Members of the Quinnipiac community were attacked via e-mail on Jan. 26 when a spear-phishing attack targeted the Quinnipiac network. The e-mail fraud scam went out to more than 100 inboxes.
Brian Kelly, director of information security and network operations, has the job of keeping the Quinnipiac network information safe from scams and hacking.
“This one and the more recent ones are getting more specific,” Kelly said. “They’re doing their homework.”
Phishing, according to SearchSecurity.com, is an e-mail scam conducted for the purposes of information or identity theft. The incident on Jan. 26 was a spear-phishing attack that also could have effected colleges in the surrounding area such as Yale University or Wesleyan University.
“While the full number is not known, my rationale is that I would rather stop it and fix it,” Kelly said. “The time spent figuring out how widespread it is, is wasting time to retaliate.”
Kelly has filters set up to catch phishing attacks, but this time it was a Computer Help Desk Student Technology Academic Resource (STAR) employee who received the e-mail and forwarded it to Kelly. Example of such fraudulent e-mails can be found at MyQ in the “Phishing Aquarium,” which was set up as an awareness vehicle.
So far this academic year, Quinnipiac has received a half-dozen phishing attacks targetted specifically for .edu e-mail addresses. In addition, there were several dozen attacks that were not targeted. Attacks in October dealt with Facebook, PayPal and banking accounts.
“Phishing is an attack mechanism that’s everywhere, even Twitter,” Kelly said.
According to Kelly, the “bad guys” have gotten lazy, but the phishing statistics have increased. Previously, complicated scripts would have to be written, but now they are simply asking for one’s information.
Kelly maintains in his e-mail signature that “QU IT will never ask for your password via e-mail. Don’t share your password with anyone!”
“We try to put it everywhere,” Kelly said. “Specifically for QU, no one will ever ask you for your password. Passwords are like toothbrushes, they shouldn’t be shared. It’s hard to educate people.”
If one does respond with his or her credentials, “the bad guys” log in with those credentials and start sending more spam from that address. The account will start sending about 5,000 e-mails a second instead of the usual couple messages an hour.
“I’d rather get 1,000 messages a day than to have one student fall for it,” Kelly said.
If the response does go through, Kelly advises to change the compromised password immediately. There is a password reset link available on MyQ. If that same password is used for other sites, those should be considered compromised and changed as well.
According to Kelly, phishing scams are likely to surface right after breaks. Quinnipiac got hit badly in September and seems to get hit right after spring/holiday breaks. They also often come at the beginning of a semester because it is a moment that is hectic for everyone and students get a lot of e-mails from professors at that time.
Contact Kelly at [email protected] or 203-582-3625 if an e-mail looks suspicious.