January 2008

A bogus, "phishing" email message purporting to be from the NYU F.C.U. (NYU Credit Union) is being sent to NYU community members. "Phishing" is a malicious use of email by an outside group pretending to represent an official organization (often a bank or credit card company) in an attempt to obtain important personal and financial data.

If you happen to receive this phishing message, forward it to is.spam@nyu.edu and then delete it. Do not respond to it, click on any links in the body of the message or provide any requested financial information. You should also notify your NYU colleagues of this phishing scam.

The following are tell-tale signs that this was a phishing scam:

• New York University Federal Credit Union will never ask members to call any number or visit any website for security reasons. Anyone who receives an e-mail that purports to be from New York University Federal Credit Union and asks for any information or action by the member should consider it to be a fraudulent attempt to obtain their personal account data for an illegal purpose and should not follow the instructions in the e-mail.
• The link in the message does not point to the domain the message supposedly came from, or any legitimate domain associated with the NYU Federal Credit Union.

If you or another NYU member may have clicked on the link and provided personal information, contact TSS immediately at security@nyu.edu. Alternatively, you may contact ITS Client Services at 212-998-3333.

If you believe your financial information may have been compromised as a result of this phishing attack, you can also contact the NYU Federal Credit Union at: http://www.nyufcu.com/asp/contact.asp

Text of Bogus NYU F.C.U. Phishing Email Follows here:

Dear NYU F.C.U. Customer,

Due to our last days online problems, many phishing attempts and identity-theft, we need to verify our members accounts information. This security method is intended to help you protect yourself and your accounts from internet fraud.

We are sorry for any inconvenience caused by our online servers, but we require you to update your profile as soon as possible by clicking on the following link:

Click here to activate your account

By completing our online form your are in accordance with our Terms of Agreement and your online access will be continued as normal. Thank you for taking your time!

Please do not reply to this notification email as it will not be reviewed. Copyright NYU F.C.U., 2007

Posted by Jill Hochberg at 02:09 PM | Permalink

If you are using the newer 'nyu' wireless network for accessing NYURoam, you will be -- or, perhaps, very recently were -- presented with a dialog box asking you to validate a new server certificate. Simply accept the new certificate and log on as usual. No further action is necessary, and you will not need to validate the certificate again until 2009.

Windows compatibility issues resolved! Difficulties experienced Wednesday, Jan. 23 by people trying to connect via "nyu" from Windows computers have been resolved. If you were trying to access NYURoam via "nyu" over the past few days and were experiencing difficulties, you can now resume using "nyu". (No difficulties were encountered with connections from Macintosh computers.)

For more about 'nyu' and NYURoam, see http://www.nyu.edu/its/wireless/configure/.

Posted by Jill Hochberg at 12:42 PM | Permalink

ITS Technology Security Services has received widespread reports about a phishing scam targeted at NYU community members using the NYUFCU (Credit Union) domain. The from address on the email was spoofed using that domain which may make it appear legitimate , but it also contains a few classic phishing characteristics such as:

1. New York University Federal Credit Union will never ask members to call any number or visit any website for security reasons. Anyone who receives an e-mail that purports to be from New York University Federal Credit Union and asks for any information or action by the member should consider it to be a fraudulent attempt to obtain their personal account data for an illegal purpose and should not follow the instructions in the e-mail.
2. The link in the message does not point to the domain the message supposedly came from, or any legitimate domain associated with the NYU Federal Credit Union.
3. The message contains many spelling and grammar errors.
4. The message implies urgency: "update your profile as soon as possible" and "your access will be continued as normal". Phishing attacks try to convince victims of the urgency of the "problem" in order to steal as much personal information as possible prior to ISPs bringing down the phishing websites.

DO NOT click on any link in that message. At this time, the best thing to do is to:

1. Forward the spam message to is.spam@nyu.edu
2. Delete the message
3. Inform your coworkers of the phishing scam

In the event you or another NYU member may have clicked on the link and provided personal information, contact TSS immediately at security@nyu.edu.

If you believe your financial information may have been compromised as a result of this phishing attack, you can also contact the NYU Federal Credit Union at:

http://www.nyufcu.com/asp/contact.asp

To find out more information about these types of phishing attacks and how to report them, visit:

Federal Internet Crime Complaint Center

Posted by Christopher Penido at 12:08 PM | Permalink