Feb 22, 2019

Matt Pilon reports:

UConn Health on Friday disclosed that an unauthorized third party had accessed employee email accounts, potentially breaching the privacy of 326,000 patients and others.

Of that number, 1,500 could have had their social security numbers exposed, UConn Health said. For others, potentially acquired details include names, dates of birth, addresses, and billing and appointment information, according to a forensic investigator’s findings just before Christmas. Most of those that could be affected are patients, while a small portion are UConn employees, the state-led, Farmington-based health system, anchored by John Dempsey Hospital, said.

Read more on Hartford Business.

The following statement appears on UConn Health’s site:

Notice of Data Security Incident

UConn Health recently learned that an unauthorized third party illegally accessed a limited number of employee email accounts. Upon learning of the incident, we immediately took action, including securing the impacted accounts to prevent further unauthorized access and confirming the security of our email system. We also notified law enforcement and retained a leading forensic security firm to investigate and conduct a comprehensive search for any personal information in the impacted email accounts.

On December 24, 2018, we determined that the accounts contained some personal information, including some individuals’ names, dates of birth, addresses and limited medical information, such as billing and appointment information. The accounts also contained the Social Security numbers of some individuals.

At this point, we are not aware of any fraud or identity theft to any individual as a result of this incident, and do not know if any personal information was ever viewed or acquired by the unauthorized party. Nevertheless, because we cannot isolate exactly what, if any, information may have been accessed, we notified individuals whose information was in the impacted accounts. The incident had no impact on our computer networks or electronic medical record systems.

We have mailed notification letters to potentially impacted individuals for whom we have a valid mailing address. That notice includes information on steps individuals can take to protect themselves against potential fraud or identity theft. In addition, we are offering free identity theft protection services to individuals whose Social Security numbers may be impacted. As a general matter, we recommend that individuals regularly monitor credit reports, account statements and benefit statements. If individuals detect any suspicious activity, they should notify the entity with which the account is maintained, and promptly report the suspicious activity to appropriate law enforcement authorities, including the police and their state attorney general. In addition, anyone looking for information on fraud prevention can review tips provided by the FTC at www.ftc.gov/idtheft.

We take our responsibility to safeguard personal information seriously and apologize for any inconvenience or concern this incident might cause. We have taken and will continue to take steps to help prevent something like this from happening again, including evaluating additional platforms for educating staff and reviewing technical controls.

Individuals with questions may call our dedicated toll-free inquiry line at 1-877-734-5353 between 9 a.m. and 9 p.m. Eastern Time, Monday through Friday.

Feb 20, 2019

Ding! Ding! Ding!

I think we have our first W-2 phishing report of this year, although of course I may have missed other ones. This one involves the Centinela Valley Union High School District in California. From their notification to the state:

As a follow up to the email sent to you on January 31, 2019, we wanted to provide you additional information about the recent incident involving your personal information.

What Happened

On January 31, 2019, we learned that one of our employees received a phishing email designed to appear as if it came from one of our other employees. Upon discovery, we immediately began an investigation to determine the scope of the incident and to verify what information may have been affected. We also notified the IRS, state tax boards, and federal law enforcement authorities, and we are cooperating with their ongoing investigation.

As a result of this phishing incident, an unauthorized individual may have obtained IRS Form W-2 information for our employees, including employee names, addresses, Social Security numbers, and 2018 wage information.

Read more of the full notification here.

As of the 2008-2009 school year, the district had 614 employees. I do not yet know the current number, however.

Feb 16, 2019

Anita Lee reports:

Memorial Hospital is offering free credit monitoring and identity protection services to a “limited number” of patients whose Social Security numbers, health-insurance information and other personal details were part of an employee email account that a third party accessed.

Janet Stuart, the hospital’s manager of marketing and communications, said the email account contained information on about 30,000 patients, including names, birth dates, medical care and health-insurance information. Social Security numbers were listed for a “limited number” of those patients, a news release said.

Read more on Biloxi Sun Herald. The hospital’s notice can be found on their website, here.

Feb 13, 2019

Juha Saarinen reports:

Beware malware-laden missives.

Email filtering company Mailguard is warning about an active phishing campaign emanating from compromised email accounts hosted on Optus’ optusnet.com.au domain.

The messages purport to advise recipients of remittance advices, invoices and insurance documents that are available for download.

Should users click on the links to the documents in the messages, they will download malware.

Read more on ITNews.

In August 2018, we saw another phishing campaign. For example, Gizmodo reported:

The Australian Communications and Media Authority (ACMA) has issued a warning regarding an Optus email scam that is currently circulating in Aussie inboxes. Here’s what you need to know.

The fake emails are disguised as unpaid bills and contain the subject line ‘We are unable to process your last payment’. The aim is to phish for credit card information.

h/t, “Russy”

Feb 4, 2019

The FBI has published more about a case that was previously reported on this site (the DOJ’s press release at the time can be found here). Today, the FBI wrote:

Two men who were citizens of Nigeria, living in Malaysia, and conducting their crimes from behind computers likely assumed they were safe from the reach of American law enforcement when they hacked into university computer systems to steal paychecks and tax returns.

But through strong partnerships with the Georgia Institute of Technology (Georgia Tech), the Department of Justice, and Malaysian authorities, the FBI was able to identify, arrest, and extradite Olayinka Olaniyi and Damilola Soloman Ibiwoye to face charges of conspiracy to commit wire fraud, computer fraud, and aggravated identity theft.

Ibiwoye pleaded guilty and was sentenced to 39 months in prison. Olaniyi was convicted by a federal jury and is spending nearly six years in jail.

The sophisticated operation led by Olaniyi and Ibiwoye, who were living in Kuala Lumpur, specifically targeted U.S. colleges and universities, reported Special Agent Tyson Fowler from the FBI’s Atlanta Field Office. “We found their computer folders with documents showing efforts to phish employees at 130 to 140 schools,” Fowler said. “They would steal a logo and do the work to make it look legitimate.”

The duo sent fraudulent emails to personnel at these institutions in an attempt to gain system credentials. These phishing messages appeared official but they took unsuspecting recipients to fraudulent sites that allowed the criminals to record user names and passwords. Armed with this information, the hackers could then enter the official school systems and use the stolen credentials to reroute employees’ paychecks and access financial documents. Fowler says the hackers were successful in obtaining access at about 20 schools.

When Olaniyi and Ibiwoye infiltrated Georgia Tech, however, the quick action of the university’s information security team was key to uncovering the identity and methods of the criminals and putting an end to their efforts.

Fowler said Georgia Tech personnel began getting reports over the Thanksgiving holiday in 2014 that employees had not received paychecks. The university quickly determined their network had been compromised and many employees had their payroll direct deposit information changed. “Georgia Tech reported it to us,” said Fowler. “We were on site the next day.”

Sitting with the network team at Georgia Tech, FBI investigators were able to track and monitor the online movements of the hackers as they used the university’s network to not only carry out their crimes but also to access their personal messaging applications and email accounts.

“By watching them online, we could see 20 people chatting. People from all over the globe,” explained Fowler. “They had ties to many others. Some people were better at the phishing emails; some had bank accounts lined up.”

Fowler said that if the criminals had rerouted employee paychecks to international accounts, it would have immediately raised red flags. For this reason, the scammers needed a ready supply of U.S. bank accounts through which to funnel the stolen pay. They worked with other criminals who, through romance scams or other tactics, had convinced individuals to allow them to use their bank accounts.

The investigative team traced the computers used by the suspects to an Internet Protocol (IP) address in Malaysia. Then, granted search warrants for the suspects’ email accounts, the FBI was able to positively identify the two suspects by name.

With answers to who and where the hackers were, the question then became how to reach them. The United States does not have an extradition treaty with Malaysia, but the FBI’s legal attaché in Kuala Lumpur has a strong working relationship with Malaysian authorities. When the FBI in Atlanta identified the hackers, the legal attaché’s office shared the information with the Malaysian Royal Police.

In November 2015, a year after Georgia Tech detected the intrusion, Fowler and another Atlanta-based FBI agent got on a plane to Kuala Lumpur.

“I can’t give the Malaysians enough credit,” said Fowler. “They truly wanted to help and they wanted to address the issue.” When the FBI agents provided the Royal Malaysian Police with the IP address they had traced to the Georgia Tech intrusion, the local authorities confirmed that it was registered to the same two suspects the FBI had identified. It also turned out that the two were in Malaysia on expired visas. The Malaysians were able to arrest them for immigration violations.

By that time, the FBI had also uncovered that the payroll diversion was the beginning of a larger scheme: The hackers had also gone after hundreds of W2s and had switched over to fraudulently filing for tax refunds with the stolen documents. In total, they attempted to steal more than $6 million.

With the cooperation of the Malaysians, the FBI issued an arrest warrant for the two men in the United States, which they asked the Malaysian authorities to honor. The Royal Malaysian Police were able to do so by citing the suspects on equivalent local violations.

On a second trip to Malaysia in November 2016, the agents flew back to Atlanta with the suspects in their custody.

Fowler notes that the entry point for the hackers in this case was a common one: human error. “You can have the best security in the world, but then there is the human element.” Fowler stressed that security teams at institutions and corporations should do phishing awareness training and testing for employees and institute two-factor authentication to prevent this kind of intrusion and theft.

The other lesson in this case is that the FBI needs the help of victims. “Come forward,” Fowler emphasized. “We can only catch the criminals when someone reports the crime.” Georgia Tech’s early detection of the breach and willingness to work with law enforcement made a huge difference, according to Fowler. “We would not have been able to see what we saw without Georgia Tech’s support. They wanted to be a partner in holding people accountable.”