CyberOmaha Weekly – Mar 2, 2018

Welcome to CyberOmaha Weekly, a weekly roundup of security news collected from around the Internet.  Please send news tips and suggestions to

Application Security

2/27/2018: In-the-Wild DDoSes Use New Way to Achieve Unthinkable Sizes

Hackers have found a way to amplify distributed denial-of-service attacks by an unprecedented 51,000 times their original strength in a development that whitehats say could lead to new record-setting assaults that take out websites and Internet infrastructure. More… (via ArsTechnica)

3/2/2018: A Secure Development Approach Pays Off

Software security shouldn’t be an afterthought. That’s why the secure software development life cycle deserves a fresh look. More… (via DarkReading)

Operating System Security

2/15/2018: This Indian Text Will Crash ANY iPhone!

EverythingApplePro demonstrates how sending a specific Telugu character to an iPhone, iPad, or Mac user can cause the receiving device to crash. Apple addressed the issue in updates (tvOS 11.2.6, watchOS 4.2.3, iOS 11.2.6, macOS High Sierra 10.13.3) on February 19, 2018 – Apple advises users to apply the update.

3/1/2018: Microsoft Lobs Skylake Spectre Microcode Fixes Out Through Its Windows

Microsoft is pushing out another round of security updates to mitigate data-leaking Spectre side-channel vulnerabilities in modern Intel x64 chips. More… (via The Register)

The Web

2/23/2018: L.A. Times Website Injected with Monero Cryptocurrency Mining Script

The cryptojacking attack appears to have persisted for weeks before being addressed, as it was configured to not max out CPU usage. Hackers injected it through an unsecured AWS S3 bucket. More… (via Tech Republic)

2/26/2018: E-Mail Leaves an Evidence Trail

If you’re going to commit an illegal act, it’s best not to discuss it in e-mail. It’s also best to Google tech instructions rather than asking someone else to do it. More… (via Schneier on Security)

2/27/2018: Memcached Servers Being Exploited in Huge DDoS Attacks

Multiple vendors this week say they have seen a recent spike in UDP attacks coming in via port 11211. More… (via DarkReading)

3/1/2018: 23k HTTPS Certs Will Be Axed in Next 23 hours After Private Keys Leak

Customers of HTTPS certificate reseller Trustico are reeling after being told their website security certs – as many as 23,000 – will be rendered useless within the next 24 hours. More… (via The Register)


2/23/2018: ‘OMG’: New Mirai Variant Converts IoT Devices into Proxy Servers

The latest iteration of Mirai is dubbed “OMG,” and turns infected IoT devices into proxy servers while also retaining the original malware’s DDoS attack capabilities. More … (via DarkReading)

3/1/2018: Securing the Web of Wearables

Why security for the Internet of Things demands that businesses revamp their software development lifecycle. More… (via DarkReading)

Personal Privacy & Security

1/28/2018: Registered at SSA.GOV? Good for You, But Keep Your Guard Up

An older article but given that it’s tax season, good tips for keeping your personal information safe. According to the article, “even if you are not yet drawing benefits from the agency — because identity thieves have been registering accounts in peoples’ names and siphoning retirement and/or disability funds. This is the story of a Midwest couple that took all the right precautions and still got hit by ID thieves who impersonated them to the SSA directly over the phone.” More… (via KrebsOnSecurity)

2/06/2018: Would You Have Spotted This Skimmer?

When you realize how easy it is for thieves to compromise an ATM or credit card terminal with skimming devices, it’s difficult not to inspect or even pull on these machines when you’re forced to use them personally — half expecting something will come detached. For those unfamiliar with the stealth of these skimming devices and the thieves who install them, read on. More… (via KrebsOnSecurity)

2/13/2018: IRS Urges Taxpayers to Watch Out for Erroneous Refunds; Beware of Fake Calls to Return Money to a Collection Agency

The Internal Revenue Service today warned taxpayers of a quickly growing scam involving erroneous tax refunds being deposited into their bank accounts. The IRS also offered a step-by-step explanation for how to return the funds and avoid being scammed. More… (via

2/21/2018: FBI Warns of Increase in W-2 Phishing Campaigns

Beginning in January 2017, IRS’s Online Fraud Detection & Prevention (OFDP), which monitors for suspected IRS-related phishing emails, observed an increase in reports of compromised or spoofed emails requesting W-2 information. Sometimes these requests were followed by or combined with a request for an unauthorized wire transfer. More… (via

2/22/2018: Chase ‘Glitch’ Exposed Customer Accounts

Multiple customers have reported logging in to their bank accounts, only to be presented with another customer’s bank account details. Chase has acknowledged the incident, saying it was caused by an internal “glitch” Wednesday evening that did not involve any kind of hacking attempt or cyber attack. More… (via KrebsOnSecurity)

2/22/2018: Shopping for a VPN App? Read This.

You probably know by now that using your mobile device on the public Wi-Fi network of your local coffee shop or airport poses some risk. Public networks are not very secure – or, well, private – which makes it easy for others to intercept your data. So, what can you do to keep your mobile data private and secure while out and about? Some consumers have started using Virtual Private Network (VPN) apps to shield the information on their mobile devices from prying eyes on public networks. Before you download a VPN app, you should know that there are benefits and risks.  More… (via

2/27/2018: Tips for Using Peer-to-Peer Payment Systems and Apps

Online peer-to-peer, or P2P, payment systems let you send money to people quickly. I’ve used them to collect money from the parents on my daughter’s soccer team and to send money to my brothers when we’ve bought a gift for a friend. Personally, I almost always know where my phone is, but I can’t say the same for my checkbook. More… (via


2/20/2018: The Emerging Link Between Well-Being and Cyber Security

When you think of important employee wellness benefits, cyber security services should be top of mind, given the epidemic of data breaches in recent years. More… (via Employee Benefit Advisor)

2/23/2018: Visa: EMV Cards Drove 70% Decline in Fraud

Visa reports, “For merchants who have completed the [EMV] chip upgrade, counterfeit fraud dollars dropped 70% in September 2017 compared to December 2017.” More… (via

3/1/2018: The Top Frauds of 2017

The numbers are in, the counts have been made, and today the FTC announced what we heard from you during 2017. Here are some highlights. More… (via

3/1/2018: Major Data Breach at Marine Forces Reserve Impacts Thousands

The personal information of thousands of Marines, sailors and civilians, including bank account numbers, was compromised in a major data spillage emanating from U.S. Marine Corps Forces Reserve. More… (via Marine Corps Times)


CyberOmaha Weekly – Feb 19, 2018

Application Security

2/15/18: Multi-Stage Word Attack Infects Users Without Using Macros

Spam distributors are using a new technique to infect users with malware, and while this attack relies on having users open Word documents, it does not involve users having to allow the execution of macro scripts. More… (via BleepingComputer)

2/22/18:  Hackers Are Selling Legitimate Code-Signing Certificates to Evade Malware Detection

Security researchers have found that hackers are using code-signing certificates more to make it easier to bypass security appliances and infect their victims. More… (via ZDNet)

Operating System Security

2/19/18: Apple Updates All Its Operating Systems to Address Indian Telugu Crash

Apple has released software updates for all four of its consumer operating systems—iOS, watchOS, tvOS, and macOS—to tackle an issue that allowed usage of the Indian Telugu character to cause those devices to crash.  More… (via ArsTechnica)

2/21/18:  Intel’s New Spectre Fix: Skylake, Kaby Lake, Coffee Lake Chips Get Stable Microcode

Customers running machines with newer Intel chips can expect to receive stable firmware updates for the Spectre CPU attack Variant 2 soon. More… (via ZDNet)

The Cloud

2/8/18: New POS Malware Steals Data via DNS Traffic

Researchers at Forcepoint have discovered new point-of-sale (POS) malware disguised as a LogMeIn service pack that is designed to steal data from the magnetic stripe on the back of payment cards. More… (via DarkReading)

2/20/18: Money Laundering Via Author Impersonation on Amazon?

Patrick Reames had no idea why sent him a 1099 form saying he’d made almost $24,000 selling books via Createspace, the company’s on-demand publishing arm. That is, until he searched the site for his name and discovered someone has been using it to peddle a $555 book that’s full of nothing but gibberish. More… (via KrebsOnSecurity)

2/22/18: Unsecured Amazon S3 Buckets are Prime Cloud Target for Malware Attacks

Thousands of S3 buckets are incorrectly configured as being publicly writable, making them easy to exploit. More… (via TechRepublic)


2/22/18: Car Companies are Preparing to Sell Consumer Data to the Highest Bidder

Connected cars are going to monetize data, but most drivers don’t know that. More … (via ArsTechnica)


2/19/18: IRS Scam Leverages Hacked Tax Preparers, Client Bank Accounts

Identity thieves who specialize in tax refund fraud have been busy of late hacking online accounts at multiple tax preparation firms, using them to file phony refund requests. Once the Internal Revenue Service processes the return and deposits money into bank accounts of the hacked firms’ clients, the crooks contact those clients posing as a collection agency and demand that the money be “returned.” More… (via KrebsOnSecurity)

2/22/18: It’s Not What You Know, It’s What You Can Prove That Matters to Investigators

Achieving the data visibility to ensure you can provide auditors with the information they need after a breach, and do so in just a few days, has never been more difficult. More… (via DarkReading)


Click Here to Validate Your Credentials…

by Guillermo J. Rosas, Faculty, Information Technology, Metropolitan Community College

General Disclaimer

This write-up has been provided for informational and educational purposes only. I strongly discourage students and staff from attempting the same exploration.

The exploratory tasks discussed in this write-up were performed on a virtual machine hosted on a physical machine separated from other computers on my home network. The host machine is scheduled to be rebuilt during quarter break and it is not used aside from experimenting. It’s important to note, the destination website could have potentially hosted malware and my machine could have become infected in the process of this write-up.

In other words, enjoy the write-up but don’t try this at home, kids.


Many of us have been the recipients of a large number of phishing emails over the past few weeks. Figure 1 (below) shows one of the many emails I received earlier this week.

An onslaught of phishing emails!
Figure 1

As shown in Figure 1, the email directs the recipient to verify their email by clicking on a link provided in the body of the email.

If you hover over the link (without clicking on it), Outlook will display the destination URL (or where the link will take you if you click on it), which is (Figure 2).  This should be a huge red flag — Weebly is a web-hosting service that provides a simple drag-and-drop interface to help small organizations quickly and easily build websites. The important thing is, this URL is pointing to a site that is not MCCNEB.EDU.

Hovering over the link (without clicking on it), Outlook will display the linked URL, which is
Figure 2

The browser-based version of Outlook (and other email services such as GMail) will also display a link’s destination URL when hovered over; however, the destination URL will appear at the bottom of the browser window – as shown in Figure 3.

A view of the destination URL displayed at the bottom of the browser window.
Figure 3

Consider for a moment, the websites you browse to access school resources:

  • will take you to the school’s webpage
  • will take you to MyWay, where you can access your student email, OneDrive, Blackboard, etc.
  • will take you to the Blackboard home page.

The one common thread amongst the websites listed above, is that they all end with — in no instance does a school website end with .com or with

So, What Happens If I Click On The Link?

I thought you’d never ask . . .

I suspect a number of students have clicked on the links in the phishing emails. My suspicion stems from the fact that the emails are coming from internal addresses.

Out of curiosity, let’s see what happens when we browse to one of the links in a phishing email….

Browsing to took me to the page shown in Figure 4 (below). What a nice page.

The page that appears when we click on a link in a phishing email.
Figure 4

Note the information being collected by the form shown in Figure 4: First and Last Name, Email Address and Password.

The page does contain Metropolitan Community College branding – note the use of the school’s logo.

Let’s scroll down to the bottom of the page (Figure 5).

The bottom of the page hosted at
Figure 5

The big red flags, in my mind (aside from the abhorrent look of the page and the fact that the page is hosted on are:

  • the giant Create a free website button; and,
  • the Powered by Weebly graphic

Let’s take a quick look at the source code of the webpage (Figure 6).


Viewing the source code of the page hosted at
Figure 6

In Figure 6 (above), I’ve highlighted the HTML that defines the initial part of the form shown in Figure 4.

Without getting too technical, when a visitor fills out the form and clicks Submit, the information contained in the form will be sent to — basically, when the user clicks Submit, the information in the form will be sent to a script on the server.  I do not have insight into that script but I suspect the script simply collects the information and writes it into a database, collecting usernames and passwords from users who clicked on the link in the phishing email and subsequently provided their credentials.
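The same inspection of the form's HTML can be done with a short script. The following Python is an added example, not part of the original write-up: it finds every form that collects a password and reports where its `action` sends the data. The page markup, the `.example` hosts and the function names are constructed for illustration; only the `mccneb.edu` domain comes from the article.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a page shaped like the one in Figure 4. The hosts are
# reserved .example placeholders, not the addresses from the phishing e-mail.
PAGE_URL = "https://verify-account.sitebuilder.example/"
PAGE_HTML = """
<img src="/uploads/logo.png" alt="College logo">
<form action="//forms.sitebuilder.example/submit" method="POST">
  <input type="text" name="first_name">
  <input type="text" name="last_name">
  <input type="email" name="email">
  <input type="password" name="password">
  <input type="submit" value="Submit">
</form>
<form action="/search" method="get"><input type="text" name="q"></form>
"""

TRUSTED_DOMAIN = "mccneb.edu"  # the school's domain as named in the article


class FormCollector(HTMLParser):
    """Collect each <form> with its action, method and input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(
                ((a.get("type") or "text").lower(), a.get("name") or ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def host_in_domain(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def audit_forms(page_url, html, trusted_domain):
    """Report every password-collecting form and why its target is suspect."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if "password" not in [ftype for ftype, _ in form["fields"]]:
            continue  # only forms that ask for a password matter here
        # An empty action submits to the page itself; "//host/path" inherits
        # the page's scheme. urljoin resolves both the way a browser does.
        target = urljoin(page_url, form["action"])
        parts = urlsplit(target)
        reasons = []
        if not host_in_domain(parts.hostname, trusted_domain):
            reasons.append("password posted to a host outside " + trusted_domain)
        if parts.scheme != "https":
            reasons.append("form target is not HTTPS")
        if form["method"] != "post":
            reasons.append("password sent with GET (ends up in URLs and logs)")
        findings.append({"target": target,
                         "fields": [name for _, name in form["fields"] if name],
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_forms(PAGE_URL, PAGE_HTML, TRUSTED_DOMAIN):
        print(finding["target"], finding["fields"], finding["reasons"])
```
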

Now this guy has someone’s credentials.

Hacker Image from Wikimedia Commons
Figure 7 – By Chinna98 (Own work) CC BY-SA 4.0 (, via Wikimedia Commons

So What?

So, a hacker has my MCC credentials — so what!?

Consider what you have access to at the school. Even if you’re a student, you have access to:

  • Your email account;
  • Your classes via Blackboard;
  • Your academic record;
  • Your financial information;
  • Your demographic information including home address, telephone number, etc.; and,
  • Your contacts

And so forth and so on.  The key thing in that list is your information. At MCC, nobody should have access to your information but you, some staff, and your instructors.

How Do I Stay Safe?

Healthy skepticism.

  • Be wary of any links contained in email even if the email comes from a known or trusted contact. Consider, the phishing attacks of late are coming from MCC user accounts.
  • Preview links contained in emails by hovering over them in Outlook to display the destination URL (where the link will take you if you click on it).
  • MCC will never ask you to provide your username or password.
  • Change your password frequently. The school will make you change your password every 90 days, but why wait?

Help! I Clicked A Link!

If you happen to click on a suspicious link and if you think your credentials may be compromised, change your password by visiting the MCC password station at


Guillermo J. Rosas is a full-time faculty member in the Business and Information Technology Department at Metropolitan Community College (MCC). He has over 18 years of experience in the field of Information Technology. Prior to joining MCC’s faculty, Guillermo worked as a Network Defense technician at the USSTRATCOM Network Operations Center.

Guillermo holds a BS in Information Systems from Bellevue University, and a MBA from Bellevue University. His professional certifications include: A+, Security+, Network+, Linux+, Certified Ethical Hacker, and Certified Information System Security Professional (CISSP).


Careful – Don’t Let Yourself Get Duped!

Contributed by Glenn Flenorl, Cybersecurity Major

In today’s world of technology and learning, the threat of someone misusing technology is always present.  Recently, there has been a rash of bogus emails going around the school as seen below (Figure 1).  This is called phishing.

Figure 1: A Sample Phishing Email

What is a phishing attack? Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message (Google 2017).

This is an example of what has been going around the campus.  As we take a closer look at the email, it looks all normal. That’s what it’s supposed to do: look normal.  Then we look at the name. Since I’m a student here, I got to thinking, and to verify things I looked up the name.  There are a number of things faculty and staff can do if they get something that looks bogus or untrustworthy.  Simply ask your co-workers, or look up the name in the school staff directory like I did.  That was evidence for me to say this is not real, and I told co-workers and students right away.  And the school always sends out Help Desk emails with no links in them; it’s been standard protocol here at the college that the Help Desk does not put links in the emails. So it is good practice to always be sure that the email being sent to you is from a party that is familiar.  Step one is to go to the MCC MyWay site and click Menu (Figure 2).

Figure 2: MyWay

Second, go to the employee directory (Figure 3).  In the drop-down menu, go to Help Desk to arm yourself with knowledge to better combat phishing attempts by knowing who is in the Help Desk department and/or building location.

Figure 3: The Directory Search Page

I just happen to know Building 4 is where the IT Help Desk is here on the Fort campus, and as you can see there is no Hoffman anywhere (Figure 4).

Figure 4: No Hoffman Here!

Just knowing who is in and around the technology can better prepare us, as learners and as staff, to not get duped into opening bogus emails.

My name is Glenn and I’m an Information Technology Assurance Transfer. I work at MCC’s 180-Re-entry assistance program as a peer-mentor. A former office mate (Lyndsie Gibbs) encouraged me to jump back into INFO SCI, and I really enjoy the learning and using the new technology available.

The Art of Phishing: How to Protect Yourself

Contributed by Matthew Reida, Cybersecurity Major

Phishing is a type of attack that relies heavily on human nature. Humans are easily distracted by things that are too good to be true. Most phishing attacks are emailed, and some are very well disguised. They often imitate a normal email communication from a bank or online store. The goal of a phishing email is not to “hack” a user by exploiting their system, but rather to obtain information from a user who is willing to give it away. The user usually makes the first move by interacting with the email in some way, most often by opening a link that is contained in the body of the email or opening an attachment.

In order for the phish to accomplish this, it must appear legitimate: many emails are sent from supposedly reputable companies; however, the “from” email address can be easily spoofed. If one looks closely, many times an email claiming to come from “JP Morgan Chase”, for example, may actually come from an email address that does not belong to that domain. More sophisticated and targeted phishing attacks may actually spoof the “from” field in an email header, meaning that information in the header field is forged, making it appear to even careful users that the sender is legitimate, even though the email originated from outside that domain.

Once the user is convinced that the email is legitimate, attackers coax the user to interact with the message, for example by asking the user to open a link within the email. This is dangerous, because attackers can create their own website, designing it in a way that looks similar to the target site, and if one does not look closely at the opened URL, they can voluntarily give away their passwords to attackers.

The best way to defend against this sort of attack, besides being generally suspicious of emails encouraging direct action, is to view the URL that will be opened. This can be done on computers by hovering over the hyperlink with the cursor, and on mobile devices by pressing and holding on a hyperlink. This launches a tooltip that reveals the URL, which would then be opened upon clicking. Even though an email may appear to contain a link to a legitimate site, the actual URL may be completely different.

My name is Matt Reida, and I am pursuing an associate’s degree in Server Administration at Metropolitan Community College. As a very young child, I was enamored with computers, and strived to learn about them constantly. As I grew older, my passion for learning remained, and inspired me to pursue a career in the IT field.

Happy Holidays – Now Click Here . . .

by Guillermo J. Rosas, Faculty, Information Technology, Metropolitan Community College

As faculty, we’re always receiving SPAM email of one sort or another; however, this evening I received an email from “Wallmart” informing me I was the recipient of a generous $3.66 eGift Card for Walmart as part of an “Online DVD Rental Settlement” (Figure 1).

Figure 1

I hope you notice the fact that I surrounded “Wallmart” in quotation marks in my previous paragraph. Let’s take a closer look at this email (Figure 2). Notice how the email is coming from – did you catch that second “L” in the sender’s email domain? It’s interesting because Walmart is spelled with one “L.” The sender includes a Walmart logo at the top of the email – note how the logo is spelled correctly, with one “L.” Although Figure 2 doesn’t point it out, the subject of the email also spells Walmart correctly, with the single “L” – the sender’s domain is the only item that is “misspelled” in this email.

Figure 2

These are red flags. Why would I be receiving an email from Walmart from a sending domain of “”?

Interesting. Let’s not click on anything, though. Microsoft Outlook will display the linked URL when we hover our mouse over a hyperlink. Let’s use this feature to find out a little more about our email.

When I hover my cursor over the button, View My eGift Card, a popup appears (Figure 3). Note the URL that appears in the label that appears  - – doesn’t sound like a Walmart-type website. It also doesn’t sound like a very nice URL to visit.

Figure 3

Let’s hover over the URL at the bottom of the page, the text of which says it will take us to, – that sounds legit. Plus, I want my $3.66.

Placing my mouse over the link shows the linked text will actually take us to — it’s not looking as though I’m going to get my $3.66 any time soon 🙁

Figure 4

Grrrr… I want my $3.66. Let me check that Help Center link at the bottom of the page. I hover my mouse over the text our Help Center and the linked URL appears…. and it also leads to … alas, it doesn’t look like I’m going to get my $3.66 eGift Card… oh the things I could buy with that.

Figure 5

So what do I do now? Panic? That’s usually fun, but it’s not really a good option. The solution to this is simple:

  • Always be skeptical about the links in any email message; don’t just click on a link, even if it comes in an email from a person you know.
  • If you are tempted to click on a link, or if you have to click on a link, examine the link to make sure it’s going to direct you to where it says it’s going to direct you. In this example, the link looks like it’s going to take us to a resource, but when we examine the link, we see we’re actually going to get taken to a resource hosted on a site named
  • If you receive a suspicious email from someone you know (a student, a teacher), call that person or go visit them and ask them if they sent the email. Email can be spoofed and it may look like someone you know is sending an email with a malicious link.
  • If you receive an external email from someone like Walmart (as shown in this article), simply mark the email as Junk/SPAM – this will help your email software’s filters learn what emails are unwanted. In Microsoft Outlook (desktop and webapp), you can mark an email as Junk by right-clicking (CTRL+Click in macOS) and then clicking Junk > Block Sender.
Figure 6
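The hover check described in this article, and in "The Art of Phishing" above, compares what a link says with where it goes. The Python below is an added example, not part of the original articles: it lists each link's visible text beside the host its `href` really points to and flags the disagreements. The sample message, the `.example` destination host and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: an HTML e-mail body shaped like the message described
# above. The destination host is a reserved .example placeholder.
EMAIL_HTML = """
<p>You have received a $3.66 eGift Card.</p>
<a href="http://gift-redirect.example/r?id=1"><b>View My eGift Card</b></a>
<p>Redeem at <a href="http://gift-redirect.example/r?id=2">www.walmart.com</a>
or visit <a href="http://gift-redirect.example/r?id=3">our Help Center</a>.</p>
<p><a href="https://www.walmart.com/help">Walmart Help</a></p>
"""

# Visible link text that itself looks like a URL or a bare domain name.
DOMAIN_IN_TEXT = re.compile(
    r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/:?#\s]|$)")


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((text, self._href))
            self._href = None


def host_in_domain(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def audit_links(html, claimed_domain):
    """Flag links whose destination disagrees with their text or the sender."""
    parser = LinkCollector()
    parser.feed(html)
    report = []
    for text, href in parser.links:
        parts = urlsplit(href)
        if parts.scheme not in ("http", "https"):
            continue  # mailto:, tel: and similar links have no web destination
        host = parts.hostname or ""
        flags = []
        shown = DOMAIN_IN_TEXT.match(text.lower())
        if shown:
            # The text names a site: the real destination must be that site.
            named = shown.group(1)
            if named.startswith("www."):
                named = named[4:]
            if not host_in_domain(host, named):
                flags.append("text-url-mismatch")
        if not host_in_domain(host, claimed_domain):
            flags.append("off-domain")
        report.append({"text": text, "host": host, "flags": flags})
    return report


if __name__ == "__main__":
    for row in audit_links(EMAIL_HTML, "walmart.com"):
        print(f'{row["text"]!r:24} -> {row["host"]:26} {row["flags"]}')
```
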

With the holidays right around the corner, we’ll probably see more emails like these in our MCC inboxes. Generally, there’s nothing to worry about – criminals cast wide nets hoping to catch a few people. Don’t be one of the few – act smart,  be suspicious, and don’t fall for scams.


Phishing Campaigns at MCC

Contributed by Christopher Wagner, Cybersecurity Major

Phishing is just what it sounds like, but with a different spelling.  A fisherman places bait on their hook and hopes that fish will come along and bite it.  The bait in this analogy often takes form of an email, text message, or even a Facebook message and at times they can claim to be friends, relatives, or even the MCC Help Desk.  The fish, being the individual who received the message, is often directed to click on a link or provide credentials (username and/or password).  These emails are made to appear authentic and to trick the user into giving up information.

With the holiday season coming up, phishing emails that appear to come from legitimate companies will be on the rise.  The best way to spot a phishing email is to look for key indicators of where the email is from, what the email is asking you to do, and what incentives there are for opening the email.  In the example below from my own email address, I have a phishing email claiming to be from Amazon about an order and an opportunity for a $50.00 reward as a promotion.

Highlighted in the red boxes are indicators that alert me that this email is in fact a phishing attempt.  Although the email says it is from Amazon (1st red box), we can tell upon further inspection that it is not from Amazon.  Looking at the email address of the sender and ensuring that it is from the actual website itself, and not a suspicious chunk of text, reveals the first red flag.  Going on to the 2nd red box, we can see that I’m entitled to a $50.00 reward for my latest activity.  This, however, is the bait to entice me into clicking the link, which will either install malicious software (malware) on my computer or direct me to a website that is designed to look just like Amazon’s login page and steal my personal information.  Upon hovering over the link with the cursor, we can see in the 3rd red box a URL shortener.  Amazon does not use these, and being aware of where links are directing the user is important.  The key part in this is identifying the web address.  Some phishing emails attempt to mask the address as such:  Did you notice the missing M in the link?  By thoroughly reading the website address you can determine if the email is legit.
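The missing "M" described above and the extra "L" in the "Wallmart" sender domain from the earlier article are both one-character edits of a real name, which a mail filter can measure. The Python below is an added example, not part of the original articles: it extracts the sender's domain from a From header and compares its labels with known brand names using an edit distance that counts inserts, deletes, substitutions and adjacent swaps. The From headers, the `.example` domains, the brand list and the function names are constructed for illustration.

```python
from email.utils import parseaddr

BRAND_DOMAINS = ("walmart.com", "amazon.com")  # assumption: brands to protect

# Constructed sample From headers; .example domains are reserved placeholders.
SAMPLE_FROM_HEADERS = [
    "Walmart <egift@wallmart.example>",            # doubled letter
    '"Amazon.com" <order-update@aazon.example>',   # dropped letter
    "Amazon <orders@amazon.com>",                  # the real domain
    "Walmart <help@walmart.secure-mail.example>",  # real name, wrong domain
    "Garden Club <news@gardening.example>",        # unrelated sender
]


def osa_distance(a, b):
    """Edit distance allowing insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1,          # delete from a
                         cur[j - 1] + 1,       # insert into a
                         prev[j - 1] + cost)   # substitute or match
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent swap
        prev2, prev = prev, cur
    return prev[len(b)]


def sender_domain(from_header):
    """Domain part of the address in a From header, lower-cased."""
    address = parseaddr(from_header)[1]
    return address.rpartition("@")[2].lower().rstrip(".")


def classify_sender(from_header, brands=BRAND_DOMAINS, max_distance=1):
    """Return (verdict, brand) for the sender's domain."""
    domain = sender_domain(from_header)
    for brand in brands:
        if domain == brand or domain.endswith("." + brand):
            return ("legitimate", brand)
    # Compare every label except the top-level one with each brand name.
    labels = domain.split(".")[:-1] or [domain]
    for brand in brands:
        name = brand.split(".")[0]
        for label in labels:
            distance = osa_distance(label, name)
            if distance == 0:
                return ("brand-name-on-foreign-domain", brand)
            if distance <= max_distance:
                return ("lookalike", brand)
    return ("unrelated", None)


if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        print(f"{sender_domain(header):30} {classify_sender(header)}")
```
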

The main objective of a phishing campaign is to gain personal information by getting unsuspecting users to click on links or provide user credentials, credit card information, or personal information to the attacker.  Phishing emails are designed to entice the user into opening them with the promise of a reward or by creating a sense of urgency, such as claiming that your password needs to be updated or you will not be able to access your MCC account.  By being proactive in looking for indicators in all emails, social media messages, and text messages, you can help combat phishing and keep your personal information safe from attackers.  Should you receive a phishing email, mark it as spam and do not follow the instructions, or simply delete it.

One important note to remember is that the MCC Help Desk will never ask for credentials or provide links for you to reset your password or update your information.  They will simply provide a step-by-step guide on how to access the Password Station or how to change your password when logged onto campus computers, as seen below.  This email is from my personal account at MCC, stating that my password will soon expire; it contains no links whatsoever and has the correct MCC Help Desk email address.

Christopher Wagner is a computer enthusiast and enjoys learning about InfoSec.  At age 10 he was given his first computer, and that sparked a growing passion for learning how computers work.  In addition, he found an interest in the ever-evolving world of InfoSec, where what started as simple viruses to annoy people has become ransomware demanding payment in return for decrypting data.  Learning how to build computers and troubleshoot issues that arose, he was able to start freelancing computer repair.  Most recently, Christopher started attending Metropolitan Community College for Information Assurance and hopes to one day find a career in InfoSec.