TLP: WHITE MS-ISAC CYBER ALERT

Subject: MS-ISAC Cyber Alert

CIS and MS-ISAC Branding Used in Fraud Campaigns

On April 24-25, 2017, the Center for Internet Security (CIS) received multiple reports that CIS and Multi-State Information Sharing and Analysis Center (MS-ISAC) branding was used in both phishing emails sent to members and a Tech Support Scam call against citizens. These fraudulent activities are not affiliated with CIS in any capacity and we ask that anyone receiving phishing emails or a Tech Support Scam call, using any of the CIS names or branding, report the activity to the CIS Security Operations Center (SOC) at SOC@cisecurity.org.

  • Phishing - The MS-ISAC received reports of phishing emails sent to members from an email address that uses the MS-ISAC name as the email alias. The alias, email text, and attachment name vary among the emails, but the emails are always short, include a reference to the attached PDF file, and close with “MS-ISAC.” The attachment is infected with the Emotet banking Trojan.

Key indicators for these phishing emails are:

  • The email is sent from an email address that uses “MS-ISAC” or something similar as the alias.
  • The actual sender email address varies, but is not affiliated with CIS or the MS-ISAC.
  • The text of the email is typically short and includes a reference to the attachment, encouraging the recipient to open it.

The emails always close with “MS-ISAC.” Example email bodies include:

  • “Your report is attached in PDF format. Attachments: <attachment name>.pdf Thanks for your business! MS-ISAC”
  • “Your report is attached in PDF format. <attachment name>.pdf. Thanks for your business! MS-ISAC”
  • “Your report is attached in PDF format. <attachment name>.pdf Regards, MS-ISAC”

The attachments include hyperlinks going to: hXXp://jesslove[.]com[.]au/view-pdf-MNxq-83285-RYOm/

Of note, the MS-ISAC is aware that Department of Homeland Security (DHS) programs may be named in related phishing campaigns. Other names being used include the National Cybersecurity & Communications Integration Center (NCCIC) and the Homeland Security Information Network (HSIN).

  • Tech Support Scam - A citizen reported receiving a phone call from the CIS “Benchmarks Cyber Support.” The caller claimed that the citizen had infected hosts on their network. This follows the classic Tech Support Call scam format, which frequently references well-known software and cyber security companies in an effort to add legitimacy to the call.
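One way to turn the key indicators above into a mailbox or gateway check, as an added example that is not part of the original alert: it parses a message, flags a From display name that claims CIS or MS-ISAC branding when the sender domain is not msisac.org or cisecurity.org (the only domains the alert says MS-ISAC mail originates from), and records the short-body, PDF-reference, "MS-ISAC" closing and PDF-attachment traits as corroboration, so a lure that drops the branded alias but keeps the template is still caught. It assumes the gateway already enforces SPF/DMARC so the From header domain can be trusted; the sample messages, addresses and file names are constructed for the example.

```python
"""Detection check for the phishing indicators described in this alert.

Added example, not from the original MS-ISAC alert. Flags messages whose
From display name claims CIS/MS-ISAC branding while the real sender domain
is not msisac.org or cisecurity.org, and records the body/attachment traits
the alert lists as corroboration. Assumption: the gateway has already
enforced SPF/DMARC, so the From header domain is trustworthy. All sample
messages below are constructed, not real captures.
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

LEGIT_DOMAINS = ("msisac.org", "cisecurity.org")
# Brands the alert says are being impersonated (CIS, MS-ISAC, DHS programs).
BRAND_RE = re.compile(
    r"\b(ms[\s\-_]?isac|cis|cisecurity|nccic|hsin|homeland security)\b", re.I)
ATTACH_RE = re.compile(r"attached in pdf format|\.pdf\b", re.I)
CLOSING_RE = re.compile(r"ms[\s\-_]?isac\.?", re.I)
SHORT_BODY = 300  # characters; the alert's samples are one or two sentences


def is_legit_domain(domain: str) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in LEGIT_DOMAINS)


def check_message(raw: str) -> dict:
    """Return the indicator hits and a verdict for one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part else ""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    names = [p.get_filename() or "" for p in msg.iter_attachments()]

    ind = {
        "brand_in_display_name": bool(BRAND_RE.search(display)),
        "sender_domain_unaffiliated": not is_legit_domain(domain),
        "short_body_referencing_attachment":
            len(body) < SHORT_BODY and bool(ATTACH_RE.search(body)),
        "closes_with_ms_isac": bool(lines) and bool(CLOSING_RE.fullmatch(lines[-1])),
        "pdf_attachment": any(n.lower().endswith(".pdf") for n in names),
    }
    # Core indicator: branding in the alias, sender domain not CIS/MS-ISAC.
    spoofed = ind["brand_in_display_name"] and ind["sender_domain_unaffiliated"]
    # Fallback: no brand in the alias, but the lure template still matches.
    template_hits = sum(ind[k] for k in (
        "short_body_referencing_attachment", "closes_with_ms_isac", "pdf_attachment"))
    suspicious = spoofed or (ind["sender_domain_unaffiliated"] and template_hits >= 2)
    return {"from": addr, "display": display, "indicators": ind,
            "verdict": "suspicious" if suspicious else "clean"}


def build_sample(from_hdr: str, subject: str, body: str, pdf_name: str = "") -> str:
    """Construct a sample message (placeholder content) as an RFC 5322 string."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = "member@example.gov"
    m["Subject"] = subject
    m.set_content(body)
    if pdf_name:
        m.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                         subtype="pdf", filename=pdf_name)
    return m.as_string()


# Constructed samples; addresses and file names are placeholders.
PHISH = build_sample('"MS-ISAC" <reports@example.net>', "Report",
                     "Your report is attached in PDF format. invoice_4421.pdf\n"
                     "Regards,\nMS-ISAC", pdf_name="invoice_4421.pdf")
TEMPLATE_ONLY = build_sample('"Accounts" <billing@example.org>', "Your report",
                             "Your report is attached in PDF format. report.pdf\n"
                             "Thanks for your business!\nMS-ISAC", pdf_name="report.pdf")
LEGIT = build_sample('"MS-ISAC SOC" <soc@msisac.org>', "MS-ISAC Cyber Alert",
                     "Members,\n\nPlease see the attached advisory and report any "
                     "related activity to the SOC.\n\n24x7 Security Operations Center\n"
                     "MS-ISAC", pdf_name="advisory.pdf")

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("TEMPLATE_ONLY", TEMPLATE_ONLY), ("LEGIT", LEGIT)):
        r = check_message(raw)
        print(f"{name}: {r['verdict']} from={r['from']} hits="
              f"{[k for k, v in r['indicators'].items() if v]}")
```

Running the file prints a verdict and the indicator hits for each sample. The legitimate message closes with "MS-ISAC" and carries a PDF, but is never flagged because its domain is one the alert names; that is why the domain test, not the body template, is the deciding indicator, and why it only holds if SPF/DMARC is enforced upstream. The hyperlink inside the malicious PDF is a separate check that needs the attachment parsed, which this example does not do.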

Recommendations:

CIS employees will never ask you to provide remote access to your network or to provide sensitive information, such as passwords or bank account information. Email communications from the MS-ISAC will originate from MSISAC.ORG or CISECURITY.ORG email addresses and will contain proper MS-ISAC and CIS branding.

We recommend the following general best practices, to limit the effect of phishing emails and scams on your organization:

  1. Train end users regarding phishing and social engineering tactics and inform users of the possibility of these tactics being used in a telephone call, as seen in the Tech Support Call Scam. Remind users that all suspicious phone calls and emails should be reported to the security and/or information technology (IT) departments according to local policy.
  2. Use antivirus programs with automatic updates of signatures and software.
  3. Mark external emails with a banner denoting that they are from an external source.
  4. Implement filters at the email gateway to filter out emails with known phishing indicators, such as known malicious subject lines, and block suspicious IP addresses at the firewall.
  5. Utilize Sender Policy Framework (SPF), a validation system that minimizes spam by detecting email spoofing and allowing administrators to specify who is allowed to send email from a given domain by publishing an SPF record in the Domain Name System (DNS).
  6. Adhere to the principle of least privilege.
  7. Do not rely on caller identification (Caller ID) to authenticate a caller. Callers can spoof telephone numbers so they appear to be coming from another location or entity.
  8. Adhere to best practices, such as those described in the CIS Critical Security Controls and the CIS Benchmarks programs.

Further information on the Tech Support Call scam and phishing emails is available from the MS-ISAC at: https://msisac.cisecurity.org/whitepaper/.
If you experience similar targeting, please do not hesitate to reach out to the MS-ISAC for assistance on this matter. We perform a variety of free incident response services, including log analysis, malware analysis, and computer forensics, and can assist with the development of a mitigation and recovery strategy. These services can be requested by calling 1-866-787-4722, replying to this email, or sending an email to SOC@msisac.org.

The MS-ISAC is interested in your comments - an anonymous feedback survey is available at: https://www.surveymonkey.com/r/MSISACProductEvaluation.

24×7 Security Operations Center

Multi-State Information Sharing and Analysis Center (MS-ISAC)

31 Tech Valley Drive

East Greenbush, NY 12061

SOC@cisecurity.org - 1-866-787-4722                 

TLP: WHITE

Disclosure is not limited. Subject to standard copyright rules, TLP: WHITE information may be distributed without restriction.

http://www.us-cert.gov/tlp/

This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.