There have been 37 successful phishing attacks in the past year sent to Quinnipiac University e-mail addresses to con users for information or identity theft reasons. The most recent attack occurred over Labor Day weekend. At least one account, a professor’s, is known to have been compromised.
Director of Network Operations and Information Security Brian Kelly was notified of the attack late Sunday, Sept. 5, and has since determined it as a spear-phishing attack–a type of e-mail fraud which specifically targets an organization.
“From a security standpoint, it’s clear these people took time to research and put thought behind it,” Kelly said.
This particular attack was sent with the subject line “Dear Quinnipiac University Webmail User,” and even though the sending e-mail address was from an att.net server, the sender was identified in the “From” line as Quinnipiac University. The address for Quinnipiac’s Mount Carmel campus was included on the bottom of the e-mail, along with a working URL which if clicked, opened a user login screen for Microsoft Outlook. The exact message that appeared in Quinnipiac inboxes is now posted on MyQ’s Phishing Aquarium, a site dedicated to helping the Quinnipiac community determine if an e-mail is “phish or legit.”
“No matter how legitimate the e-mail looks or how well written the message is, even if you know the source, even if it’s your mother, the message I’d like to get out is you should never send your ID and password,” Kelly said. “You should always be suspicious. Every day there is someone out there trying to scam the world.”
AOL was the Internet Service Provider (ISP) which notified Quinnipiac of the most recent attack.
According to Kelly, he gets a message from an ISP notifying him their customers are receiving spam from the Quinnipiac ISP.
“AOL and Gmail are really good at sending a lot of information with even the original spamming message,” Kelly said.
Because the professor’s account was compromised on Sunday, by Monday Quinnipiac addresses were already on a “blacklist” for AOL. Blacklisting is when legitimate e-mails get blocked as a result of these attacks.
“When this happens, when credentials are compromised, QU in effect becomes a spammer. Our addresses then get blocked because the fight against spam is global,” Kelly said.
The Help Desk received calls from students early in the week that their e-mails were coming back from servers such as AOL.
“It’s a direct impact on the community,” Kelly said. “Even though you didn’t respond you might be impacted because you can’t send out e-mails.”
Quinnipiac remains on such a blacklist until they take action by determining the owner of the @quinnipiac.edu address and disable it to conduct preventive maintenance.
Though the number of accounts that received the latest phishing e-mail is not yet available, according to Kelly, the spammers generally reach “a good portion,” meaning a couple thousand Quinnipiac users.
According to Kelly, a university such as Quinnipiac is targeted for reasons that are two-fold. First, the spammers can log in with the compromised account and send spam to even more accounts across the world. Second, students have access to expensive databases for which Quinnipiac pays annual fees. To those who do not have such access, it becomes highly coveted.
As soon as Kelly and his team of information security officers know about the attacks, blocks are put in place to stop people from responding. They block anything going back out of the enterprise with the specific subject line that came in as a phish.
“We try to block responses but we can only block what we know about,” Kelly said. “There is some lag time between detection of the attack and trying to stop it.”
To decrease that time, they are experimenting to get better at internal detecting of phishing attacks by examining how many e-mails the average Quinnipiac student sends per minute, and per day. When accounts are compromised, the spammers log into the account immediately and start sending a couple thousand e-mails out in a few minutes.
“There is some legwork until we understand this,” Kelly said, “but the hope is to limit the damage of other places blocking us.”
Another of his initiatives is to remove Quinnipiac e-mail addresses from the public Quinnipiac website’s directory. Student, faculty and staff e-mail addresses are available on this site to anyone who searches for them.
“I’d just like to see if students really use it, if its useful,” Kelly said. “If not, their removal may cut down on student attacks that receive messages and cut down on the opportunities to respond to one.”
For Quinnipiac, last October and July were the months the most phishing attacks occurred. While most months see fewer than two attacks, July and October both reached at least 10. There were also increases in attacks on long weekends, and at the beginning and end of semesters.
“The bad guys are putting thought into understanding patterns of the academic year,” Kelly said. “The better the spam e-mails are written, the more successful the attack is. People are busy. They notice it’s from Quinnipiac, and the better written it is, the higher probability there is that people will answer.”
October is National Cyber Security Month. Kelly is planning events on campus to raise awareness for what the Quinnipiac community can do to detect future phishing attacks even earlier.
“Trying to get people to look at an e-mail and detect good from bad is a losing battle,” Kelly said.
To fight this, he will be highlighting a lot of material from staysafeonline.org, a resource website committed to cyber security.
“Think about your day and how many sites you log into only protected by user names and passwords,” Kelly said.
“I always worry that people tend to use the same password everywhere. Would the bad guys then try to get into our Facebook account or bank account with the same credentials? I only say that to get across why people should care.”
