September Cybersecurity Advisory Letter

September Cybersecurity Advisory Letter

September 21, 2023

In this issue:

  • Three Scams Targeting College Students
  • Savvy Cybersecurity quick links
  • Cybersecurity shorts
  • Software updates


Welcome to your September Savvy Cybersecurity newsletter. Read on to learn more about:

  • A major cyberattack hits Vegas
  • The long list of software you should update immediately
  • And much more

Three Scams Targeting College Students

Back-to-school season is now in full force. College students have returned to campus ready for a new semester—and so have the scams targeting college students. While many young adults are living on their own for the first time, be sure they are aware of certain scams in this next chapter of life.

  1. Student loan scams

Many students attending college are paying for a portion of their education through student loans. Unfortunately, many scammers take advantage of this fact and prey on students. For example, a student may receive an email from a company offering to reduce their student loan debt for a one-time fee. While there are some legitimate companies that can help with refinancing student loan debt, there are loads of scammers in this space looking to make money.

In addition to student loan relief, there are also scammy scholarship offers. Students must be aware that these exist and be cautious if they receive a call or email from an organization asking for bank account information for a scholarship. 

  1. Employment scams

Scammers also target college students with fake work-from-home jobs. Often these jobs are advertised to have flexible schedules and a great fit for students or stay-at-home moms. Be aware of red flags such as applications that ask for financial information or jobs that require you to use your own money to pay for supplies or gift cards with the promise of being reimbursed.

Students looking for work at school should contact the employment department at the college for assistance in finding a legitimate job.

  1. Student housing/apartment scams

Some students may be pining for their own space outside of a shared dorm room and begin looking for apartments. Unfortunately, there are many scams around apartments for students. Often scammers will use fake pictures to advertise a rental that they do not own. They ask the student for a security deposit and once they have the money, the student shows up to a very different apartment than what was advertised or no apartment at all.

It is important that students vet any off-campus housing by reading reviews and visiting the space before paying any money.

College is an exciting time for young adults. These tips can help ensure students don’t need to deal with scams while on campus.

Cybersecurity shorts

Cyberattack shuts down MGM resorts and properties. The hotel and casino operator, MGM Resorts, shut down numerous computer systems including its website in response to a "cybersecurity issue" this month. This initial shutdown impacted nearly all aspects of the business. This includes booking systems, electronic key card systems, casino floors, and more. MGM Resorts operates thousands of hotel rooms across Las Vegas and the US. This is not their first cybersecurity incident. In 2020 the personal details of more than 10 million MGM visitors were published on a hacking forum. The investigation is ongoing, but you can read more about it here.

China uses AI to create viral propaganda. Chinese state-affiliated hacking groups are becoming more adept at using artificial intelligence to help generate content that is designed to "go viral across social networks" in the US and other democracies the Microsoft Threat Intelligence Center announced this month. Furthermore, part of this activity included social media personas operated by real people who employ fictitious or stolen identities that conceal connections with the Chinese government and share artificially generated content. Read more here.

Voluntary Ed tech pledge created by CISA. The Cybersecurity and Infrastructure Security Agency (CISA) has created a voluntary pledge for K-12 educational tech software providers in hopes of demonstrating commitment to creating better built-in security for their products. This pledge asks companies to, "take ownership of security outcomes and embrace radical transparency and accountability," along with more. However, they will not enforce the voluntary pledge, nor will they follow up on a company's adherence to these commitments.

Nearly 60,000 Microsoft 365 accounts targeted. Researchers have identified high-grade phishing kits that have attacked nearly 60,000 Microsoft 365 accounts. A cybercrime group developed and sold phishing software that has been deployed over the past 10 months in attempts to compromise these accounts. The Group-IB identified as "W3LL" has been active since 2017 and generated at least $500,000 in sales of these toolkits.

Software updates

Adobe: Adobe has released an update fixing a zero-day exploit in Reader and Acrobat software. This security flaw is currently being exploited on both Windows and Macs. Be sure to update this software as soon as possible. You can learn more here.

Apple: This month, Apple released emergency security updates for iOS, iPadOS, macOS, and watchOS that address two zero-day flaws that were exploited to deliver NSO Group's Pegasus mercenary spyware. The issues that are addressed include a validation issue in Wallet that could result in arbitrary code execution when handling a maliciously crafted attachment and a buffer overflow issue in the Image I/O component that could result in arbitrary code execution when processing a malicious image.

Google: Chrome users must update their browser to protect their devices from a zero-day bug. To update, close your browser and re-open it.

Microsoft: Microsoft has issued an update for over 50 security issues this month. One of the updates closes yet another zero-day exploit—this time in Microsoft Word. Your devices should prompt you to update automatically. Learn more here.

Mozilla: Not to be left out, Mozilla also released updates for its browsers closing a zero-day exploit. Be sure to update your Firefox, Thunderbird, or Brave browser.