Information Security

October is Cybersecurity Awareness Month, a global effort to help everyone to stay safer and more secure online when using technology whenever and however they connect. CUNY is once again participating in the National Cybersecurity Awareness Month (NCSAM) program, run by the National Cybersecurity Alliance (NCSA) and the Cybersecurity and Infrastructure Agency (CISA) of the U.S. Department of Homeland Security, to create awareness about cybersecurity. This year’s theme is “See Yourself in Cyber. #BeCyberSmart.” and focuses on the following four key behaviors to protect yourself online:
Week 1 (Oct 3–Oct 7) – Enabling Multi-factor Authentication (MFA)
Week 2 (Oct 10–Oct 14) – Using strong passwords and a password manager
Week 3 (Oct 17–Oct 21) – Updating your software
Week 4 (Oct 24–Oct 28) – Recognizing and reporting phishing
Facts and Figures:

• 43% of adults have shared their password with someone. (Google)
• Just 20% of Android devices use the latest and safest OS version. (Symantec)
• 72% of respondents reported that they checked to see whether messages were legitimate (i.e., phishing or a scam) compared to 10% who reported not doing so. (NCA)
• Phishing attacks in data breaches increased 11% from 2019 to 2020. (Verizon)

CUNY has launched a 25-minute interactive Cybersecurity Awareness for Students that is tailored to CUNY students and features a CUNY student. This course helps you gain a comprehensive understanding of the cybersecurity risks we all face, along with some best practices for safeguarding your data, so you can avoid opening the wrong link or attachment. You can find this course in Blackboard under your Organizations section.

Phishing attacks, spam, and hacked accounts have unfortunately become common occurrences in higher education. Articles on Best Colleges and Inside Higher Education websites note that colleges and students are a favorite target for scams,harvesting personal information, and ransomware attacks. Increasing awareness about online risks is your, and the University’s, best defense against cyber threats and protecting online information and data.

Please spend 25 minutes to learn how you can protect yourself against online threats. This brief time investment could protect you from serious financial, privacy or data loss consequences later on.

Log in to Blackboard to take the course.

• Use software products that are currently maintained by their publisher and keep the software products updated with critical security patches.
• Use secure passwords that cannot be easily guessed and do not share your password.
• Storage devices (hard disks, tape, diskette, CDs, DVDs, cell phones, digital copiers or other devices) that contain Non-Public University Information must be securely overwritten or physically destroyed in a manner that prevents unauthorized disclosure.

• Delete unneeded electronic information which contains personal identifiers.
• Ensure critical data files are backed up and the backups are securely stored in another location.
• Physically secure your computer by using security cables and locking building/office doors and windows.
• Complete the Security Awareness Program. It is approximately 30 minutes in length, covering the basics of why information security is important and best practices. Everyone at Medgar Evers College who handles confidential data is required to enroll and complete this training. All others are strongly urged to do the same. When you connect to this site, please enter your name, email address and select Medgar Evers College from the pull-down menu.

I would like to warn our users regarding a phishing email containing a link to a malicious website targeting the capture of CUNYfirst credentials. The fraudulent email was received on another campus. Please report to helpit@mec.cuny.edu if you receive such email and please don’t click on the link. If you responded to the phish by clicking on the link and, you must change your CUNYfirst password immediately by going to https://managelogin.cuny.edu/ and clicking on “Manage your CUNY Login Account” link. The link to the malicious website (defanged) is: hXXps://templatesbazaar.com/halimaaziz/Chesscharity/ssologin.cuny.edu.html CUNYfirst Scams (pdf)

CIS is advising the CUNY community regarding so-called “Secret Shopper” and “Gift Card” scams. Please familiarize yourself with these scams. Security Threat Identification / Symptoms Email containing an offer of employment to be a “secret shopper” or “personal assistant.” Such unsolicited offers are scams. Sometimes the message is sent from a CUNY email address whose account has been compromised, or references a CUNY “job placement” office, to lend “legitimacy” to the email. Recommended User Action DO NOT reply to unexpected or unusual email from any sender DO NOT reply to email with any personal information or passwords. If you have reason to believe that the request is real, call the institution or company directly DO NOT click a link or open an attachment in an unsolicited email message. If you have reason to believe the request is real, type the web address for the company or institution directly into your web browser DO NOT use the same password for your work account, bank, Facebook, etc. In the event you do fall victim to a phishing attempt, perpetrators attempt to use your compromised password to access many online services DO change ALL your passwords if you suspect any account you have access to may be compromised DO be particularly cautious when reading email on a mobile device. It may be easier to miss telltale signs of phishing attempts when reading email on a smaller screen DO remember that official communications should not solicit personal information by email DO complete the 40-minute information security awareness training located at security.cuny.edu Secret-Mystery Shopper Scams (pdf)

A malicious website is pretending to be the live map for Coronavirus COVID-19 Global Cases by John Hopkins University and is directing users to visit a malware website. Visiting this website infects the user’s computer or mobile device with the AZORult trojan, an information-stealing program which can exfiltrate a variety of sensitive data from the user’s computer. It is likely being spread via infected email attachments, malicious online advertisements, and social engineering. Anyone searching the Internet for a Coronavirus map could unwittingly navigate to this malicious website, and their data be compromised. Please be extra vigilant while accessing your email and browsing the Internet. COVID-19 Scams and Threats

Several students have been victimized by a “Secret Shopper” or Gift Card scams

• Background: some marketing/merchandising companies hire “secret” or “mystery” shoppers as a quality assurance measure. Such anonymous shoppers make a particular purchase in a store and then report on the experience. Typically, the shopper is reimbursed and sometimes the shopper keeps the purchase and/or receives a small payment
• In these scams, students are emailed a secret shopper employment offer, sometimes from a fellow student’s compromised email account Information Security Computing and Information Services Information Security Manager’s Meeting
• If a student responds, they will typically be asked to purchase gift cards and provide the card codes with the promise of reimbursement/payment
• Of course the reimbursement never comes
• The fact that legitimate secret shopper jobs exist bolsters the credibility of the scam. The offer email may also refer to a CUNY “job placement” office.

What can we do?

• Educate students of the scam through advisory communications
• Work with student groups, Student Affairs, etc., to get the word out https://www.consumer.ftc.gov/articles/0053-mystery-shopper-scams

Phishing Campaigns Scams (pdf)