The Observer, April 4, 2008
Volume XL, Issue 23
Students fall victim to massive phishing scheme
The Internet has become a convenient way to handle many daily activities, like banking, paying bills, or purchasing tickets to the ball game, but in the process, sensitive information, including credit card numbers and social security numbers, is vulnerable.
Lately, there has been an increase in "phishing" scams, in which malicious users attempt to gain valuable information. Phishing attacks are attempts to gain sensitive information by sending e-mail messages that appear to come from legitimate companies or individuals.
The e-mail messages may ask to verify account information for any number of reasons. In the process, the recipient is asked for guarded information such as usernames, passwords, birthdates, social security numbers, and account numbers.
"Almost no reputable enterprise will ever ask you for such information over e-mail," explained Rob Kinsey of the Student Affairs IT Operations Group. Rather, most sensitive material is requested either through regular postal mail or over the phone. "Maintain a healthy skepticism with e-mail; treat all messages as junk mail unless proven otherwise," said Kinsey.
On March 5, Case Western Reserve University was affected by one of these scams. Random students and faculty members became victims of what is called a "spear phish" attack, a more severe form of a phishing scam. A spear phish attack targets a select group of individuals and appears to come from someone with whom the recipient is familiar.
The one-day attack occurred at approximately 4 p.m. and was traced to Texas A&M University. A remote computer that was logged onto the Texas A&M University server through VPN attempted to robotically send thousands of e-mail messages to random members of the Case Western community. The e-mail message appeared to come from the university help desk.
The message, which said it was sent to all Case e-mail account owners, stated that the messaging center was upgrading the database and e-mail account center. All unused Case e-mail accounts would be deleted to create more space for new accounts. If users did not update their information by responding to the spear phish e-mail, the user's account would be terminated. The user was asked to verify personal information including username, password, date of birth, and country of birth.
Within five minutes after the first e-mail was sent, Kinsey received two phone calls and an e-mail reporting the spear phish attack. With this information, he was able to decrease the amount of harm that the fraud could have actually caused. Kinsey reported the attack by sending an e-mail to Student Affairs. By 4:50 p.m., the help desk had posted a message on their blog informing users of the situation. They also provided information on changing passwords for anyone who had succumbed to the fraudulent user's requests.
With the help of the Texas A&M University help desk, the scam was traced to a remote computer that reportedly belonged to a faculty member who was on sabbatical. Most likely, Kinsey said, the faculty member's computer was compromised, which resulted in such messages being sent. After tracing the e-mail log, the Texas A&M University help desk discovered that thousands of e-mails contained an erroneous "x" at the end of the e-mail address, which then read as "casex.edu." As such, thousands of e-mails were never delivered.
If the person who was attempting to maliciously gain such information had been successful, he or she could have caused serious damage, especially on the Case network. A username and password are treated like an electronic signature on many Case Western websites to verify a user's identity. Within student affairs alone, they are used on more than 100 different forms. Additionally, if somebody gained access to a Case username and password, that person could send more spam messages to other Case users.
If an employee's information was leaked, the malicious person could alter employee hours worked, or preferences for certain benefits. Professor accounts are linked to Blackboard sites, so student grades could be altered or sensitive information, such as answer keys to tests, could be released.
Faculty, staff, and students are encouraged to keep their computer antivirus programs up to date, using the various software available to students through Case Western's network. Further assistance is available on the ITS website at http://securityaware.case.edu. The site features tips to protect against various attacks, including phishing scams.
To avoid future phishing scams, it is important to not click on any links within a suspicious e-mail message. If you fell victim to this or other attacks and your password has been compromised, you can change it at https://its-services.case.edu/my-case-identity/password/change/.





