institution’s reputation and incur significant costs for mitigating and preventing future attacks.

Common Attack Types in the Education Sector

Data breaches: The main reason data breaches happen is due to human error, either by stolen or weak credentials or through social engineering tactics. A data breach happens when an unauthorized person gets access to protected information such as dates of birth, Social Security numbers, banking information, and medical records. Data breaches can have a devastating impact on students, teachers, and staff.

Phishing: Attackers go to great lengths to ensure that their emails appear as legitimate as possible, for a phishing attack to be successful. These emails most contain links that direct target recipients to an attacker-controlled website that delivers malware or steals user credentials. Such an attack can lead to more sophisticated attacks such data breaches, malware or ransomware attacks.

Ransomware attacks: A ransomware attacks is financially motivated. It generally aim to damage and steal from a information system or server by targeting vulnerabilities within the network. Furthermore, the use of external devices and the absence of anti-virus software protection facilitates the task of the hacker. Such attacks can cause a lot of damage to schools because they disrupt key computer systems and school operations, and, more importantly, put at risk student data and safety. Ransomware is often spread through phishing emails that contain malicious attachments.

Business email compromise (BEC) scams: Involving the use of email to scam school business officials and staff members out of sensitive information and large amounts of money, including by issuing fake invoices to districts, by redirecting authorized electronic payments to bank accounts controlled by criminals, and by stealing W-2 tax information of district employees.

Denial of service (DoS) attacks: Intended to make school IT resources unavailable to students and staff by temporarily disrupting their normal functioning.

Website and social media defacement: Involving unauthorized changes such as posting inappropriate language and images to a school website or official social media account.

Online class and school meeting disruption: Involves unauthorized access to online classes and meetings for the purpose of disruption. Invaders usually share hate speech, sharing via shocking images, sounds, and videos and threats of violence. Despite the attention drawn to these incidents and availability of advice on how to defend against them school districts continued to fall prey to these incidents.

Email compromises: Involving the compromise of a school district’s email systems by unauthorized individuals for the purpose of bulk sharing of or links to disturbing images, videos, hate speech, and/or threats of violence to members of the school community.

Recommendations

At minimum, the education sector is advised to implement the following to strengthen cyber resiliency:

  • Consider cyber insurance: Cybersecurity insurance protects businesses against computer-related crimes and losses. This can include targeted attacks, such as malware and phishing, as well as the occasional misplaced laptop containing confidential material.
  • Patching and updating: Staff must install critical updates as soon as they are available. Install and regularly update anti-virus and anti-malware software on all hosts. Disable unused remote access/RDP ports and monitor remote access/RDP logs.
  • Create backups: Regularly back up data, air gap, and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
  • Use strong passwords: Use at least 12 characters, with a mix of numbers, symbols, and capital letters in the middle of the password. Never use the same password for more than one account or for personal and business accounts. Consider using a password manager, an easy-to-access application that stores all valuable password information in one place. Do not share passwords on the phone, in texts, or by email. Implement the shortest acceptable time frame for password changes.
  • Enable MFA: Use multi-factor authentication (MFA) where possible. Also known as two-factor or two-step verification, this security feature requires the combination of at least two of three factors – something you know, something you have, or something you are. Oftentimes, MFA will use a password and either a code or biometric to fulfill MFA requirements to log in to an account. MFA protects accounts even if a password is compromised.
  • Ensure physical security of devices: Do not leave laptops, phones, or other devices unattended in public or even in a locked car. They may contain sensitive information and should be protected against falling into the wrong hands. Turn on device encryption to encrypt all data on each device and reduce the risk to sensitive information in case the device is stolen or misplaced.
  • Think before clicking or sharing information: Every time someone asks for business information, whether in an email, text, phone call, or web form, think about whether the request is trustworthy. Scammers will say or do anything to get account numbers, credit card numbers, Social Security numbers, or other sensitive information. Scammers will rush, pressure, or threaten to get targets to give up company information. Do not click any links in emails, as this can lead to credential compromise or malware installation.
  • Only give sensitive information over encrypted websites: If a company is banking or buying online, stick to sites that use encryption to protect information as it travels from a computer to the server. Look for “https” at the beginning of the web address in the browser’s address bar, as well as on every page of the site being visited – not just the login page.
  • Secure wireless networks: Unsecured routers could easily allow strangers to gain access to sensitive personal or financial information on devices. Users are advised to change their router’s name and password from the default to something unique that only they know. Keep router software up to date and turn off any “remote management” features, which hackers can use to get into the network. Once router setup is complete, log out as administrator to lessen the risk of someone gaining control of the account. Only use secure networks and avoid public Wi-Fi networks. Consider installing and using a virtual private network.
  • Segregation of duties and minimum privileges: Staff must have discrete credentials and relevant privileges based on their job descriptions and needs. The Principle of Least Privilege must be implemented on all accounts and require administrator credentials to install software.
  • Catalog and reduce system dependencies: Critical systems dependencies, such as third-party vendors and processes, should be identified and minimized where possible.
  • Encryption: Devices should implement end-to-end encryption and include embedded security in their processes. In some cases, certificate pinning (SSL pinning) must be required to avoid spoofed devices, and this includes protection from side channel attacks that can compromise encryption keys.
  • Employee training and awareness: All employees working on critical systems must have proper training or certifications to support the elevated threat level of their positions. Human error and phishing attacks are most effectively avoided through proper employee awareness rather than technical means.
  • Trusted procurement procedures: Commercial off-the-shelf hardware and software IT products that are ready-made and available for purchase by the general public must follow strict procurement procedures that only allow installing to certified devices that follow strict security standards.
  • Vulnerability management: All organizations are encouraged to implement vulnerability management policies that include vulnerability assessments, a patch management plan, and penetration testing audits, where feasible, on a regular basis to maintain an understanding of an organization’s risk posture.
  • Network segmentation: All facilities must deploy proper network segmentation, with DMZ configured and network isolation to protect critical systems. Whenever possible, any industrial control systems should not share the same network with internet-accessible devices.
  • Cybersecurity plans: Implement various cybersecurity plans, including continuity of operations plans (COOPs), incident response, disaster recovery, and a data backup plan in which multiple data copies are kept in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud). Establish, test, and update all cybersecurity plans at regular intervals.
  • External email tags: Consider adding an email banner to messages originating outside the organization and disabling hyperlinks in email sent from external accounts.

Increase in Cyber Threat Activity Associated with Iranian State-Sponsored and State-Affiliated Threat Groups

Over the past few weeks, there has been a significant increase in reported activity associated with Iranian state-sponsored or state-affiliated cyber threat groups. One of these cyber threat actors known as Pioneer Kitten, Fox Kitten, Parisite, RUBIDIUM, and Lemon Sandstorm, was observed targeting US and foreign organizations in various sectors, including education, finance, healthcare, defense, and local government entities. A substantial portion of the organization’s US-centric cyber operations involves gaining and retaining technical access to target networks to carry out future ransomware attacks. The perpetrators provide complete control over domains and administrator credentials to multiple networks globally.
Additionally, the FBI noted that a significant percentage of Iran-based cyber threat actors associated with the Government of Iran (GOI) are actively collaborating with ransomware affiliates to deploy ransomware against US organizations and conduct computer network exploitation activities to support the GOI. These actors have collaborated with the ransomware affiliates NoEscape, Ransomhouse, and ALPHV (aka BlackCat). The Iranian cyber actors’ involvement in these ransomware attacks goes beyond providing access; they work closely with ransomware affiliates to lock victim networks and strategize on approaches to extort victims. Their dual objectives of financial gain and espionage underscore the need for heightened international cooperation and the implementation of robust defense strategies.
Furthermore, APT 42, also known as Charming Kitten and associated with Iran’s Islamic Revolutionary Guard Corps (IRGC), was attributed to targeting former members of both the Trump and Biden administrations. In June, APT 42 successfully breached the Trump campaign, stealing internal campaign documents and distributing them to news organizations. Recent observations by US intelligence agencies highlighted Iran’s aggressive efforts to sow discord ahead of the 2024 presidential election. These reports underscore the critical need to counter election deepfakes and promote comprehensive education and awareness regarding possible foreign interference.
Recommendations
Users are encouraged to educate themselves and others on state-sponsored cyber threats and disinformation campaigns to prevent victimization. Implement cybersecurity best practices to reduce risk and increase resiliency to cyber threats. Avoid clicking links, responding to, or otherwise acting on unsolicited text messages or emails. Use strong, unique passwords and enable MFA for all accounts where available, choosing authentication apps or hardware tokens over SMS text-based codes. Keep systems up to date and apply patches after appropriate testing. Utilize monitoring and detection solutions to identify suspicious login attempts and user behavior. Enforce the principle of least privilege, disable unused ports and services, and use web application firewalls (WAFs). Employ a comprehensive data backup plan and ensure operational technology (OT) environments are segmented from the information technology (IT) environments. Regularly perform scheduled backups, keeping an updated copy offline in a separate and secure location, and testing it regularly. Cyber incidents can be reported to the FBI’s IC3 and the NJCCIC.

404 Keylogger Snakes Its Way In

The NJCCIC’s email security solution observed a recent surge in campaigns disseminating 404 Keylogger infostealing malware. 404 Keylogger, also known as SnakeKeylogger, is both a downloader and an information-stealing malware. This malware-as-a-service can steal credentials, log keystrokes, capture screenshots, harvest emails, and grab clipboard data.
The most recent email campaign includes messages claiming to be requests for invoices and product inquiries. The emails contain compressed executables disguised as Microsoft Word documents utilizing Packager Shell Objects (OLE) to exploit vulnerabilities found in Equation Editor. Upon successful exploitation, the LCG Kit downloads and installs AgentTesla and 404 Keylogger.
In another campaign, the phishing emails contained Microsoft Excel attachments. OLE was also utilized to download an HTML Application (HTA) file, which invoked PowerShell to download an executable file to install 404 Keylogger. Once installed, 404 Keylogger issues further PowerShell commands to evade detection and edit scheduled tasks to maintain persistence on the victim’s device. Another security researcher recently alerted users to an uptick in 404 Keylogger attacks; however, the attack vector has not been disclosed despite calling it a zero-day detection.
Recommendations
Avoid clicking links and opening attachments in unsolicited emails. Confirm requests from senders via contact information obtained from verified and official sources. Type official website URLs into browsers manually. Facilitate user awareness training to include these types of phishing-based techniques. Maintain robust and up-to-date endpoint detection tools on every endpoint. Consider leveraging behavior-based detection tools rather than signature-based tools. Report phishing emails and other cyber activity to the FBI’s IC3 and NJCCIC.

#StopRansomware: RansomHub Ransomware

This Joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS) (hereafter referred to as the authoring organizations) released this joint advisory to disseminate known RansomHub ransomware IOCs and TTPs. These have been identified through FBI threat response activities and third-party reporting as recently as August. RansomHub is a ransomware-as-a-service variant—formerly known as Cyclops and Knight—that has established itself as an efficient and successful service model (recently attracting high-profile affiliates from other prominent variants such as LockBit and ALPHV).
Since its inception in February, RansomHub has encrypted and exfiltrated data from at least 210 victims representing the water and wastewater systems, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications critical infrastructure sectors.
The affiliates leverage a double-extortion model by encrypting systems and exfiltrating data to extort victims. It should be noted that data exfiltration methods are dependent on the affiliate conducting the network compromise. The ransom note dropped during encryption does not generally include an initial ransom demand or payment instructions. Instead, the note provides victims with a client ID and instructs them to contact the ransomware group via a unique .onion URL (reachable through the Tor browser). The ransom note typically gives victims between three and 90 days to pay the ransom (depending on the affiliate) before the ransomware group publishes their data on the RansomHub Tor data leak site.
The authoring organizations encourage network defenders to implement the recommendations in the mitigations section of this joint advisory to reduce the likelihood and impact of ransomware incidents.

CISA and Partners Release Advisory on Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations



Today, CISA—in partnership with the Federal Bureau of Investigation (FBI)
and the Department of Defense Cyber Crime Center (DC3)—released Iran-based
Cyber Actors Enabling Ransomware Attacks on U.S. Organizations
. This joint
advisory warns of cyber actors, known in the private sector as Pioneer Kitten,
UNC757, Parisite, Rubidium, and Lemon Sandstorm, targeting and exploiting U.S.
and foreign organizations across multiple sectors in the U.S. 



FBI investigations conducted as recently as August 2024 assess that cyber
actors like Pioneer Kitten are connected with the Government of Iran (GOI) and
linked to an Iranian information technology (IT) company. Their malicious cyber
operations are aimed at deploying ransomware attacks to obtain and develop
network access. These operations aid malicious cyber actors in further
collaborating with affiliate actors to continue deploying ransomware. 



This advisory highlights similarities to a previous advisory, Iran-Based Threat
Actor Exploits VPN Vulnerabilities
published on Sept. 15, 2020, and
provides known indicators of compromise (IOCs) and tactics, techniques, and
procedures (TTPs). 



CISA and partners encourage critical infrastructure organizations to review
and implement the mitigations provided in this joint advisory to reduce the
likelihood and impact of ransomware incidents. For more information on Iranian
state-sponsored threat actor activity, see CISA’s Iran Cyber Threat Overview
and Advisories
page. 



See #StopRansomware along with the updated #StopRansomware Guide for additional guidance on ransomware protection, detection, and response. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.



Join the NIST Privacy Framework Team | Further Develop the Data Governance & Management Profile

Dear Colleagues,    

Building on the valuable stakeholder feedback received during the Ready, Set, Update! Privacy Framework 1.1 + DGM Profile Workshop this past June, we are pleased to announce that we will host a series of public working sessions this fall to further shape the joint NIST Frameworks Data Governance and Management (DGM) Profile. This next phase in the DGM Profile development will offer stakeholders the opportunity to engage in collaborative discussions to shape the content of the DGM Profile Initial Public Draft.

The first set of working sessions will take place the week of September 9, 2024 and will be dedicated to the topic of data governance and management activities. These working sessions will be virtual and will consist of both guided and open discussions. Each session will cover the same material, so there is no need to attend more than one.

To accommodate participants across various time zones, we will hold the virtual sessions during the following days and times:

All information relative to the working sessions, including registration, is available on the Privacy Framework’s New Projects page. Pre-read materials will be released in advance of the working sessions.

We invite you to bring your expertise and join us as we advance the development of this important resource! If you have any questions, feel free to reach out to us at [email protected].


Best,  

NIST Privacy Framework Team 

Register Here

Multiple Vulnerabilities in SolarWinds Web Help Desk

Multiple vulnerabilities have been discovered in SolarWinds Web Help Desk (WHD), the most severe of which could allow for remote code execution. WHD is a SolarWinds IT help desk solution. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the system. Depending on the privileges associated with the system, an attacker could then install programs; view, change, or delete data.
Threat Intelligence CISA reports CVE-2024-28986 is being actively exploited in the wild.​​​
Systems Affected
Web Help Desk prior to 12.8.3 Hotfix 2
Risk
Government:
– Large and medium government entities: High – Small government entities: High
Businesses: – Large and medium business entities: High
– Small business entities: High
Home Users: Low
Recommendations
Apply appropriate updates provided by SolarWinds to vulnerable systems immediately after appropriate testing. Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
Reference
SolarWinds: 
https://support.solarwinds.com/SuccessCenter/s/article/SolarWinds-Web-Help-Desk-12-8-3-Hotfix-2

Multiple Vulnerabilities in Google Chrome

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Threat Intelligence Google is aware that an exploit for CVE-2024-7971 exists in the wild.
Systems Affected
Chrome prior to 128.0.6613.84/.85 for Windows and Mac Chrome prior to 128.0.6613.84 for Linux
Risk
Government:
– Large and medium government entities: High – Small government entities: Medium
Businesses: – Large and medium business entities: High
– Small business entities: Medium
Home Users: Low
Recommendations
Apply appropriate updates provided by Google to vulnerable systems immediately after appropriate testing. Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Restrict execution of code to a virtual environment on or in transit to an endpoint system. Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc. Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from untrusted sources. Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
Reference
Google: 
https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_21.html

Employment Scams Delivered Via Text Messages Increase

Employment scams are increasing, and scammers are devising new methods to target unsuspecting job seekers. Recently observed scams more frequently begin with a text message, initiating conversations about a potential job opportunity. The scammer claims to be a recruiter who expresses interest in the target’s compatibility for a vacant position and attempts to ascertain the target’s willingness to explore the opportunity further. The message outlines the position’s benefits, which include remote work, flexible hours, and potential average daily pay ranging from $100 to $1,000 or more.
They may inquire about work experience, salary expectations, and other typical employment concerns. To avoid detection, they often request to continue the conversation on an encrypted chat platform like WhatsApp. Legitimate companies typically do not request that applicants send materials through instant messaging services.
Once the conversation moves to a different platform, they may ask for personal information, such as a Social Security number (SSN), a photo of the target’s driver’s license, and banking details, claiming they need to set up direct deposit. Scammers may also ask job seekers to pay processing or application fees or to pay for training. The victim may receive a fraudulent invoice for equipment, with instructions to pay using cash, Zelle, or PayPal and a promise of reimbursement.
Consumer advocates warn that a weakening US labor market may make job seekers more susceptible to these scams. According to the Federal Trade Commission (FTC) data, consumers have lost nearly $24 million to job and employment agency text scams this year. Users are more likely to read text messages than answer phone calls, making text messages a preferred contact method for scammers. Recent data from the Identity Theft Resource Center shows that the number of reported job scams increased by 118 percent from 2022 to 2023, and researchers predict a further increase this year.
Recommendations
Educate yourself and others about these and similar scams. Legitimate businesses typically will not ask you to contact them via social media platforms. Refrain from clicking on or contacting unknown telephone numbers found in unsolicited pop-up notifications, or links and attachments delivered via emails or text messages. Avoid downloading software at the request of unknown individuals, and refrain from divulging sensitive information or providing funds. Confirm the legitimacy of requests by contacting the careers section of a company’s official website or consider calling the company’s human resources department to verify if the job offer is legitimate.  Report malicious cyber activity to the FTC, FBI’s IC3, and the  NJCCIC.

Brand Impersonation Scams Continue

Businesses in the Information Technology sector act as critical service providers and part of a supply chain, store sensitive information, provide access to other accounts, and frequently engage with customers. These businesses deliver essential and frequently used services, such as email and other communications, cloud storage, online shopping, and more, increasing the likelihood that users will quickly respond to messages or inquiries from familiar and trustworthy brands. As of the second quarter of 2024, this sector ranks at the top of the list in brand impersonation and is an attractive and valuable target. Threat actors continue impersonating major technology companies, such as Google, Zoom, Facebook, Microsoft, and Apple, and their legitimate products and services. They use social engineering to lure their targets through communications or malicious ads, introduce scare tactics, and attempt to steal personal data, financial information, account credentials, and funds.

In the past month, PINEAPPLE and FLUXROOT hacker groups leveraged Google Cloud serverless projects to deliver and communicate with their malware, host and direct targets to phishing websites, and run malware and execute malicious scripts. In a separate campaign, threat actors abused Google Ads to post malicious ads that appeared official and verified by Google. If the user clicked on the malicious ad, they were redirected to a fake Google Authenticator site that inadvertently led to a signed payload hosted on GitHub. If installed, personal data would be at risk of being stolen via the attacker-controlled phishing website. 

Additionally, threat actors targeted cryptocurrency investors and NFT holders, invited them to a Zoom meeting, and provided a malicious link that, if clicked, downloaded malware, added itself to the Windows Defender exclusion list, and stole funds. In a separate campaign, threat actors used Facebook to create fake pages, groups, ads, and content of popular generative artificial intelligence (AI) brands with malicious links that, if clicked, downloaded malware to steal passwords, cryptocurrency wallets, and information stored in the browser. Furthermore, threat actors spoofed the caller ID to display Microsoft’s name or number. They impersonated Microsoft employees or representatives to make fraudulent calls to trick potential victims into divulging personal or financial information.

Image Source: Malwarebytes

Threat actors are impersonating Google’s entire product line via malicious Google Search ads to direct potential victims to spoofed websites and Microsoft and Apple tech support scams. These malicious ads point to Google Search, Translate, Flights, Analytics, Calendar, Earth, Maps, Meet, and more. Upon closer inspection, the URLs of these ads are hosted on Looker Studio and contain an image of the Google Search home page that displays in full-screen mode. When the image is clicked, an embedded link launches a new tab to redirect the victim to a fake Microsoft or Apple alert page attempting to hijack the browser, play a recording, claim that the computer has been blocked, and advise the victim to contact support via the provided phone number. The threat actors behind the fake support number purport to be Microsoft or Apple representatives and persuade victims to purchase gift cards or log into their bank accounts to pay for the phony repair.

The NJCCIC’s email security solution detected multiple credential phishing campaigns targeting New Jersey State employees using legitimate products and services of major technology companies. In one campaign, threat actors utilize several products of the Google suite, including Gmail, Calendar, Forms, and Meet, to send phishing emails as calendar invitations to verify Bitcoin funds will be transferred. A Gmail user sends the calendar invitation to the target and other purported guests utilizing Gmail accounts, and it claims funds are currently being withdrawn to create a sense of urgency. One link in the calendar invitation directs the target to a Google Meet session, which initially displays that no camera was found and prompts the user for permission to access their microphone. Then, instead of waiting to be let into the session, the target can sign in with their Google account credentials. To supposedly validate the particulars, another link in the calendar invitation directs the target to a Google Forms page and, if submitted, displays a Bitcoin-themed landing page, utilizing the hxxps://globalminingbit[.]top domain, to receive Bitcoin bonus funds. After several redirects, clicking multiple buttons, and communicating with a chat representative, the target is prompted for their name, email address, financial information, and account information to receive the funds.

Threat actors are also sending fraudulent Zoom invitations in credential phishing campaigns. If the Zoom link is clicked, targets are directed to a fraudulent Microsoft SharePoint page with the organization’s branding, pointing to a newly registered hxxps://thepivoproject[.]com domain appended with the target’s email address and followed by a client identifier with random characters. If credentials are submitted on this phishing page, they are sent to the threat actors in the background.

Recommendations

  • Refrain from answering unexpected calls from unknown contacts. When receiving unsolicited phone calls, do not respond to any requests for sensitive information or access.
  • Avoid responding to messages, clicking links, or opening attachments from unknown or unverified senders, and exercise caution with emails from known senders.
  • Confirm the legitimacy of requests by contacting the sender via a separate means of communication, such as by phone, using contact information obtained from official sources before responding, divulging sensitive information, or providing funds.
  • Navigate directly to legitimate websites and verify before submitting account credentials or providing personal or financial information.
  • Use strong, unique passwords and enable multi-factor authentication (MFA) where available, choosing authentication apps or hardware tokens over SMS text-based codes.
  • Reduce your digital footprint so that threat actors cannot easily target you.
  • Report malicious cyber activity to the FBI’s IC3 and the NJCCIC.