Weekly Threat Report - 25th January 2019
Schools targeted in fees phishing scam
Newcastle Royal Grammar School has been targeted with a phishing attack in which fraudulent emails, sent from a school email account, offered parents a 25% discount on fees for paying quickly via the Bitcoin cryptocurrency.
The emails, which included spelling, grammatical and punctuation errors, were sent from the address of the school bursar, who is responsible for fees. The school reported the attack to the police and the Information Commissioner’s Office (ICO), as required under GDPR. The school is also working with the company which provides its email systems, iSAMS, to establish exactly what happened.
The ICO has said that while it will assess the phishing scam as per the information provided, it is also aware of "other phishing type attacks that have been targeted towards schools".
Any organisation dealing with sensitive personal information, including schools and universities, is at a higher risk of being targeted. The NCSC has published 15 good practice measures for the protection of bulk personal data.
Royal Grammar School has made clear that it would never ask for money or bank details in this way. To mitigate the risk of phishing attacks, people should be vigilant around any message that purports to be from an organisation they deal with – whether schools, banks or businesses. This is particularly important when emails ask for personal information or banking details, or contain unexpected mistakes, attachments or links.
The NCSC strongly encourages anyone who believes they have been a victim of this or other similar activity to report it to Action Fraud.
Research suggests that smart buildings are vulnerable to hackers
According to research by cyber security firm ForeScout, Internet of Things (IoT) devices within smart buildings are regularly left unsecured against hackers.
ForeScout reportedly discovered thousands of vulnerable devices using the search engines Shodan and Censys, many of which were located in hospitals and schools.
Heating, ventilation and air conditioning (HVAC) systems were among the systems the team believes it could have taken control of, using proof-of-concept malware it developed itself.
Physical access control systems, which prevent unauthorised personnel from accessing restricted areas in hospitals and airports, were also found to be vulnerable.
The NCSC and DCMS have published the Secure by Design Code of Practice to help developers build secure smart devices, as well as consumer guidance for smart devices in the home.
GoDaddy authentication vulnerability exploited for phishing campaigns
A security researcher has discovered a vulnerability in GoDaddy.com which affects the way it handles Domain Name System (DNS) change requests, allowing hackers to hijack domains. The vulnerability allowed any user to add a domain to their account without any validation that they actually owned it. The researcher estimates that GoDaddy's authentication weakness left more than 553,000 domains vulnerable to hijacking.
This same weakness is also believed to have affected other major internet service providers and to have led to phishing and malware attacks. The weakness allegedly made high-profile scams possible, including a US bomb threat hoax and a sextortion email campaign from 2018.
The NCSC recommends that two-factor authentication is enabled on all DNS hosting accounts, and that passwords are not easily guessed and not re-used across services. Eligible public sector domain owners should register their subdomains in Web Check, which also includes detection of some subdomain takeover vulnerabilities.
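The missing check in the GoDaddy case was proof that the requesting account actually controls the domain. The following is an added illustration, not GoDaddy's code or anything from the researcher's write-up, of how a hosting provider can demand that proof with a DNS TXT challenge: the account is issued an unguessable token, must publish it under a challenge label in the domain's own zone, and the domain is only attached once that record is visible. The record label `_ownership-challenge`, the domain `example.test`, the account names and the in-memory zone are all constructed for the example; the resolver is a stub that stands in for querying the authoritative nameservers. The unchecked function is kept beside the hardened one only to show the contrast.

```python
import hmac
import secrets
from typing import Callable, Dict, Iterable, Set

# A resolver is anything that returns the TXT records published at a name.
# Constructed stand-in for this example; a real provider would query the
# domain's authoritative nameservers rather than a dictionary.
Resolver = Callable[[str], Iterable[str]]

CHALLENGE_LABEL = "_ownership-challenge"  # hypothetical record name


def issue_challenge(account_id: str) -> str:
    """Mint an unguessable token bound to the requesting account."""
    return f"{account_id}:{secrets.token_urlsafe(24)}"


def ownership_proven(domain: str, token: str, resolve_txt: Resolver) -> bool:
    """True only if a TXT record at <CHALLENGE_LABEL>.<domain> matches the token.

    Any failure (no record, lookup error) is treated as 'not proven'.
    """
    name = f"{CHALLENGE_LABEL}.{domain.rstrip('.').lower()}"
    try:
        records = list(resolve_txt(name))
    except LookupError:
        return False
    # Constant-time compare; strip the quotes TXT data is usually wrapped in.
    return any(hmac.compare_digest(r.strip('"'), token) for r in records)


def add_domain_unchecked(account_id: str, domain: str,
                         accounts: Dict[str, Set[str]]) -> bool:
    """The weak behaviour described in the report: attach a domain to any
    account with no proof of control. Kept only as the 'before' for contrast."""
    accounts.setdefault(account_id, set()).add(domain)
    return True


def add_domain(account_id: str, domain: str, token: str,
               resolve_txt: Resolver, accounts: Dict[str, Set[str]]) -> bool:
    """Hardened version: refuse unless this account's challenge is in DNS."""
    if not token.startswith(f"{account_id}:"):
        raise PermissionError("challenge token was issued to a different account")
    if not ownership_proven(domain, token, resolve_txt):
        raise PermissionError(f"no valid ownership record found for {domain}")
    accounts.setdefault(account_id, set()).add(domain)
    return True


def make_stub_resolver(zone: Dict[str, Iterable[str]]) -> Resolver:
    """Build a resolver over a constructed in-memory zone (example data only)."""
    def resolve_txt(name: str) -> Iterable[str]:
        if name not in zone:
            raise LookupError(f"NXDOMAIN {name}")
        return zone[name]
    return resolve_txt


def demo() -> Dict[str, Set[str]]:
    """The owner and an impostor both try to attach example.test."""
    accounts: Dict[str, Set[str]] = {}
    owner_token = issue_challenge("owner")
    impostor_token = issue_challenge("impostor")
    # Only the real owner can publish records in the zone.
    zone = {f"{CHALLENGE_LABEL}.example.test": [f'"{owner_token}"']}
    resolve = make_stub_resolver(zone)

    add_domain("owner", "example.test", owner_token, resolve, accounts)
    try:
        add_domain("impostor", "example.test", impostor_token, resolve, accounts)
    except PermissionError:
        pass  # expected: the impostor's token is not published in DNS
    try:
        # Replaying the owner's token from another account is also refused.
        add_domain("impostor", "example.test", owner_token, resolve, accounts)
    except PermissionError:
        pass
    return accounts


if __name__ == "__main__":
    print(demo())
```

Binding the token to the account and comparing it in constant time means a second user cannot attach a domain by guessing or replaying someone else's challenge; the check fails closed on any lookup error, which is the behaviour a provider wants when DNS is unreachable.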