SecureIT

February 9, 2010

Minor Phishing Attack – “lehigh.edu email account upgrade”

Filed under: Notifications — ddevlin @ 9:50 am

This morning some members of the Brandeis community received the following fraudulent email message purporting to be from the IT group at Lehigh. It is clearly not authentic and should be moved to your email Junk folder or deleted. If anyone accidentally responds, please change your UNet password and notify the Help Desk or Information Security.

Thank you for your continued diligence and cooperation in noticing and not responding to these.

Dennis Devlin
Chief Information Security Officer

Sample of Fraudulent Email Message Follows Below:

lehigh.edu email account upgrade

Your kku email account needs to be upgraded to our new F-Secure® HTK4S anti-virus/anti-spam 2010 version.
Fill the columns below and send to the email below or your account will be suspended temporarily from our services.

USERNAME:
PASSWORD:
PHONE NUMBER:

 lehigh.edu Web-Administrative Team

 Send response to James Walter on jameswalter001@mail2consultant.com

This message was sent using IMP, the Internet Messaging Program.
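The sample above shows several traits that can be checked mechanically: a blank password form, a suspension threat, a reply address outside the claimed organisation, and a body that names a different organisation's account ("kku"). The following is an added example, not part of the original post; the function name, indicator labels and the benign notice are assumptions made for illustration.

```python
import re

# Body of the fraudulent message quoted in this post (abridged), as sample input.
SAMPLE = """lehigh.edu email account upgrade
Your kku email account needs to be upgraded to our new anti-virus/anti-spam 2010 version.
Fill the columns below and send to the email below or your account will be suspended temporarily from our services.
USERNAME:
PASSWORD:
PHONE NUMBER:
lehigh.edu Web-Administrative Team
Send response to James Walter on jameswalter001@mail2consultant.com
"""

# Constructed benign notice, for contrast.
BENIGN = """The lehigh.edu mail servers will be offline for maintenance on Saturday.
Questions can go to helpdesk@lehigh.edu
"""

FORM_FIELD = re.compile(r"^[ \t]*(username|password)[ \t]*:[ \t]*$", re.I | re.M)
THREAT = re.compile(r"\b(?:suspend|deactivat|terminat)\w*", re.I)
ADDRESS = re.compile(r"[\w.+-]+@((?:[\w-]+\.)+[a-z]{2,})", re.I)
OTHER_ORG = re.compile(r"\byour\s+(\S+)\s+e-?mail account", re.I)


def phishing_indicators(body, claimed_domain):
    """List the indicators found in a body that claims to come from claimed_domain."""
    claimed = claimed_domain.lower()
    found = []
    # 1. A blank form asking the reader to type a password into a reply.
    if "password" in {f.lower() for f in FORM_FIELD.findall(body)}:
        found.append("asks_for_password")
    # 2. Pressure: the account is threatened unless the reader complies.
    if THREAT.search(body):
        found.append("account_threat")
    # 3. Replies are directed to an address outside the claimed organisation.
    for domain in sorted({d.lower() for d in ADDRESS.findall(body)}):
        if domain != claimed and not domain.endswith("." + claimed):
            found.append("reply_off_domain:" + domain)
    # 4. Heuristic: the body names another organisation's account (reused template).
    m = OTHER_ORG.search(body)
    if m and m.group(1).lower() not in claimed:
        found.append("names_other_org:" + m.group(1).lower())
    return found


if __name__ == "__main__":
    print(phishing_indicators(SAMPLE, "lehigh.edu"))
    print(phishing_indicators(BENIGN, "lehigh.edu"))
```

Any one indicator alone is weak evidence; the combination of a password form with an off-domain reply address is what makes a message like this one safe to junk without further analysis.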

January 22, 2010

Targeted Attack Using “Operation Aurora” as the Lure

Filed under: Notifications — gmoore @ 11:34 am

**Re-posting from the F-Secure blog**

In the middle of all the attention to the “Operation Aurora” attacks, we’re now seeing new targeted attacks that are using this very event as the lure to get the targets to open a malicious attachment!

Here’s the e-mail we saw (the mail was forged to look like it came from gwu.edu):

From: david████@gwu.edu
Date: Wed, 20 Jan 2010 09:26:24
To: (email addresses of the targets)
Subject: Chinese cyberattack

Colleagues,

Attached is a short piece I just wrote for the Far Eastern Economic Review about Chinese cyberattack.
I hope you find it interesting.

If you have any good idea / comments, are warmly welcome to feedback.

Best,

David
Attachment: Chinese cyberattack.pdf

The attachment Chinese cyberattack.pdf (md5: 238ecf8c0aee8bfd216cf3cad5d82448) is a PDF file which exploits the CVE-2009-4324 vulnerability in Adobe Reader (again, this is the one which was patched last week).

The exploit drops and runs a backdoor called Acrobat.exe (md5: 72170fc42ae1ca8a838843a55e293435). We detect this as W32/PoisonIvy.NQ. The PDF is detected as Trojan.Script.256073.

August 21, 2009

Digital Self-Defense 2009-2010

Filed under: Notifications — David Mandelberg @ 11:51 am

Orientation is underway and we’re doing our part with our updated Digital Self-Defense series to make sure incoming first-years are educated about information security.

The main resource workshop for first-years will be in Alumni Lounge in Usdan on Wednesday, August 26 from 10:30am to 11:30am. We will be going over the current threat landscape on campus and letting students know what they can do to protect themselves and their friends.

The handout we’ll be loosely basing our presentation on is available in PDF form here. The Facebook event page is here.
