Security information

Dear students, faculty and staff

This is a notice from the Information Systems Division.

　There has been an increase in the number of phishing e-mails sent to you by people trying to defraud you of your account information for commercial Internet services or for the University.
Some of these emails may slip through our email security system and be delivered to you.
Users have reported receiving suspicious e-mails.
If you receive a suspicious e-mail, be careful not to access the URL in the body of the message.
Do not open any attached files.

The sender (From:) is often spoofed and may be the sender's own email address or the administrator's email address (e.g., admin@~).

An example of a subject line: sic.shibaura-it
sic.shibaura-it.ac.jp New Webmail service is now available
mail delivery failure: storage is almost full
ow.shibaura-it.ac.jp mail service update Case ID: ?????
You have [13] pending incoming emails
SYSTEM NOTIFICATION ~ Your 8 unreceived emails are stuck on the sic.shibaura-it.ac.jp Server.
Your ow.shibaura-it.ac.jp Account will be disabled soonest.
Your Outlook storage is full
Verify User
Mail Notice: De-activation
Account Termination
Email Termintaion Request
Undeliverable: Incoming messages failure
Check Password
Email Verification ~ VERIFY YOUR EMAIL ACCOUNT TODAY
～Unknown Login Notification
Password Expiration Notice!
～ Email Notification
Required Action: Email Deactivation Notification for
Required Action: Important Notification for Tuesday, June 27, 2023
Required Action: Important Notification for Monday, June 26, 2023
Required Action: Important Notification for Sunday, June 25, 2023
You have received a new voicemail memo.
Error receiving mail
Notification: Mailbox size has reached quota limit
Sic mailbox size has reached quota limit
Mailbox storage space is low
~ Received Mail Error
Mailbox storage is full, account is suspended

If you receive a suspicious email, please contact SIT-CSIRT.
SIT-CSIRT (Shibaura Institute of Technology Computer Security Incident Response Team)
Email: csirt@shibaura-it.ac.jp

Translated with www.DeepL.com/Translator (free version)

検索サイトから本学に関連するキーワードを検索すると、本学を騙る偽サイトが検索結果に表示されることを確認いたしました。

本件に限らず、最近検索結果に偽サイトが表示されることが散見されます。

偽サイトの中にはアクセスをするとWebブラウザに感染するものや、マルウエアがダウンロードされるものも存在しますので、常に検索結果に不審なものが含まれていないか確認することを心掛けてください。

 また、偽サイトを発見した場合は、SIT-CSIRTまでご報告いただけます様お願いいたします。

SIT-CSIRT
  csirt@shibaura-it.ac.jp

We have confirmed that a fake website impersonating our university appears in the search results when you search for keywords related to our university through search engines.

Not only in this case, but also in other recent cases, fake sites have been appearing in search results.

Some of the fake sites may infect web browsers or download malware when accessed, so please be sure to always check your search results for suspicious items.

If you find a fake site, please report it to SIT-CSIRT.

SIT-CSIRT
csirt@shibaura-it.ac.jp

Example of search results

Examples of Fake Sites

Emotet is malware that is often infected by opening Word files attached to emails.

It was seized and stopped by EUROPOL (European Organization of the Criminal Police) on 1/27/2021, but there are signs of resumption of activity since around 11/14/2021.

The attached files are not only Word and Excel files, but also zip files with passwords.

Emotet malware, which was popular in Japan from the end of August 2019 to January 2020, seems to have temporarily resumed its activities in Japan since July 2020. Please be aware that activities may become more active in the future.

When infected with Emotet, not only is the e-mail information of Outlook (authentication information to the e-mail server, e-mail address of the inbox, subject etc.) stolen, but also other malware (Qbot, TrickBot, Ryuk ransomware, Ursnif banking malware etc.) ) May cause additional infections.

The stolen email information may be used to scatter emails to spread infection.

• Regarding the resumption of email distribution activities that lead to infection with the malware Emotet (JPCERT/CC)

Please note that there are various subject lines for emails, and some may take the form of replies to stolen emails.

If you receive such an email, please do not open it and contact the Center for Science Information.

If you open it and activate the content, immediately disconnect from the network.

Please check if the antivirus software on your device is working properly.

【Attention】
For the emails scattered,there are those that take the form of replying by quoting stolen mail in the body (reply type), and those that embed the stolen name/email address etc. in the subject and signature of the body.
Please be careful.

It has been confirmed that there is no attached file and a link is written in the email body.
Please be careful not to access the link destination as the Word file etc. of the Emotet downloader will be downloaded when you click the link.

！！！Do not run macros in Word files with macros (do not press enable content)！！！

【Information about Emotet】

• Alert regarding malware Emotet infection (JPCERT/CC)
• About emails targeted for infection by a virus called "Emotet"(IPA)

Sender

(People who have exchanged in the past)

Example of subject

Request to send invoice (number etc.)
This is the invoice. (Numbers, etc.)
Re: (Subject of previously received email)

Example of attachment file name

(Alphabet and numbers) Please send invoice. doc
(Alphabet or number) This is the invoice. .doc
(Alphabets and numbers) Notification of payment amount and issuance of invoice.doc

Dear Faculty and Staff

This is a notice from the Information Network Service Section.

During the year-end and New Year holidays, security incidents are more likely to occur due to the lack of system management.
As the volume of e-mails checked will increase, please be especially careful of suspicious e-mails after the holidays, 

In recent years, A number of cyber-attacks confirmed by fake e-mails sent to Japanese academics, think tank researchers, and the press, pretending to be requests for lectures or interviews, etc., and leading to be compromised by executing malware, then attempt to steal the contents of emails and computer files exchanged by these individuals.

For details, please refer to the information provided by the National Police Agency's Cybercrime Countermeasures Project.
 ( https://www.npa.go.jp/cyber/ )

Our university introduced an e-mail targeted attack countermeasure system for full-time faculty and administrative staff.
Suspicious e-mails are automatically quarantined and a notification e-mail is sent at 15:00 daily, 
so please make sure to check the contents.
 https://web.sic.shibaura-it.ac.jp/email_security

If you receive a suspicious email, please contact SIT-CSIRT.
SIT-CSIRT (Shibaura Institute of Technology Computer Security Incident Response Team)
Email: csirt@shibaura-it.ac.jp

Dear Students, Faculty and Staff

Warning from the Information Network Service Division

We have received many reports of suspicious Emotet malware email from several people today.
We announced this on November 25 last year, but we would like to ask you to check again.
Please also check the security information on the Center for Science Information website.

1. Warning against phishing e-mails

　Recently, there have been many cases of phishing e-mails aimed at fraudulently obtaining account information for webmail services.
We have also received reports of suspicious emails from users of our university.
If you receive a suspicious email, please be careful not to access the URL in the text.
If you receive a suspicious e-mail, please do not access the URL in the text, and do not open any attachments.

Please check the security information on the Center For Science Information website.

Example of subject line:
メールプラン、セキュリティ強化第2弾リリースのお知らせ
【重要】2021年XX月XX日（X）のサービス復旧のお知らせ。
【重要】使用制限によるサービス停止のお知らせ- {メールアドレス}
【重要】サービス停止のお知らせ - {メールアドレス}
【お知らせ】メール配信通知 - {メールアドレス}
[メール接続サービスの終了について_shibaura-it.ac.jp] - {メールアドレス}
[からの通知_Shibaura-it]_{メールアドレス}
【バージョンアップ】メンテナンス作業のお知らせ
【重要】sic.shibaura-it.ac.jp メール送信機能停止のお知らせ

If you receive a suspicious email, please contact SIT-CSIRT.
SIT-CSIRT (Shibaura Institute of Technology Computer Security Incident Response Team)
Email: csirt@shibaura-it.ac.jp

2. Warning about Emotet malware email
The Emotet malware was seized and stopped by EUROPOL (European Criminal Police Organization) on January 27, 2021.
However, it has tended to resume its activities since around November 14, 2021.
It seems that emails targeting Japan are also being sent.

For more information about the Emotet malware, please check the security information on the Center For Science Information website.

If you receive a suspicious email, please contact SIT-CSIRT.
SIT-CSIRT (Shibaura Institute of Technology Computer Security Incident Response Team)

Email: csirt@shibaura-it.ac.jp 3.

3. Warning about attacks on the CMS of web servers
If you are running a web server in your laboratory and using CMS (WordPress, Movable Type, etc.)
Please check for suspicious access.
In Japan, there have been cases of illegal content being embedded, phishing e-mails being sent out in large numbers, and unauthorized server intrusions.
Please take measures such as managing passwords for the web servers you use, updating vulnerable software, and stopping unnecessary services.

If you find any suspicious access, please contact SIT-CSIRT.
SIT-CSIRT (Shibaura Institute of Technology Computer Security Incident Response Team)

Email: csirt@shibaura-it.ac.jp

There have been reports of suspicious e-mails being sent from your own e-mail address.

The sender's email address may have been spoofed to match that of the recipient.

Reference Information(Japanese):

• JC3 - 暗号資産（ビットコイン）を要求する脅迫メールに注意

There are many different subject lines, as shown below. (Japanese)

• デバイスがハッキングされました
  (Your device has been hacked.)
• You have an outstanding payment.
• 申し訳ありませんが
  (I'm sorry, sir.)
• アカウントからのお支払い。未払いがあります
  (Payment from your account. You have an outstanding debt.)
• You have outstanding debt.
• こんにちは〜！
  (Hello~!)
• 幸運を祈ります!
  (Good luck!)
• お支払いを待っています
  (I'm waiting for your payment.)
• メールを確認してください！
  (Please check your email!)
• トランザクションを終了します。
  (Close the transaction.)
• 口座からのお支払い
  (Payment from your account)
• メールをご確認ください！
  (Please check your email!)

These are threatening or fraudulent emails. If you receive such an email, please discard it.

Example 1(Japanese):

それが起こったのです。ゼロクリックの脆弱性と特別なコードを使用して、Webサイトを介してあなたのデバイスをハッキングしました。私の正確なスキルを必要とする複雑なソフトウェア。このエクスプロイトは、特別に作成された一意のコードを使用してチェーンで機能し、このようなタイプの攻撃は検出されません。Webサイトにアクセスしただけで感染してしまいましたが、残念なことに、私にとっては非常に容易いことです。あなたは標的にされたのではなく、そのWebページを介してハッキングされた多くの不運な人々の一人になったのです。これはすべて8月に起こりました。そのため、情報収集には十分な時間がありました。次に何が起こるかはもうご存知だと思います。数ヶ月間、私のソフトウェアは、あなたの習慣、あなたが訪問するウェブサイト、ウェブ検索、あなたが送るテキストなどの情報を静かに収集していました。他にもまだまだありますが、これがどれほど深刻であるかを理解していただくために、いくつかの理由を挙げました。
(以下省略)

 

That's what happened. Using a zero-click vulnerability and special code, I hacked your device through a website. Complex software that requires my exact skills. This exploit works in a chain using a specially created unique code and this type of attack is undetectable. just visiting the website infected me, unfortunately it is very easy for me. You were not targeted, but became one of the many unlucky people who were hacked through that web page. This all happened in August. Therefore, there was plenty of time to gather information. I think you already know what will happen next. For months, my software has been quietly collecting information about your habits, websites you visit, web searches, texts you send, and so on. There are many more, but I have listed a few reasons to help you understand just how serious this is.
(Omitted below)

Example 2(Japanese):

それが起こったのです。ゼロクリックの脆弱性と特別なコードを使用して、Webサイトを介してあなたのデバイスをハッキングしました。 私の正確なスキルを必要とする複雑なソフトウェア。 このエクスプロイトは、特別に作成された一意のコードを使用してチェーンで機能し、このようなタイプの攻撃は検出されません。 Webサイトにアクセスしただけで感染してしまいましたが、残念なことに、私にとっては非常に容易いことです。 あなたは標的にされたのではなく、そのWebページを介してハッキングされた多くの不運な人々の一人になったのです。 これはすべて8月に起こりました。そのため、情報収集には十分な時間がありました。 次に何が起こるかはもうご存知だと思います。 数ヶ月間、私のソフトウェアは、あなたの習慣、あなたが訪問するウェブサイト、ウェブ検索、あなたが送るテキストなどの情報を静かに収集していました。 他にもまだまだありますが、これがどれほど深刻であるかを理解していただくために、いくつかの理由を挙げました。 明確に言うと、私のソフトウェアはあなたのカメラとマイクも制御しました。
(以下省略)

 

That's what happened. Using a zero-click vulnerability and special code, I hacked your device through a website. Complex software that requires my exact skills. This exploit works in a chain using a specially created unique code and this type of attack is undetectable. I got infected just by visiting a web site, unfortunately, it is very easy for me. You were not targeted, but became one of the many unlucky people who were hacked through that web page. This all happened in August. Therefore, there was plenty of time to gather information. I think you already know what will happen next. For months, my software has been quietly collecting information about your habits, websites you visit, web searches, texts you send, and so on. There are many more, but I have listed a few reasons to help you understand how serious this is. To be clear, my software also took control of your camera and microphone.
(Omitted below)

例3:

"Let's resolve it like this: All you need is $1750 USD transfer to my account (bitcoin equivalent based on exchange rate during your transfer), and after the transaction is successful, I will proceed to delete all that kinky stuff without delay. Afterwards, we can pretend that we have never met before. In addition, I assure you that all the harmful software will be deleted from all your devices. Be sure, I keep my promises." I think that about sums it up.

Dear Students, Faculty and Staff

Warning from the Information Network Service Division

We would like to inform you that we have received three reminders from the Cyber Security Division of the Ministry of Education, Culture, Sports, Science and Technology.

1. Warning against phishing e-mails

　Recently, there have been many cases of phishing e-mails aimed at fraudulently obtaining account information for webmail services.
We have also received reports of suspicious emails from users of our university.
If you receive a suspicious email, please be careful not to access the URL in the text.
If you receive a suspicious e-mail, please do not access the URL in the text, and do not open any attachments.

Please check the security information on the Center For Science Information website.

Example of subject line:
メールプラン、セキュリティ強化第2弾リリースのお知らせ
【重要】2021年XX月XX日（X）のサービス復旧のお知らせ。
【重要】使用制限によるサービス停止のお知らせ- {メールアドレス}
【重要】サービス停止のお知らせ - {メールアドレス}
【お知らせ】メール配信通知 - {メールアドレス}
[メール接続サービスの終了について_shibaura-it.ac.jp] - {メールアドレス}
[からの通知_Shibaura-it]_{メールアドレス}
【バージョンアップ】メンテナンス作業のお知らせ

【重要】sic.shibaura-it.ac.jp メール送信機能停止のお知らせ

If you receive a suspicious email, please contact SIT-CSIRT.
SIT-CSIRT (Shibaura Institute of Technology Computer Security Incident Response Team)
Email: csirt@shibaura-it.ac.jp

2. Warning about Emotet malware email
The Emotet malware was seized and stopped by EUROPOL (European Criminal Police Organization) on January 27, 2021.
However, it has tended to resume its activities since around November 16, 2021.
It seems that emails targeting Japan are also being sent.

For more information about the Emotet malware, please check the security information on the Center For Science Information website.

If you receive a suspicious email, please contact SIT-CSIRT.
SIT-CSIRT (Shibaura Institute of Technology Computer Security Incident Response Team)

Email: csirt@shibaura-it.ac.jp 3.


3. Warning about attacks on the CMS of web servers
If you are running a web server in your laboratory and using CMS (WordPress, Movable Type, etc.)
Please check for suspicious access.
At other universities, there have been cases of illegal content being embedded, phishing e-mails being sent out in large numbers, and unauthorized server intrusions.
Please take measures such as managing passwords for the web servers you use, updating vulnerable software, and stopping unnecessary services.

If you find any suspicious access, please contact SIT-CSIRT.
SIT-CSIRT (Shibaura Institute of Technology Computer Security Incident Response Team)

Email: csirt@shibaura-it.ac.jp

If your laboratory operates a web server and uses a CMS (WordPress, Movable Type, etc.), please check for suspicious access.

In Japan, incidents such as the embedding of malicious content, mass transmission of phishing e-mails, and unauthorized intrusion into servers have occurred.

Please take measures such as managing passwords for the web server you are using, updating vulnerable software, and stopping unnecessary services.

WordPress Vulnerability Information

https://jvndb.jvn.jp/search/index.php?mode=_vulnerability_search_IA_VulnSearch&lang=en&keyword=wordpress

Movable Type Vulnerability Information

https://jvndb.jvn.jp/search/index.php?mode=_vulnerability_search_IA_VulnSearch&lang=en&keyword=Movable+Type

不審なアクセスを発見した場合は、SIT-CSIRTに連絡してください。
SIT-CSIRT (Shibaura Institute of Technology Computer Security Incident Response Team)
Email: csirt@shibaura-it.ac.jp
 

Recently, phishing e-mails posing as e-mail systems have been sent to many organizations.

Subject Example: 

• Announcement of the second release of the mail plan and security enhancements
• [Important] Notice of Service Restoration for XX/XX/XXXX(X), 2021.
• Important] Notice of Service Suspension due to Usage Restrictions - {email address}
• [Important] Notice of service suspension - {email address}
• [Important] Notice of Termination of Email Delivery - {email address}
• [Important] Notice of Termination of Email Connection Service_shibaura-it.ac.jp] - {email address}
• [Notice] [Notice from _shibaura-it] _{email address}
• [Upgrade] Notice of maintenance work

The following screen is not the login screen for the system used by the university.

Never enter your email address or password.

Please contact the Information System Division if you have inadvertently typed something.

We have received a report that phishing e-mails are being sent to several e-mail addresses of the University of Tokyo at around 8:33 a.m. on September 29, 2021, falsely claiming to be notices of maintenance work on the Webmail system.

If you enter your user name and password into this site, your credentials may be exploited and unauthorized access may be gained.

If you have inadvertently entered your username and password, please change your password and contact the Information System Division.

If you have inadvertently entered your username and password, please change your password and contact the Information System Division.

・Example subject line(Japanese)

・Example of main text(Japanese)

・Example of a phishing site screen

We have received several inquiries like this.

"When browsing internet sites, screens such as "Access to this PC is blocked for security reasons" or "Windows was blocked due to suspicious activity" are displayed with alarm sounds."

Both will prompt you to call a phone number starting with 050, and when you call, you will be instructed to install remote control software or go to a convenience store to buy a prepaid card.
This is a support scam.

Virus infection warning and support phone number displayed
https://www.keishicho.metro.tokyo.jp/sodan/nettrouble/jirei/warning_screen.html

Click here for how to close the fake warning screen.
Microsoft :
https://news.microsoft.com/ja-jp/2021/01/29/210129-information/

If the display does not stop even after closing the browser, please contact SIT Center for Science Information.
How to contact us :
https://web.sic.shibaura-it.ac.jp/otoiawase?lang=en

We've received calls that suspicious emails with attachments were sent to SIT email addresses from 2020/07/08 1:55.

This attached file make your computer infected to ransomwarewhen you open the file.

When you receive this email, please delete the email WITHOUT open/download attached file.

When you inadvertently open the attached file, please call Center for Science Information!

Examples of Subject

• I like this photo
• I love this photo!
• Is this you?
• Is this your photo?
• Look at this photo!
• My favourite photo!
• Photo just for you
• You like this photo?
• You look good here
• Your new photo?

Examples of attatched file name
IMG[Numbers].jpg.js.zip

2020/04/21 From around 11:47, there were reports that the phishing emails of the Webmail-like system were distributed to multiple email addresses of our university.

If you enter your user name and password on this site, your authentication information may be exploited, which may lead to unauthorized access.

If you receive this email, please delete it without accessing the link.

If you accidentally enter your user name and password, please change your password and contact the Information Systems Division.

• Title

• Text example 1

• Phishing site screen

2020/04/19 From around 02:26 to around 02:30, and from around 04:04 to around 04:09, phishing e-mails disguised as the University's WebActive! Mail were scattered to multiple e-mail addresses. Was reported.

When you access the link in the body of the email, you will see a website that looks just like the University's Webmail system.

If you enter your user name and password on this site, your authentication information may be exploited, which may lead to unauthorized access.

If you receive this email, please delete it without accessing the link.

If you accidentally enter your user name and password, please change your password and contact the Information Systems Division.

• Title

• Text example 1

• Text example 2

• Phishing site screen

2020/04/15 From around 12:06, there were reports that phishing e-mails, which seem to be web mails, were distributed to multiple e-mail addresses of our university.

If you enter your user name and password on this site, your authentication information may be exploited, which may lead to unauthorized access.

If you receive this email, please delete it without accessing the link.

If you accidentally enter your user name and password, please change your password and contact the Information Systems Division.

• Title

• Text example

From around 2020/02/11 12:08, there were reports that phishing emails spoofing the University's WebActive! Mail were being scattered to multiple university email addresses.

When you access the link in the body of the e-mail, a site similar to the university's Web mail system will be displayed.

If you enter your username and password on this site, your credentials will be exploited and unauthorized access may be possible.

If you receive this email, please delete it without accessing the link.

If you accidentally enter your user name and password, change the password and contact the Information System Section.

• Subject

• Example text

• Phishing site screen

Around 8:30 2020/02/08 and around 12:31 2020/02/11 there have been reports that suspicious e-mails with emoticons in the subject and body have been scattered to multiple e-mail addresses of the University. did.

When the attached file is opened, it is infected with ransomware (NEMTY), the data is encrypted and a ransom is required.

If you receive this email, please delete the attachment without opening it.

If you accidentally get infected and your data is encrypted, please contact the Information Systems Section.

• Subject example
  :)
  ;)
  :-)
  ;-)
  :-D
  :D
  8-)
  8-D
  :*
  :-*

• Attachment file name
  PIC_Numbers_2020.zip
  IMGNumbers_jpg.zip

• Message displayed when infected with NEMTY ransomware

Report that phishing e-mails spoofing the University's WebActive! Mail are distributed to multiple e-mail addresses of the University around 2020/01/30 23:47 and 01/31 01: 20-02: 28 had.

When you access the link in the body of the e-mail, a site similar to the university's Web mail system will be displayed.

If you enter your username and password on this site, your credentials will be exploited and unauthorized access may be possible.

If you receive this email, please delete it without accessing the link.

If you accidentally enter your user name and password, change the password and contact the Information System Section.

• Subject

• Example text

• フィッシングサイトの画像

Since the end of August 2019, Emotet Malware has been in fashion in Japan. Emotet is malware that is often infected by opening Word files attached to e-mails.

If you get infected with Emotet, you will not only steal Outlook email information (email server authentication information, inbox email address, subject, etc.) but also to other malware (TrickBot, Ryuk ransomware, Ursnif banking malware, etc.) Additional infection may occur.

The stolen email information may be used to disseminate emails for spreading infection.

• Emotet and TrickBot information (Sophos)

Please note that the subject line of emails varies and some of them take the form of replies to stolen emails.

If you receive such an email, please do not open it and contact the Information Systems Division.

If you open it and activate the content, disconnect from the network immediately.

Please make sure that the anti-virus software on your device is operating correctly.

• Attached file example

件名の例

Around 2020/01/10 19: 40-19: 53, there were reports that phishing emails spoofing the University's WebActive! Mail were being distributed to multiple email addresses of the University.

When you access the link in the body of the e-mail, a site similar to the university's Web mail system will be displayed.

If you enter your username and password on this site, your credentials will be exploited and unauthorized access may be possible.

If you receive this email, please delete it without accessing the link.

If you accidentally enter your user name and password, change the password and contact the Information System Section.

• Subject

• Text

• Phishing site image