Weekly podcast: SLC, MacEwan University and the return of the Shadow Brokers

This week we discuss a phishing scam affecting students, a Canadian university’s loss of C$11.8 million, and an increase in data dumps from the Shadow Brokers.

Hello and welcome to the IT Governance podcast for Friday, 8 September 2017. Here are this week’s stories.

Action Fraud – the National Fraud and Cyber Crime Reporting Centre – has warned students of a new phishing scam purporting to be from the Student Loans Company (SLC).

In the run-up to the new academic year, students are being sent emails telling them their SLC accounts have been suspended because of inaccurate or incomplete information. They are then directed to a fraudulent website masquerading as the SLC, where their personal information, including bank details, is harvested. According to Action Fraud, the scam is targeting new and current university students, including those who have never applied for student finance.

Paul Mason, the SLC’s executive director of repayments and counter fraud, said: “We will never request a student’s personal or banking details by email or text message. Anyone who receives a scam email about student finance should send it to us at phishing@slc.co.uk in addition to reporting it to Action Fraud, as this allows us to close the site down and stop students from being caught out.

“We want to remind students to stay vigilant with the details they provide online and to be mindful of the personal information about themselves they post online and on social media too.”

It’s not just students that need to beware of phishing. MacEwan University in Edmonton, Alberta has been defrauded of a total of C$11.8 million (£7.5 million) after fraudsters impersonated one of the university’s suppliers and persuaded university staff to make three transfers to the wrong bank account.

The fraud was only discovered when the real supplier, thought to be a construction company, complained that it had not been paid. $11.4 million of the $11.8 million has since been traced to bank accounts in Montreal and Hong Kong, and the university is confident that it will be able to recover the funds.

David Beharry, a spokesperson for the university, blamed human error, saying the phishing emails looked legitimate. “A domain site with the authentic logo was sent,” he said. “The individual asked us to change banking information from the vendor. That information was changed.”

Now, do you remember the Shadow Brokers? Of course you do. They released the NSA cyber weapons that ultimately led to the likes of WannaCry and NotPetya spreading around the world. In May, having so far failed to monetise their malfeasance, the group offered – in a characteristically rambling post on Steemit – a monthly dump of new Equation Group exploits to subscribers. “Is being like wine of month club,” they said. “Each month peoples can be paying membership fee, then getting members only data dump each month. What members doing with data after is up to members.” According to Motherboard, this model has been more lucrative – subscriptions have netted the group about $90,000 a month.

This week, a new Shadow Brokers post appeared on Steemit, offering subscribers two dumps per month. According to ZDNet, the September dump includes a manual for the NSA’s UNITEDRAKE – modular malware that remotely targets Microsoft Windows machines and is able to compromise “Windows PCs running on XP, Windows Server 2003 and 2008, Vista, Windows 7 SP 1 and below, as well as Windows 8 and Windows Server 2012”.

UNITEDRAKE’s existence first came to light in 2014 in documents leaked by Edward Snowden. It has a number of modules, including CAPTIVATEDAUDIENCE, which can record conversations via a compromised machine’s microphone, GUMFISH, which can hijack webcams, GROK, which can capture keystrokes, and FOGGYBOTTOM, which exfiltrates data.

Fair to say, then, that it’s only a matter of time before it starts spreading.

Today’s lesson: be careful what you click on. It might not be what it seems.

Well, that’s it for this week. Until next time you can keep up with the latest information security news on our blog.

Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.