Public Safety

CIS has confirmed that a phishing email was received by some recipients in the Central Office. While CIS continues its investigation, containment and remediation activities, please review the following information and take action as appropriate.

Security Threat Identification / Symptoms

A phishing email with a subject of “CUNY : 'Earn $500 weekly'” There may be other versions. Do NOT click or respond to the request within the message. An illustrative sample of the message is included at the bottom of this alert.

If you think you have already been impacted by this security threat

If you received this message or one like it, delete it and do not respond or reply to the message. If you already responded to the phishing email, immediately contact the CIS Service Desk at service.desk@cuny.edu or 646-664-2311

Recommended User Action

• DO NOT reply to unexpected or unusual email from any sender.
• DO be particularly cautious when the “external source” warning banner is present
• DO NOT reply to email with any personal information or passwords. If you have reason to believe that the request is real, call the institution or company directly
• DO NOT click a link or open an attachment in an unsolicited email message. If you have reason to believe the request is real, type the web address for the company or institution directly into your web browser
• DO NOT use the same password for your work account, bank, Facebook, etc. In the event you do fall victim to a phishing attempt, perpetrators attempt to use your compromised password to access many online services
• DO change ALL of your passwords if you suspect any account you have access to may be compromised
• DO be particularly cautious when reading email on a mobile device. It may be easier to miss telltale signs of phishing attempts when reading email on a smaller screen
• DO remember that official communications should not solicit personal information by email
• DO read the CUNY Phishing Advisory posted at security.cuny.edu under CUNY Issued Security Advisories
• DO complete information security awareness training located at security.cuny.edu

Security Threat Explained

This phishing message attempts to lure recipients into opening a fake job offer attachment and respond by email with personal information.

Security Alert Updates

CIS will send an update if/when there is more information to share.

Robert N. Berlinger, CISSP
CHIEF INFORMATION SECURITY OFFICER CITY UNIVERSITY OF NEW YORK security.cuny.edu

Fraudulent phishing email sample:

The FBI’s Criminal Investigative Division and the National Center for Missing & Exploited Children (NCMEC), in coordination with the Office of Private Sector (OPS)/Information Sharing and Analysis Unit (ISAU) prepared this Academia Engagement Report (AER) to inform school officials who maintain regular contact with students about the increase in financially-motivated sextortiona cases targeting minor males.

In this scheme, the predator, posing online as a young female, contacts the victim over any online platform used to meet and communicate, such as a game, app, or social media account, and uses deception and manipulation to convince the victim, typically a young male between 14 and 17-years-old, to engage in sexually explicit activity over video. The predator then reveals they secretly recorded the explicit activity and threatens to post the videos online or distribute them to the victim’s friends or family unless the victim sends the predator money or gift cards.

The exploitation can be quick, and extortion may occur within hours of the first contact. Reporting indicates paying the predator does not guarantee the sextortion will end; in most cases where the victim provided payment, the predator typically responded with additional monetary demands, and in some cases, distributed the victim’s illicit photographs or videos to their friends or family despite receiving payment to prevent that from happening. Additionally, some victims have reported they were told to follow certain other suspected predator social media accounts when they indicated they did not have the ability to pay the predator. This is potentially a way for the predators to lend legitimacy to online accounts used to perpetrate this scheme.

An account with no or few friends or followers would appear more suspicious than an account with more friends or followers which would have a greater appearance of being a legitimate account of a real individual. This could also be a way to widen the pool of potential targets for predator accounts by giving them visibility and access to the victim’s circle of friends and followers, increasing victimization of other minors.

The threats and continued harassment by these predators have resulted in the suicides of multiple minor male victims. The FBI is providing the following case examples:

• In March 2022, a predator purporting to be a young woman contacted a 17-year-old male victim in Michigan via social media and enticed the victim to provide nude photos of himself. After receiving the photos, the predator threatened to send them to the victim’s friends if the victim did not send money. The victim paid $300; however, the predator then asked for more money, which the victim did not have. The victim died by suicide later that same day. After his death, the predator distributed the illicit photos of the victim to the victim’s friends and attempted to extort one of them for additional money.
• In October 2021, a predator contacted a 17-year-old male victim in Mississippi via social media. After the victim was coerced into sending nude photographs of himself to the predator, the predator threatened to share those photographs with the victim’s friends and family unless the victim sent $800. The victim died by suicide the same day he received the threatening messages.
• In March 2021, a predator enticed a 17-year-old male victim in Montana to send nude photos via social media. After receiving the photos, the predator demanded money or threatened to release the photos of the victim. The victim died by suicide within hours of receiving those threatening messages. Following the victim’s death, the predator sent the victim’s nude photos to the victim’s sister and threatened to distribute the victim’s photos to a wider audience if she did not provide payment.

In 2021, the FBI’s Internet Crime Complaint Center (IC3) received over 18,000 sextortion-related complaints, with losses over $13.6 million. This number reflects all types of sextortion reported, not just this particular scheme.

Tips to Prevent Victimization

The FBI provides the following tips to teachers and educators to help protect their students online:

• Encourage students to:
  • Be selective about what they share online, especially personal information and passwords. If their social media accounts are open to everyone, a predator may have access to exploitable information about them.
  • Be wary of anyone they encounter for the first time online, and to block or ignore messages from strangers.
  • Be aware people can pretend to be anyone online. Videos and photos are not proof a person is who they claim to be.
  • Be suspicious if you meet someone on a game or app and they ask you to talk to them on a different platform.
  • Report any behavior regarding the solicitation or sharing of exploitative images to the platform.
• Encourage parents to:
  • Educate themselves on computer applications, internet websites, and online forums used by children.
  • Regularly supervise children’s internet-related activities.
  • Talk to children about sextortion, how to prevent it, and what to do if it happens to them.

Recognizing Warning Signs

Victims of sextortion may exhibit the following:

• Withdrawal from family and friends,
• Drop in grades or withdrawal from typical activities,
• Abnormal behaviors, such as elevated anxiety, fear, or unexplained anger,
• Psychological or physical trauma,
• Self-harming ideation or actions, or
• Unexplained sense of urgency to “escape” to a different location to meet a perpetrator’s demands.

The sextortion may happen quickly or there may be no behavioral changes, so it is important to have open communication with minors about their online activity.

Supporting Sextortion Victims

Minors are often embarrassed or scared to report victimization, something predators depend on to encourage compliance. Further, predators often tell victims they will be arrested for sending child sexual abuse material if they report anything. This is not true. In an effort to encourage victims to come forward, reinforce the following messaging to minors:

• They are not alone – authorities receive thousands of sextortion-related complaints every year.
• They are not at fault and have done nothing wrong – they are victims.
• They will not be in legal trouble.
• They should feel comfortable talking with someone they trust about sextortion, such as a parent, teacher, coach, or school counselor.
• Coming forward can assist in identifying and apprehending predators who victimized them and others.
• Coming forward can prevent others from going through the same ordeal.
• The National Center for Missing and Exploited Children (NCMEC) can help when requesting removal of victim images and material from the internet.

Reporting Sextortion

The coercion of a minor by an adult to produce child sexual abuse material carries severe penalties, which can include up to life sentences for the offender. To stop victimization, minors typically have to report it to someone – normally a parent, teacher, caregiver, or law enforcement officer. The embarrassment children feel from the activity they were forced to engage in is what typically prevents them from reporting. Sextortion offenders may have hundreds of victims around the world, so coming forward to help law enforcement identify the offender may prevent countless other incidents of sexual exploitation to that victim and others. If you believe someone you know is the victim of sextortion:

• Contact appropriate authorities through any of the following:
  • Your local FBI field office or closest international office (contact information can be found at the FBI website);
  • Toll free: 1-800-CALL-FBI (225-5324);
  • The FBI’s Internet Crime Complaint Center (IC3) website; or
  • The National Center for Missing and Exploited Children (1-800-the-lost or Cybertipline.org).
• Do not delete anything before law enforcement reviews it.
• Provide law enforcement detailed descriptions of the encounters you had online; it may be embarrassing, but it is necessary to find and stop the offender.

Find more information about sextortion.

This Academia Engagement Report was disseminated from OPS’s ISAU. Direct any requests and questions to your FBI Private Sector Coordinator at your local FBI Field Office.

CIS is advising the CUNY community regarding so-called “Secret Shopper” and “Gift Card” scams. Please familiarize yourself with these scams.

Security Threat Identification / Symptoms

Emails containing an offer of employment to be a “secret shopper” or “personal assistant.” Such unsolicited offers are scams. Sometimes the message is sent from a CUNY email address whose account has been compromised or references a CUNY “job placement” office, to lend “legitimacy” to the email.

Recommended User Action

• DO NOT reply to unexpected or unusual emails from any sender.
• DO NOT reply to email with any personal information or passwords. If you have reason to believe that the request is real, call the institution or company directly.
• DO NOT click a link or open an attachment in an unsolicited email message. If you have reason to believe the request is real, type the web address for the company or institution directly into your web browser.
• DO NOT use the same password for your work account, bank, Facebook, etc. In the event you do fall victim to a phishing attempt, perpetrators attempt to use your compromised password to access many online services.
• DO change ALL your passwords if you suspect any account you have access to may be compromised.
• DO be particularly cautious when reading email on a mobile device. It may be easier to miss telltale signs of phishing attempts when reading email on a smaller screen.
• DO remember that official communications should not solicit personal information by email.
• DO complete the 40-minute information security awareness training located at security.cuny.edu.

Security Threat Explained

In these scams, which are often directed at students, an unsolicited secret shopper or personal assistant employment offer is sent by email, sometimes appearing as if sent by a fellow student.

When a victim responds, the scammer will typically arrange to send the victim a (fake) check and request that it be cashed or deposited immediately. The check amount is represented as both pay for work to be performed and expense money to accomplish requested services. The victim is then typically instructed to purchase gifts cards and send back pictures of them with the PIN codes visible. The scammers use the codes to spend the value of the gift cards.

It can take the bank weeks to determine that the check is fake, and when that happens the victim is left responsible for any money advanced and suffers a financial loss from the previously purchased, and now worthless, gift cards.

The fact that legitimate secret shopper jobs exist bolsters the credibility of the scam. The offer email may also refer to a CUNY “job placement” office.

What is a Secret Shopper

Some marketing/merchandising companies legitimately hire “secret” or “mystery” shoppers as a quality assurance measure. Such shoppers anonymously purchase requested items in a store and then report on the experience. Typically, the shopper is reimbursed and sometimes the shopper keeps the purchase and/or receives a small payment. The vast majority of unsolicited secret shopper or personal assistant job offers, however, are scams.

Secret Shopper Scam Recruitment Examples

CUNY has recently experienced several instances of fraudulent, COVID-themed phishing attempts. The intent of this alert is to raise awareness of this ongoing campaign. Please review the following information which can help you recognize similar phishing attempts should one be directed to you.

Security Threat Identification/Symptom

Be on the lookout for phishing email in which COVID-19-related grant money, benefits or a stay-at-home job is offered. Emails may be entitled “Important/Urgent Message from the College Finance Department,” “COVID-19 Benefits” or similar. The email or email attachment contains a link to “sign up” for the fraudulent offers. Please note that the sender of the phishing email could be from a CUNY email account that has been compromised. Samples of several such phishing emails are included at the bottom of this message.

If you think you have already been impacted by this security threat

If you believe you are a victim of an online scam or malware campaign, please report it to the CUNY CIS Service Desk (service.desk@cuny.edu, 646-664-2311) and consider the following actions:

• • Advise your financial institution immediately of any account information that may have been compromised. Watch for unexplained charges to your account.
  • Immediately change any passwords that you might have revealed. If you used the same password for multiple websites make sure to change it for each account, and do not use that same password in the future.
  • Go to https://www.identitytheft.gov/ for information on reporting identity theft.

Recommended User Action

• DO NOT reply to unexpected or unusual email from any sender.
• DO be particularly cautious when the “external source” warning banner is present.
• DO NOT reply to email with, or provide any, personal information or passwords. If you have reason to believe that a request is real, call the department, institution or company directly.
• DO NOT click a link or open an attachment in an unsolicited email message. If you have reason to believe the request is real, type the web address for the company or institution directly into your web browser.
• DO NOT use the same password for your work account, bank, Facebook, etc. In the event you do fall victim to a phishing attempt, perpetrators attempt to use your compromised password to access many online services.
• DO change ALL of your passwords if you suspect any account you have access to may be compromised.
• DO be particularly cautious when reading email on a mobile device. It may be easier to miss telltale signs of phishing attempts when reading email on a smaller screen.
• DO remember that official communications should not solicit personal information by email.
• DO read the CUNY Phishing Advisory posted at security.cuny.edu under CUNY Issued Security Advisories.
• DO complete information security awareness training located at security.cuny.edu.

Security Threat Explained

Such phishing messages request that the recipient click on a link in the email or in an attachment that requests personal or login/password credential information to be entered. The associated website is fraudulent. Information entered in response to the phish is harvested by malicious actors to be used to conduct identity theft, account compromise, data theft, etc.

Security Alert Updates

CIS will send an update if/when there is more information to share.

Novel Version of SHARPEXT Malicious Browser Extension Attributed to North Korea

Summary

The Federal Bureau of Investigation (FBI) is releasing this Private Industry Notification to alert private sector partners to a novel version of the SHARPEXT malware, attributed to the North Korean advanced persistent threat (APT) Kimsuky. As of September 2022, the novel SHARPEXT malware was capable of infecting devices through web browser extensions on Firefox, as well as on previously-reported browsers Microsoft Edge, Google Chrome, and Naver Whale.

Threat

After a victim is compromised, APT Kimsuky actors deploy the SHARPEXT– malicious browser extension, which enables them to directly inspect and exfiltrate data from a victim’s webmail account. As of September 2022, the FBI identified a novel Firefox-based version of SHARPEXT, whose capabilities were previously documented in open source reports against Microsoft Edge, Google Chrome, and Naver Whale. The process of installing the malicious extension begins with the execution of PowerShell scripts that exfiltrate the following key Firefox profile-related files:

• Extension-preferences.json
• Extensions.json
• Prefs.js
• Xulstore.json

Upon execution, a script placed on the victim’s Startup folder replaces these files in the victim’s default Firefox profile as part of the following set of actions:

1. Kill firefox.exe via taskkill.exe
2. Create a custom directory named “extentions” [sic]1 under the default Firefox profile’s directory in %APPDATA%.
3. Download files named extension-preferences.json, extensions.json, prefs.json, xulstore.json into the default Firefox profile directory from secmets[.]live/plugin/dlee/cow.php?op=. This overwrites the existing (and previously exfiltrated) versions of these files.
4. Download an .xpi file to the previously-created subdirectory. The .xpi filetype is used for packaging Firefox extensions, and is simply a renamed .zip archive containing JavaScript and other supporting files for the Firefox extension.

FBI analysis revealed the extension to be a HTTP traffic inspector, with the ability to pull and download arbitrary JavaScript code from a command and control server. The extension also contains a variety of helper functions, which the FBI assesses are meant to support code that the extension could download and run when executed.

Recommendations

The FBI recommends the blacklisting of the following SHARPEXT command and control servers:

• Gonamod[.]com
• Secmets[.]live
• Siekis[.]com
• Worldinfocontact[.]club

The FBI further recommends its partners search for the misspelled custom directory name, “extentions,” within their customers’ default Firefox profile directory in %APPDATA%.

For additional information regarding SHARPEXT, please see:

• Volexity: “SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT,” 28 July 2022.

Reporting Notice

The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or the FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at www.fbi.gov/contact-us/field-offices. CyWatch can be contacted by phone at 855-292-3937 or by e-mail at CyWatch@fbi.gov. When available, each report submitted should include the date, time, location, type of activity, number of people, type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact. Press inquiries should be directed to the FBI’s National Press Office at npo@fbi.gov or (202) 324-3691.

Social Media Scam

How It Starts

This scam usually begins on social media or through receiving a random text.

On social media, the suspect will create a fake account and then build up “friends” to give the account credibility. They will then have friends in common with you, and will use these mutual friends as part of the ploy to gain your trust. Often, the fake account is female and the victim is male. The fake account will begin a dialogue with the victim that turns sexual in nature and will send explicit photos to the victim. They will then ask for explicit photos in return.

Please note that the same scenario can happen over text message. The suspect will pretend to have texted the wrong number but then start a conversation to develop rapport and gain your trust.

Whether on social media or through text, another variation of this scam is a third party will enter the conversation. They will claim to be a parent and accuse you of sending explicit content to a minor. They will threaten to call law enforcement and have you arrested if you do not pay.

Photos and Extortion

If you send explicit photos, the extortion starts. They will demand money and threaten to send your photos to all your friends, school, work and other public domains if you do not pay.

Even if you pay, they will continue the threats and will ask for more money.

If you did not send any photos, they will use your available social media photos to create fake explicit photos of you. They will then threaten to release them the same way if you do not pay.

What You Can Do to Prevent This

• Never send any explicit photos of yourself to anyone.
• Do not talk to strangers or accept friend requests from unknown parties.
• Remember that accounts get hacked all the time. Even if you know the person, that person may not be who you think it is.

If You Are Being Threatened with Extortion

• Do not respond
• Block the number
• Notify the authorities immediately:
  • Campus Safety: (914) 633-2560. We can provide resources and help you navigate the process.
  • New Rochelle Police Department: (914) 654-2300
  • FBI: 1-800-CALL-FBI

Most suspects are located overseas and it may be difficult for local law enforcement to prosecute them. It is likely you will be referred to the FBI. While there is little chance of recovering any money that may have been sent, reporting the crime may help to ensure it does not happen again.