
Global Citizenship Foundation

Threat Detection and Response Updates


Last updated 15 days ago

About Threat Detection and Response Notification Center

The Threat Detection & Response (TDR) page is a live incident dashboard within GCF’s Trust & Safety Center that logs confirmed security events, such as phishing campaigns or spoofed sites, with timestamps, concise summaries, and clear, bullet-pointed mitigation steps. It keeps staff and stakeholders informed of evolving threats and provides actionable guidance to contain incidents and prevent recurrence.

2025

January 2025

Incident Report: Phishing Emails Impersonating Director-General Requesting Personal Information from Staff

Incident Summary

Between January 1–20, 2025, several employees received emails spoofing the Director‑General’s address, requesting urgent submission of personal data for an “internal audit.”

Timeline

  • Jan 21, 18:00 UTC – First report from staff.

  • Jan 22, 09:15 UTC – IT Security confirms sender domain is misspelled.

  • Jan 23, 10:00 UTC – Organization‑wide phishing alert issued.

Detection

  • User reports to support@globalcitizenshipfoundation.org

  • Email gateway flagged SPF and DKIM authentication anomalies on the messages.

Immediate Response

  1. Blocklisted the spoofed domain and its associated IP addresses.

  2. Added content rules to quarantine messages with urgent‑data‑request keywords.

Containment & Remediation

  • Deployed user‑level multi‑factor authentication (MFA) reminder.

  • Blocked external forwarding of sensitive document attachments.

Communication

  • Sent all‑staff advisory outlining signs of executive‑impersonation scams.

  • Circular issued on safe email practices.

Long‑Term Measures

  • Bi‑annual phishing simulations targeting executive‑impersonation.

  • DMARC policy published for the organization’s domain shifted from p=none to p=quarantine, so receiving mail systems (including our own inbound gateway) quarantine unauthenticated mail claiming to come from our domain.

  • Issuance of VPN accounts to team members.

Current Status

Resolved—no reported data breaches. Monitoring continues.

Lessons Learned

  • Executive impersonation remains high-risk; regular reminders and out-of-band verification of unusual requests are essential.

  • Gradual DMARC hardening (p=none → p=quarantine → p=reject) reduces the exact-domain spoofing surface. It does not stop lookalike domains such as the misspelled sender domain used here, which can publish their own SPF and DKIM records; those still depend on user vigilance and lookalike-domain monitoring.

March 2025

Incident Report: Spoofed University of Texas Site

We have been alerted to a spoofed University of Texas website hosted on a subdomain of the Global Citizenship Foundation (community.globalcitizenshipfoundation.org), which previously hosted our community site on the Heartbeat.Chat platform.

In response, we have coordinated with the Heartbeat Community team to restrict access to the compromised subdomain and have enhanced our IT security measures.

Spoofed University of Texas Subdomain

Incident Summary

On April 20, 2025, monitoring tools flagged unusual traffic patterns on our community subdomain (community.globalcitizenshipfoundation.org). Further investigation revealed a cloned University of Texas login portal hosted on this subdomain.

Timeline

  • Apr 20, 10:15 UTC – Automated alert for high-volume traffic to the dormant subdomain.

  • Apr 20, 13:26 UTC – Security team analysts confirm spoofed site using Heartbeat.Chat infrastructure.

  • Apr 20, 14:32 UTC – Access to affected subdomain suspended.

Detection

  • Anomaly detection via web traffic insights

Immediate Response

  1. Disabled the subdomain’s DNS entry and revoked the associated TLS certificates.

  2. Notified Heartbeat.Chat operations to quarantine the compromised container.

Communication

  • Internal alert broadcast to IT, Legal, and Communications teams.

  • Drafted public advisory for stakeholders.

Long‑Term Measures

  • Quarterly red‑team phishing and spoof drills.

  • Enhanced subdomain issuance policy.

  • Created the Threat Detection and Response Notification Center

Current Status

Closed—no further spoof sites detected.

Lessons Learned

  • Proactive domain and subdomain enumeration and audits are essential. A dormant subdomain whose DNS record still points at a third-party platform can be claimed by whoever registers the matching account on that platform, so decommissioning a service must include removing its DNS records.
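The audit that the Long-Term Measures and Lessons Learned above call for, written out as an added example. This is not GCF’s own tooling: the zone records, the subdomain inventory, the third-party hosting suffixes (example-saas.com stands in for any community or page-hosting platform) and the resolver answers are all constructed for the demonstration.

```python
"""Subdomain and dangling-DNS audit (added example, not GCF tooling).

Every record in a zone export is checked against the inventory kept under the
subdomain issuance policy, and every CNAME into a third-party platform is
checked for a decommissioned owner or a target that no longer resolves.
Zone, inventory, platform suffixes and resolver answers are constructed.
"""
import socket
from typing import Callable, Dict, List, Tuple

ORG = "globalcitizenshipfoundation.org"
# Assumed hosting-platform suffixes; the real list comes from each vendor's DNS docs.
THIRD_PARTY_SUFFIXES = (".communities.example-saas.com", ".pages.example-saas.com", ".gitbook.io")

# Constructed zone export: host -> (record type, target).
ZONE: Dict[str, Tuple[str, str]] = {
    f"www.{ORG}": ("A", "203.0.113.10"),
    f"community.{ORG}": ("CNAME", "gcf.communities.example-saas.com"),
    f"docs.{ORG}": ("CNAME", "gcf.gitbook.io"),
    f"old-events.{ORG}": ("CNAME", "gcf-events.pages.example-saas.com"),
}
# Constructed inventory from the issuance process; old-events was never registered.
INVENTORY: Dict[str, Dict[str, str]] = {
    f"www.{ORG}": {"owner": "IT", "status": "active"},
    f"community.{ORG}": {"owner": "Community team", "status": "decommissioned"},
    f"docs.{ORG}": {"owner": "Communications", "status": "active"},
}
# Constructed resolver answers: the community target still answers (someone else
# holds the platform account); the old-events target is gone, so anyone could claim it.
FAKE_DNS = {"gcf.communities.example-saas.com": True,
            "gcf.gitbook.io": True,
            "gcf-events.pages.example-saas.com": False}


def fake_resolve(name: str) -> bool:
    """Offline stand-in for DNS, driven by the constructed table above."""
    return FAKE_DNS.get(name, False)


def live_resolve(name: str) -> bool:
    """Production resolver: True if the name currently has any address record."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def audit(zone, inventory, resolve: Callable[[str], bool]) -> List[dict]:
    """Return one finding per policy or DNS problem, with the remediation to apply."""
    findings: List[dict] = []

    def add(host: str, issue: str, severity: str, action: str) -> None:
        findings.append({"host": host, "issue": issue, "severity": severity, "action": action})

    for host, (rtype, target) in sorted(zone.items()):
        entry = inventory.get(host)
        if entry is None:
            add(host, "NOT_IN_INVENTORY", "high",
                "register an owner under the issuance policy or delete the record")
        elif entry["status"] == "decommissioned":
            add(host, "DECOMMISSIONED_RECORD", "critical",
                "delete the record; if its target still answers, find out who controls it")
        # Only delegations to third-party platforms can be claimed by outsiders.
        if rtype == "CNAME" and target.endswith(THIRD_PARTY_SUFFIXES) and not resolve(target):
            add(host, "DANGLING_CNAME", "critical",
                f"target {target} does not resolve; delete the CNAME before it is claimed")
    return findings


if __name__ == "__main__":
    for f in audit(ZONE, INVENTORY, fake_resolve):
        print(f"{f['severity']:8} {f['issue']:22} {f['host']}: {f['action']}")
```

Run it with `live_resolve` against a real zone export to get current answers. A target that still resolves is not a clean result: for a decommissioned name it means someone holds the platform-side account, which is why the inventory check fires independently of the resolver check.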

Past

December 2023

Incident Report: Phishing Emails Impersonating Director-General Requesting Gift Card Purchases

Several staff members have reported receiving scam emails. These emails falsely claim to be from the Director-General and request that the recipient purchase gift cards.

Incident Summary

In early December 2023, an email impersonating the Director-General (DG) asked staff to discreetly purchase ten Apple iTunes gift cards and send images of the scratched codes, promising reimbursement later. The messages came from the external address officemail2579@mail.ru, using the DG’s name rather than an organization address.

Timeline

  • Nov 30, 14:15 UTC – First phishing email sent from officemail2579@mail.ru to a staff member, posing as the DG and requesting discreet handling.

  • Dec 8, 07:07 UTC – Employee finds the thread in spam and forwards to colleague for verification.

  • Dec 8, 07:56 UTC – Colleague confirms scam and reports to IT Security.

Detection

  • Proactive vigilance on the part of staff, who requested confirmation from the DG.

  • Request for gift cards to personal email, off-domain sender.

Immediate Response

  1. Blocklisted officemail2579@mail.ru.

  2. Issued an immediate “Do Not Purchase/Do Not Respond” alert to all staff.

  3. Adjusted spam-filter rules to quarantine similar messages.

Containment & Remediation

  • Reviewed mail logs to confirm no other staff followed through.

  • Performed a quick scan of inboxes for similar malicious messages.

  • Enforced warning banners on external emails that impersonate internal senders.

Communication

  • Sent an all-staff advisory detailing the phishing tactic and red flags.

  • Shared an information circular on recognizing thread-hijack phishing (Dec 9).

Long-Term Measures

  • Updated the phishing simulation program to include thread-continuation and gift-card scenarios.

  • Updated our Purchasing and Procurement policy and procedures.

Current Status

Resolved—no financial losses reported, and no further similar emails detected after filter updates.

Lessons Learned

  • Thread hijacking and delayed requests can bypass conventional urgency filters.

  • Clear purchasing policies and multi-step verification stop unauthorized purchases.

Recommended Actions

  1. Do Not Respond: Staff should not reply to or interact with these emails.

  2. Report: Forward any suspicious emails immediately to IT Security.

  3. Awareness: Encourage staff to verify any unusual requests from senior management through official channels.

Ensure all personnel are aware of this phishing attempt to prevent any potential financial loss. Stay alert and report any suspicious email. PLEASE DO NOT OPEN ANY LINKS.
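The detection signals named in the January 2025 report (gateway SPF/DKIM anomalies, a misspelled sender domain, urgent personal-data wording) and in the December 2023 report (an off-domain webmail sender using the DG’s name, a gift-card request) combined into one triage rule, as an added example. This is not GCF’s gateway configuration; the executive display names and the three sample messages are constructed, modelled on the reports rather than copied from the real emails.

```python
"""Email triage for executive-impersonation phishing (added example, not GCF tooling).

Scores a message on the gateway's SPF/DKIM/DMARC verdicts, a From domain that
misspells the organization's domain or is unrelated webmail, an executive's name
in the display name, and urgent personal-data or gift-card wording.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "globalcitizenshipfoundation.org"
EXEC_DISPLAY_NAMES = ("director-general", "director general")  # assumed; use real names
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|asap|right away)\b", re.I)
PERSONAL_DATA = re.compile(
    r"\b(personal (data|information|details)|passport|bank details|id card|date of birth)\b", re.I)
GIFT_CARD = re.compile(r"\b(gift ?cards?|itunes|google play|scratch(ed)? codes?)\b", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; 1 or 2 against ORG_DOMAIN catches dropped or swapped letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def auth_results(msg) -> dict:
    """spf/dkim/dmarc verdicts as written by the gateway into Authentication-Results."""
    hdr = msg.get("Authentication-Results", "")
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I)}


def body_text(msg) -> str:
    """Concatenate the text/plain parts; walk() yields the message itself when single-part."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw: str) -> dict:
    """Score one RFC 5322 message; three or more points sends it to quarantine."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    hits = []  # (reason, weight)
    for mech, verdict in auth_results(msg).items():
        if verdict != "pass":  # none, fail and softfail all count
            hits.append((f"{mech}={verdict}", 1))
    if domain != ORG_DOMAIN:
        if levenshtein(domain, ORG_DOMAIN) <= 2:
            hits.append((f"lookalike domain {domain}", 3))
        if any(e in name.lower() for e in EXEC_DISPLAY_NAMES):
            hits.append((f"executive display name from off-domain {domain}", 3))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != domain:
        hits.append(("reply-to domain differs from From", 1))
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    if URGENCY.search(text) and PERSONAL_DATA.search(text):
        hits.append(("urgent personal-data request", 2))
    if GIFT_CARD.search(text):
        hits.append(("gift-card purchase request", 2))
    score = sum(w for _, w in hits)
    return {"verdict": "quarantine" if score >= 3 else "deliver",
            "score": score, "reasons": [r for r, _ in hits]}


# Constructed samples modelled on the two reports, not the real messages.
SPOOF_LOOKALIKE = """\
From: "Director-General" <dg@globalcitizenshipfoundatoin.org>
Subject: URGENT: internal audit
Authentication-Results: mx.example.org; spf=none smtp.mailfrom=globalcitizenshipfoundatoin.org; dkim=none; dmarc=none header.from=globalcitizenshipfoundatoin.org

Please send your passport scan and bank details immediately for the internal audit.
"""
GIFT_CARD_SCAM = """\
From: "Director-General" <officemail2579@mail.ru>
Subject: Are you available?
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mail.ru; dkim=pass header.d=mail.ru; dmarc=pass header.from=mail.ru

I need you to discreetly purchase ten Apple iTunes gift cards for a client and
send me photos of the scratched codes. I will reimburse you later.
"""
LEGITIMATE = """\
From: "Director-General" <dg@globalcitizenshipfoundation.org>
Subject: Thursday all-staff meeting
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=globalcitizenshipfoundation.org; dkim=pass header.d=globalcitizenshipfoundation.org; dmarc=pass header.from=globalcitizenshipfoundation.org

The all-staff meeting moves to 10:00 on Thursday.
"""

if __name__ == "__main__":
    for sample in (SPOOF_LOOKALIKE, GIFT_CARD_SCAM, LEGITIMATE):
        print(triage(sample))
```

The gift-card sample passes SPF, DKIM and DMARC because mail.ru really did send it; authentication verifies the sending domain, not the person, so the display-name and content checks carry the weight there. The lookalike sample fails authentication only because that particular misspelled domain published no records; an attacker who registers a lookalike can publish its own SPF and DKIM, which is why the edit-distance check is scored on its own rather than folded into the authentication result.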
