SecurityFocus, 2008-02-01
Online fraudsters have put college students in their sights.
In an ongoing attack, students and faculty at nearly a dozen universities and colleges have been targeted by phishing e-mails since the middle of January. The e-mail messages masquerade as missives from each school's help desk, asking that the student confirm their username and password as well as requesting more personal information, including date of birth and country of origin.
The attacks, which appear to have started as early as January 20 and are ongoing, have targeted a few thousand e-mail addresses at each school, according to reports posted to two security mailing lists used by school information-technology professionals.
"The attacks are fairly widespread (with)in U.S. .edu," Douglas Pearson, technical director of the Research and Education Network (REN) Information Sharing and Analysis Center (ISAC), stated in an e-mail interview. "We've seen large, small, public, and private institutions attacked."
Schools targeted include Columbia University, Duke University, Princeton University, Purdue University, and the University of Notre Dame. The e-mail accounts of students and faculty that fall prey to the fraud are used, in most cases, to send out further spam as part of a lottery scam, Pearson and IT administrators stated. The attack may have already hit European schools earlier in the month, one university IT administrator stated on a security mailing list.
The lottery scam, also known as a Nigerian advance-fee scam, offers the victim an extremely large sum of money if the victim first sends a smaller amount to the fraudster. In reality, the group running the scam keeps asking the victim for more money while delaying the promised payoff. The con is also known as a 419 scam, after the section of the Nigerian criminal code that it violates.
Some victims of the scam continue to send increasing sums of money, in hopes of getting back the funds that they have already sent. In 2004, a financial analyst stole more than AU$1 million from his clients, paying increasing amounts of money to the fraudsters in hopes of correcting his original mistake. The scams have also reportedly been used to fund terrorist groups.
In the latest phishing scam, the e-mail message, of which there are a few variations, carries the subject line "VERIFY YOUR (address) EMAIL ACCOUNT NOW" and tells recipients that the school is deleting unused e-mail accounts. The targeted addresses include those of students and faculty as well as "functional" addresses that don't correspond to a particular person, according to a Princeton University official. The message asks the recipient to reply to the e-mail with their username, password, date of birth and country of origin. The message's Reply-To address is forged so that the reply appears to go to the specific school's help desk or information services department.
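As an added illustration that is not part of the article, the following Python check flags the three indicators the article describes in a message: a Reply-To whose domain differs from the From domain, an account-verification subject line, and a body asking the recipient to reply with credentials. The sample messages, addresses and domains are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed samples (not from the article) mimicking the described campaign:
# a From that looks like a campus help desk, a Reply-To at an unrelated domain,
# and a body asking the recipient to reply with account details.
PHISH = """From: Help Desk <helpdesk@example.edu>
Reply-To: helpdesk.verify@webmail-example.test
Subject: VERIFY YOUR example.edu EMAIL ACCOUNT NOW
To: student@example.edu

Unused accounts are being deleted. Reply with your username, password,
date of birth and country of origin to keep your account.
"""

LEGIT = """From: IT Notices <it-notices@example.edu>
Reply-To: it-notices@example.edu
Subject: Scheduled mail server maintenance
To: student@example.edu

Mail will be unavailable Saturday 02:00-04:00. We will never ask for your password.
"""

CREDENTIAL_WORDS = ("username", "password", "date of birth", "country of origin")
SUBJECT_RE = re.compile(r"verify your .*account", re.IGNORECASE)

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def phish_indicators(raw):
    """Return the list of described indicators that a raw RFC 5322 message matches."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content().lower()
    found = []
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        found.append("Reply-To domain differs from From domain")
    if SUBJECT_RE.search(msg["Subject"] or ""):
        found.append("account-verification subject line")
    asked = [w for w in CREDENTIAL_WORDS if w in body]
    if "reply" in body and "password" in asked:
        found.append("asks for credentials by reply: " + ", ".join(asked))
    return found

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, phish_indicators(raw))
```

A legitimate notice that mentions passwords but does not ask for a reply containing one produces no indicators, which is the distinction the check is built around.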
At Princeton University, fewer than a dozen people fell prey to the original e-mail scam, sending their usernames and passwords to the fraudsters, a representative of the university told SecurityFocus. The Office of Information Technology blocked the compromised accounts from sending spam and contacted the affected students.
"From our end, we were pretty fast about getting the problem fixed and preventing other things from happening," said Emily Aronson, a spokeswoman for Princeton University.
Suggesting that the phishing scam was not just about sending out spam, the university blocked a request to the school's human resources database to change the name of one victim. The request was issued from a computer belonging to a domain registered to Nigeria, a Princeton IT administrator stated.
A warning posted to the Educause security mailing list by a member of the University of Cincinnati's information services stated that a large proportion of their students fell for the attack.
Phishing attacks targeted at a specific subset of people, while fairly common in the corporate world and against banking customers, have not often been used against students. Princeton and other schools sent out warnings to their students and faculty about the attacks and stressed that users should never give out sensitive information or passwords to other people.
"The best defense against this kind of attack is a continuing awareness program," stated one IT administrator on the UniSOG mailing list. "Having said that, we all know that users are a notorious weak link, and this kind of attack will continue to be successful."
The academic network response group, REN-ISAC, called for schools to use its notification system to send information about the incidents to other institutions.
"REN-ISAC members have shared, in our private trust community, a number of other practical responses," Pearson said. "We don't encourage public discussion of specific responses because that's a useful feedback loop for the miscreants. We do suggest that university security teams join REN-ISAC in order to participate in the sensitive information sharing."
UPDATE: The article was updated with additional information on the attack, including that faculty, as well as students, have been targeted.