IMPORTANT FOR ALL MEMBERS TO READ RE: W2's

We were alerted to the email below. Please read carefully and share with your units. W2 Forms in our district will NOT be distributed electronically so any such email should be ignored.

Thank you.

Mara
NEW YORK STATE OFFICE OF INFORMATION TECHNOLOGY SERVICES CYBER-THREAT ALERT
 
DATE ISSUED: January 23, 2016
                        January 25, 2016 UPDATED
 
SUBJECT: Active Email Phishing Threat
 
OVERVIEW:
The NYS ITS CSOC has been notified of an active phishing email threat targeting government agencies. We have received reports of a well-crafted phishing email circulating in the past two weeks at several US universities and in neighboring states.  The email notifies employees that their electronic W2s are available and encourages them to click to login and view/print their W2s.  The link takes them to a landing page which has been made to look like the organization’s Human Resources site.  Those who fall victim to the phishing email may have their personal information compromised, including login, password, tax information, bank account information, personal contact information and benefit information.
 
Two sample emails are provided below.  Please note that there are several variants. 
 
ORIGINAL INDICATORS OF COMPROMISE:

• “Click Here” redirects to a URL in the domain hxxp://www.kaizenkz.org
•  IP address resolution for the link currently resolves to 89.253.252.114

January 25, 2016 UPDATED INDICATORS OF COMPROMISE:
·         Email was sent from email domain email.ufrb.edu.br
·         IP address resolution for the email domain resolves to 200.128.85.35
·         The link in the email sent from the email domain redirects to a URL in the domainhxxp://xxx.flirtingvision.co.nz  (this domain is still active)
 RECOMMENDATIONS:

• Block indicators of compromise provided above and review logs for activity.  Note this task has been completed for ITS hosted agencies.
• DO NOT reply to email with any personal information or passwords. If you have reason to believe that the request is real, call the institution or company directly.
• DO NOT click a link in an unsolicited email message. If you have reason to believe the request is real, type the web address for the company or institution directly into your web browser.
• DO NOT use the same password for your work account, bank, Facebook, etc. In the event you do fall victim to a phishing attempt the thieves will try the compromised password in as many places as they can.
• DO change ALL of your passwords if you suspect any account you have access to may be compromised.
• DO be equally cautious when reading email on your phone. It may be easier to miss telltale signs of phishing attempts when reading the email on a smaller screen.
• If you have received this phishing email, do not open the message. Please forward it "as an attachment" to csoc@its.ny.gov and then and DELETE it from your Inbox.

 
If you have any questions or concerns please direct your inquiries to csoc@its.ny.gov  or by phone at 242-5211. 
 
Cyber Security Operations Center
NYS Enterprise Information Security Office
 
Office of Information Technology Services (ITS)
1220 Washington Avenue, Building 5 – 1st Floor
Albany, New York  12226
Main Phone: 518-242-5211 | csoc@its.ny.gov
Website: http://www.its.ny.gov/eiso