
Multiple Vulnerabilities in Apple Products

September 2021

Security Vulnerability
The Office of Information Technology (OIT) has become aware of security vulnerabilities impacting multiple Apple Products. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information. 

What do I need to do? 
Apple has released security updates to address these vulnerabilities. OIT recommends that College Community users apply these updates to their Apple Product(s) including personal computers, phones, tablets, and other computing devices as soon as possible. To update Apple devices, please follow the steps below: 
•    Update the software on your Mac - Click here 
•    Update your iPhone, iPad, or iPod touch - Click here 
•    Update your Apple Watch - Click here
•    Update your Apple TV - Click here
•    Update your Windows iTunes – Click here
 

Alert – Major Vulnerability in Apple Products

September 2021

The Office of Information Technology Services has become aware of multiple vulnerabilities impacting multiple Apple Products. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information. More information can be found here.

Multiple vulnerabilities have been discovered in Apple Products, the most severe of which could allow for remote code execution. 
 

  • Safari is a graphical web browser developed by Apple, based on the WebKit engine.
  • watchOS is the mobile operating system for Apple Watch and is based on the iOS operating system.
  • iOS is a mobile operating system for mobile devices, including the iPhone, iPad, and iPod touch.
  • iPadOS is the successor to iOS 12 and is a mobile operating system for iPads.
  • macOS Big Sur is the 17th and current major release of macOS.
  • macOS Catalina is the 16th major release of macOS.
  • macOS Mojave is the 15th major release of macOS.

What do I need to do? 

Apple has released security updates to address these vulnerabilities in multiple products. An attacker could exploit these vulnerabilities to take control of an affected system. OIT recommends that College Community users apply these updates to their Apple Product(s) including their personal computers, phones, tablets and other computing devices as soon as possible.  

To update Apple devices, please follow the steps listed below: 

 

Major Vulnerability in Microsoft Products (Zero Day)

July 2021

The Office of Information Technology (OIT) has become aware of zero-day vulnerabilities impacting multiple Microsoft (Windows Operating System) Products. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information. More information can be found here and here.

What do I need to do? 

OIT is automatically applying these critical updates to all College computers, including desktops and laptops. OIT recommends that College Community users take a few minutes to restart their college computers to ensure that the needed updates have been applied successfully. 

To check manually for updates, please select Start -> Settings -> Update & Security -> Windows Update -> Check for updates (or install now).

OIT also recommends that College Community users apply these updates to their personal Microsoft Product(s) including their Windows Computers, Windows Phones, Surface Tablets, and other Windows computing devices as soon as possible.  

To update Microsoft devices, please follow the steps listed below: 

Fraudulent Unemployment Claims

RE: Fraudulent Unemployment Claims

The Office of Human Resources has become aware of a surge in fraudulent unemployment claims.

  • Please see notification from IRS click here.
  • New York State Police also warned of an uptick in fraudulent claims, click here and click here.
  • Criminals are using stolen identities, likely stolen from previous breaches and systems.

We recommend college community members remain vigilant and use due diligence when browsing third-party sites, banks, financial institutions, and others.

  • Change password(s) for any personal and financial account(s) and monitor them closely for any suspicious activity. Password guidelines click here
  • Follow Information Security Tips on our website click here
  • Cyber Security Tips to Protect Privacy click here
  • Cyber Security Tips to Protect from Phishing click here

In addition, community members may want to do the following:

  • Place a free fraud alert on accounts with the three credit bureaus (Experian, TransUnion, and Equifax) click here
  • Getting a free credit report click here
  • Report any suspected identity theft to the FTC click here
  • File a report with their local police department if they think they have been a target of identity theft

If you receive a notice of a fraudulent unemployment claim from the NYS DOL (Department of Labor), please visit the DOL website to report the fraudulent activity click here and FTC website click here. Please reach out to Human Resources at hr@mercy.edu for any assistance.

 

Fraudsters Impersonating UNICEF Use Spoofed Emails & Fraudulent Checks to Defraud U.S. College Students for Financial Gain

The Department of Campus Safety and Office of Information Technology have been made aware of the following Alert:

References in this Academia product to any specific commercial product, process or service or the use of any corporate name herein is for informational purposes only and does not constitute an endorsement, recommendation, or disparagement of that product, process, service or corporation on behalf of the FBI. 

The FBI Miami, Tampa, and Jacksonville Field Offices, in coordination with the FBI Office of the Private Sector (OPS), prepared this Liaison Information Report to inform the education facilities sector of spoofed emails and fraudulent checks being employed by individuals impersonating employees of the United Nations International Children’s Emergency Fund (UNICEF) to defraud U.S. college students for financial gain. Recent reporting from the FBI’s Internet Crime Complaint Center (IC3) indicates fraudsters posing as UNICEF employees used a variety of tactics to obtain personally identifiable information (PII) from U.S. college students and, when successful, defrauded students of an average of $3,000 each.

In most of these schemes, fraudsters sent an email to the student’s college email address, with the sender’s address typically appearing to originate from another student at their college, concerning an internship or part-time employment position with UNICEF. The fraudsters usually mailed checks with United States Postal Service (USPS) tracking to the students, containing their first paycheck and additional funds allegedly intended to purchase items for foster homes or orphanages on behalf of UNICEF.  After the students deposited the checks into a personal banking account, the fraudsters directed the students to purchase cryptocurrency or gift cards, or to otherwise transfer the funds to another financial account. Financial institutions later determined the checks to be fraudulent. Examples of these schemes impacting Florida college students included, but were not limited to, the following: 

•    In March 2021, a Florida college student received an email to their student email address regarding an internship opportunity with UNICEF to work from home, allegedly to purchase items for foster homes. Per the email’s instructions, the victim contacted a “director” who asked for personal information including the victim’s name, home address, and telephone number. About two weeks later, the victim received a cashier’s check which the victim believed was intended to purchase items for foster children. A day after depositing the check, the “director” instructed the victim via text message to purchase and then transfer bitcoins, as well as transfer $500 from a cash app, to other accounts. The victim’s financial institution indicated the check was more than likely fraudulent.

•    In March 2021, a Florida college student received an email to their student email address regarding a part-time job opportunity with UNICEF. The victim completed an application providing personal information including their social security number. Two weeks later, the victim received an email from a “supervisor” with a job offer and information advising the victim that they would begin receiving assignments shortly. The victim subsequently received a text message providing a USPS tracking number to track a package containing a check that allegedly was sent by the agency. The “supervisor” instructed the victim to deposit the check into a personal bank account and then to purchase six $500 gift cards. After each purchase, the “supervisor” asked the victim to take photographs of the receipt and gift card and send them to the “supervisor.” The victim later learned the check was fraudulent, after the gift cards had been redeemed. 

•    In March 2021, a Florida college student received an email from an alleged student regarding a professor who was seeking students who wanted to earn extra money working with UNICEF. The student contacted the “professor” via email and the two began corresponding about the job position. The “professor” then sent a text message to the student, advising a check was en-route and providing a USPS tracking number. While the student was waiting for the check to clear, the “professor” asked the student to wire the funds to the manager of a foster home. After the student had wired the funds, the student’s financial institution determined the check had been altered or was fictitious.

•    In December 2020, a Florida college student received an email from an alleged student attending the same college, regarding a part-time, remote position with UNICEF during the COVID-19 pandemic. The email instructed the student to contact another email address for more information. After contacting the indicated email address, the student received an application via an online Google Docs form. The application contained a job description and requested personal information including the student’s name, telephone number, and email address. The student then received a “welcome aboard” letter with the telephone number of a “contact supervisor.” The “supervisor” reached out to the student regarding a check that had been sent. Once the student received the check, the “supervisor” then sent instructions regarding which cards the student should purchase and to which addresses the student should send the cards.

Indicators 
The following indicators may assist in identifying related suspicious activities. These suspicious activities include but are not limited to any individual, group, or activity and should be observed in context and not individually. 

•    Unsolicited emails containing grammatical and spelling errors, requesting PII, or originating from domains that are not organization specific. A best practice would be to verify the authenticity of email addresses by contacting organizations through their official websites.

This Academia Product was disseminated from OPS’s Information Sharing and Analysis Unit. Direct any requests and questions to your FBI Private Sector Coordinator at your local FBI Field Office:  https://www.fbi.gov/contact-us/field-offices 

Alert – Major Vulnerability in Apple Products (Zero Day)

Security Vulnerability
The Office of Information Technology Services has become aware of multiple zero-day vulnerabilities impacting multiple Apple Products - known as CVE-2021-1782, CVE-2021-1870 & CVE-2021-1871. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information. More information can be found here.

For more details on these vulnerabilities, please visit the Apple Security pages for the following products:
•    Xcode 12.4
•    iCloud for Windows 12.0
•    iOS 14.4 and iPadOS 14.4
•    tvOS 14.4
•    watchOS 7.3
What is a “Zero-Day” Vulnerability? 
A zero-day (also known as 0-day) vulnerability is a computer-software vulnerability that is unknown to those who should be interested in mitigating the vulnerability (including the vendor of the target software). Until the vulnerability is mitigated, hackers can exploit it to adversely affect computer programs, data, additional computers or a network. An exploit directed at a zero-day is called a zero-day exploit, or zero-day attack.

What do I need to do? 
Apple has released security updates to address these vulnerabilities in multiple products. An attacker could exploit these vulnerabilities to take control of an affected system. OIT recommends that College Community users apply these updates to their Apple Product(s) including their personal computers, phones, tablets and other computing devices as soon as possible.  

To update Apple devices, please follow the steps listed below: 
•    Update the software on your Mac - Click here 
•    Update your iPhone, iPad, or iPod touch - Click here 
•    Update your Apple Watch - Click here
•    Update your Apple TV - Click here