Colleges Are Targets of E-Mail Scam

April 04, 2008

An e-mail scam has hit thousands of users at dozens of colleges over the past few weeks, leaving network administrators scrambling to respond before campus computer accounts are taken over by spammers.

Students, professors, and staff members at the affected colleges received e-mail messages that purport to come from the colleges' help desks, asking users to reply with their log-in and password, and in some cases other personal information including birth date.

But the messages actually come from malicious hackers who use the information to send spam messages from the accounts. And administrators worry that the compromised accounts could be used to do further damage to the university networks.

The attacks are "pretty broad" across higher education, says Douglas Pearson, technical director of the Research and Education Networking Information Sharing and Analysis Center at Indiana University at Bloomington. "And it seems to be growing."

At Indiana University, thousands of the scam messages recently started hitting the campus network each day, says Nate Johnson, lead security engineer for the university.

"We had one incident in the past week where within four minutes of the user disclosing their password, the attacker had managed to launch off 10,000 spam messages," says Mr. Johnson. "We contacted the users, they changed their pass phrases, and the hackers no longer had access to the accounts."

Phishing New Waters

The type of attack is known as phishing. In the past, most phishing e-mail messages pretended to come from banks, from eBay, or from the online payment service PayPal. Some college officials say that this year is the first time they have seen phishing schemes that pretend to be sent from college IT departments.

At North Carolina State University, some 2,600 users received the targeted phishing messages in January. What's worse, the bogus messages started appearing just as the university's technology staff was switching to a new campuswide e-mail system.

"This couldn't have come at a worse time," says Tim S. Gurganus, an IT-security officer at the university, noting that some users might have expected a note from administrators regarding the e-mail changeover.

The messages were not riddled with grammatical errors, as some earlier phishing messages were. One of the messages read: "We are currently upgrading our data base and e-mail account center ... Warning!!! Account owner that refuses to update his or her account within Seven days of receiving this warning will lose his or her account permanently."

In the first days of the attack at North Carolina State, about 40 users responded, presumably falling for the scam, says Mr. Gurganus. At least three of those accounts were quickly used by the attackers to send hundreds of spam messages, including more copies of the phishing message. The sudden burst of e-mail coming from the three e-mail accounts set off scanning programs used to monitor the campus network for suspicious activity, and within about an hour, campus administrators disabled the accounts and told the users to change their passwords, he says.

The university then sent a warning message to all campus users alerting them not to give their username and password to anyone via e-mail.

Mr. Gurganus also sent a message to an e-mail list for campus-security administrators asking whether others had encountered the problem, and he learned that North Carolina State was not alone.

"I got responses from 20 different universities saying they'd seen similar stuff," he says. "I think they started with bigger ones, like the state universities, and now they're going after the smaller schools," including community colleges, he adds.

Spreading the Word

Campus officials have been trading advice with colleagues on several campus-security e-mail lists as they work to try to stop the messages from coming in. But that can be tricky because the messages do not contain suspicious key words—like "Viagra" or "mortgages"—that are common in spam messages that colleges routinely block.

So colleges have also been renewing their efforts to educate campus users that if you get an urgent e-mail message asking for your password, just delete it.

Aware that it can be hard to get the attention of students, administrators at Louisiana State University at Baton Rouge have tried to use humor to get that message across. In a public-awareness campaign that recently won a national award, the university has published a poster featuring a cartoon character named Tad who replies to a phishing e-mail.

Pictures of fish are shown falling on Tad as he crouches under a table. "Tad may as well have shouted his personal information to the world," the poster says. The campaign's motto: "Don't be a Tad."