Universities across the world are facing a slew of phishing scams, with both students and staff falling victim to spammers who trick individuals into divulging personal information, mainly university web mail usernames and passwords.
Steve Hillman, Simon Fraser University IT architect, said phishing is an attempt to get people’s usernames and passwords to access their systems and can take on different forms.
“Banking phishing go after banking accounts and passwords, [ . . . ] same with credit cards. With universities in general, they’re just after your email account so that they can then use your email account to send out spam,” he said.
Hillman said that universities are often the targets of phishing operations because they usually have vast email systems, large data pipes and little restrictions on outbound mail, and thus can send out thousands of messages very quickly.
“They can tailor the message to be relatively generic, but to the average student, and even staff, it looks official enough that they will be duped into responding to it,” said Hillman.
“On a particular phishing blast they might get half a dozen or a dozen replies that are legitimate and then they’ll sit on them for a while, up to many months, and then they’ll send out a blast of spam and then they’ll never use the account again.”
Ken De Cruyenaere, University of Manitoba computer security coordinator said phishing attempts are a daily occurrence at the U of M, and that, within the past month or so, there have been a few cases where both staff and students have replied to the emails with their personal information.
He said that sometimes within minutes the compromised account is logged into and used to send spam to thousands of web mail users.
In order to prevent mass amounts of university accounts being spammed, university IT departments have a number of measures put in place, including spam filters and limits on the number of emails an account can send out in a certain time period.
“We have spam bulk mail filtering, and if something looks like bulk mail we let the first 99 get delivered and then we start blocking it after that,” said De Cruyenaere at the U of M.
“If it’s coming from a University of Manitoba account, then there is no blocking. That’s why it gets painful if a university account starts spamming the university. It gets sent to potentially thousands of U of M IDs, instead of just 100.”
He said that web mail accounts cannot send more than a certain number of emails — a number he did not want to specify — in an hour or it is temporarily blocked, at which point steps are taken to determine whether the emails are legitimate or not.
“Most of the time it turns out to be some broken account that’s logged into from Nigeria, usually,” but others have come from Israel and China.
De Cruyenaere said that an account is shut down once it is confirmed that it is spamming.
Hillman said that when SFU introduced a new emailing system, there was no mechanism in place to restrict the number of emails sent per day.
During this time, a number of email accounts were compromised and, without restrictions in place, sent enough spam to lead the university to being blacklisted.
According to Hillman, there are a number of sites on the Internet that monitor for spam being sent out. If these sites detect too much spam from a particular source, it is put on a list as an undependable source of mail. Other sites can choose to follow this “blacklist,” and, if they receive mail from any of the listed sites, they can choose to reject it.
“In one case, we were blacklisted from Hotmail, which actually set up lots of nasty email loops. [ . . . ] It took us several days to clean that mess up and for a while there were a lot of people not receiving their mail,” said Hillman.
He said that since limits on emails sent were put in place, the university has not been blacklisted.
Hillman said that this week a phishing message was sent to the university that instead of asking people to respond by email, directed them to a website to log in.
“Luckily the website didn’t look like our own centralized authentication site so it was relatively easy to tell it was a phishing attempt,” said Hillman.
He said that other universities have reported phishing messages that have directed users to more convincing university login pages, making it even more difficult for an unsuspecting user.
De Cruyenaere said that no legitimate organization would ask for your username and password.
According to Hillman, phishing emails are so widespread that “pretty much every university has had to deal with it in one way or another.”
“It’s a booming market, it’s well organized and in many cases it’s several steps ahead of the security experts who are trying to crack down on it,” said Hillman.
“It’s one of those things like spam itself. It’s just a part of doing business on the Internet.”
