Category: Cybersecurity Alerts

Because it is tax season, cybercriminals are increasing their use of Internal Revenue Service (IRS) themed scams.

These scams can include well-crafted phishing emails, text messages and phone calls. Cybercriminals are also using AI to create deepfakes, making their scam pitches even more believable. Other tactics include using social media to post fake content about false information, such as “secret refunds”.

As with most of these scams, their goal is to obtain personal information from you to use in their attack. Or they may try to solicit funds directly from you.

Please be aware that the IRS will never contact taxpayers directly by email, text messages or phone calls. Instead, they will contact you by letter sent through the U.S. Postal Service.

There has been an increase in cybercriminals using the Browser in the Browser (BitB) trick to steal login and password information. This trick has become more common on social media platforms such as Facebook and Instagram, but it can be used in any environment that uses a login page.

The BitB trick uses hidden code to create a fake pop-up looking window in your browser with a login prompt. Because the fake pop-up is entirely generated, it can include a convincing-looking address bar at the top that displays correct domain names. This trick can easily fool users who are looking at the URL before entering their credentials. For example, the BitB trick could be showing what looks like a pop-up window for a Google login and include the correct google.com address as well as all of the correct graphics and formatting. After entering your credentials, the user may even be redirected and logged into the official website. But through this process, the cybercriminal also collected and saved the user’s login and password information, which they can use themselves later. Most login pages are static single pages and do not typically have their login screen in a pop-up window. One of the best ways to spot this BitB trick is that the pop-up window cannot be moved outside of the original main browser window.

Ways to Avoid the BitB trick:

• For logging into any account, don’t trust a button, page link or email link.
  Instead, navigate to the site’s official website URL in a separate browser tab to login.
  
  
• If you are prompted to enter credentials into a login pop-up window, first check to see if the pop-up window can move outside of the browser window. Essential for the BitB trick, are iframes, which are connected to the underlying browser window and cannot be pulled outside it.
  
  
• It is also recommended to use Two Factor Authentication on any account, when available, to give you an extra layer of protection.

Have you ever searched for something on the internet using your favorite browser search engine and gotten results that are completely wrong? For example, you search for your specific car insurance company’s official website. However, the top results you see may list the name of your car company, but the website URL is not your company’s official website.

These types of results can be caused by Search Engine Optimization (SEO) Poisoning. In this type of attack, cybercriminals employ various methods to manipulate search engine results, attempting to redirect traffic to their malicious websites. On these fake websites, users may be prompted to enter their personal account credentials, which the attackers will steal, or the fake sites may include malware that is unknowingly downloaded to the user’s computer.

To avoid SEO Poisoning:

• Always visually verify links before clicking. Examine the URL carefully. Look for name misspellings or letter substitutions in the domain name. Double-check that the domain extension (.com, .edu, .gov, etc.) is correct.
  
  
• Be skeptical of the top results. Many of the first results are often “sponsored” results, meaning that they are paid to be listed first, regardless of your actual search results.
  
  
• Go directly to official websites. If you know the URL of the actual website you want, such as Amazon, then type “amazon.com” directly into the browser address bar, rather than searching for “Amazon”.

Artificial Intelligence (AI) continues to grow in popularity as a tool that can help users do all sorts of things. Unfortunately, cybercriminals understand that and are also using AI for their scams.

One of the common ways that people use AI is to have it summarize content, such as an email, a large document or a spreadsheet. But cybercriminals are taking advantage of that AI usage by embedding hidden and malicious AI instructions in files that are unseen by the user.

For example, a user could receive a lengthy email, and they use AI to summarize the message. But embedded in the email could be a hidden, malicious AI prompt that could force your AI program to search for and read other sensitive emails and documents, which could then be sent to the attacker.

Even documents like an Excel spreadsheet that you ask AI to summarize could contain hidden white text on a white background across multiple sheets, which contain AI task modifications and commands that could hijack your AI’s processes and behavior.

To help avoid falling for this type of scam, users should not open files from people that they do not know, nor open a file that they are not expecting. Also, you should carefully consider what content you have AI summarize or process for you, as well as monitor any AI outputs very closely.

Clemson University users are experiencing an increase in a SharePoint-related cyberattack, like the email pictured below. In this scheme, cybercriminals have likely already compromised a legitimate user and are using the account’s SharePoint site to send a document share email to other users. Sharing files through this method can sometimes circumvent security tools, which could possibly detect these malicious files.

The shared file could be a Word document, a PDF or a similar type of file. The file can contain malware that would infect your computer if you opened it, or it may ask you to log in with your Clemson credentials before you can see the file. This would allow them to steal your login and password information.

To avoid this scam, you should do the following:

• Always use extra caution before opening any file sent to you, especially if you do not know the sender or if you are not expecting a file.
  
  
• Avoid opening an email attachment file if you see the External Sender banner on any email. Those emails are coming from someone outside of Clemson.
  
  
• Before logging in with your Clemson credentials, you should first verify that the URL has “clemson.edu” as the domain address.
  
  
• If you do receive an email that you are unsure about, please use the Report Phishing button in Outlook, and the CCIT Security Team will be happy to investigate it for you to determine if it is legitimate and safe to open.
  
  

To enhance digital security, Clemson Computing and Information Technology (CCIT) is enforcing password expiration for approximately 30,000 Clemson University accounts to help protect data and personal information. While this change will not impact all Clemson users, those who are impacted will receive instructions for the expiration and creation of a new password for their Clemson account. This effort is to strengthen security for accounts that were identified with vulnerable passwords. In the age of artificial intelligence and high performance computing, strong passwords are some of our best defenses against threats or bad actors. 

What to expect

• CCIT engineers will prompt password expiration for specific accounts on the morning of July 31, 2025. 
• The identified users will be emailed more detailed information about what to expect. 
• Users are required to create passwords that meet the new security requirements. 

If you need assistance during the password change process, please contact the CCIT Support Center. Those who are not identified in this round of expiration are also welcome to strengthen their passwords to the more secure passphrase format at any time. 

Clemson University faculty, staff and students using Microsoft Outlook for email can now use the generic Report button to report phishing or junk emails. Reporting an email through this method will still send your email to the Clemson Security Operations Center (CSOC) for review and investigation. The Security Shield Report button has been removed from Outlook to help streamline this process.

But if you need to provide additional information beyond just reporting an email, use the Report Phishing Service through the TigerHub system.

Please contact the CCIT Support Center if you have any questions.

Cybercriminals are leveraging the high interest in artificial intelligence (AI) tools as part of new targeted campaigns. These often appear as “free” AI tools or in false advertisements that link to sites impersonating an official AI site.

If downloaded, the fake AI tool will include a ransomware executable, which will encrypt files and demand payment to unlock the user’s content.

Here are some tips to help avoid falling for this scam:

• Only download from official websites. Always examine the URL carefully.
• Be suspicious of “free” tools or offers that seem too good to be true.
• Research a company or product first before downloading anything.
• Scan files with security tools before opening them.

If you need assistance with downloading AI tools, please contact your Clemson University IT Consultant.

Proofpoint has recently discovered a new attack vector that cybercriminals are using to compromise users’ computers. In this scheme, users are prompted with a notification pop-up on a webpage, in a Word document or when opening a PDF file, saying that there is a problem. And the notification will include a button saying something like “How to Fix” or “Auto-Fix”.

The fake instructions for how to “fix” the problem will typically ask the user to copy and paste some code into Windows PowerShell or the Run dialog box. Because this code is only being copied and pasted, most antivirus software will not have an opportunity to inspect and catch the malicious code. Once this code is run by the victim on their computer, it triggers the download of additional malware and other nefarious activities.

Clemson University users should exercise caution if presented with this error, and it is recommended to reach out to the area’s IT Consultant for assistance.

For additional details, please see the full article on the Proofpoint website.

A new vulnerability in Apple’s AirPlay has been uncovered by Oligo Security Research that could potentially allow bad actors to compromise devices such as your Mac laptop, AirPlay speakers and receivers, or even the CarPlay system in your automobile.

Because of this vulnerability, users could experience a denial of service, loss of sensitive information, or possibly distractions while driving in the form of unwanted sounds or images being displayed on your automobile console.

To help protect yourself against this vulnerability:

• Update any device that supports AirPlay to the latest version of the software available.
• Verify on your AirPlay device that the setting “Allow AirPlay for” is set to just “Current User.”
• Disable the AirPlay receiver on any device where it is not needed.

For additional information, please see the full article at:
https://www.oligo.security/blog/airborne