
Campus battles multiple phishing attacks

August 27, 2012 12:00AM

The word “fishing” normally brings to mind happy thoughts of relaxing days spent on the lake with family and friends, but for members of PSU’s OIS teams the word has a completely different meaning and a slightly different spelling.

“It’s phishing with a ‘ph’ and it’s one of the most disruptive things that can happen to an institution’s electronically provided services,” said Tim Pearson, assistant director of information services. “It’s a scam by people who want to get your password to one or more of the electronic systems you have access to.”

Most commonly, the scam reaches its victims through e-mail, but it could be a fake telephone call or, in extreme cases, a personal visit from a stranger pretending to be someone they aren’t. However they do it, once the bad guys have your password, the harm they do is limited only by the systems they now have access to.

“One nefarious group we’ve been hearing a lot from recently consists of phishermen trying to gain access to your e-mail account to send spam to thousands of people, using your name,” said Pearson.

Here’s how an attack via e-mail normally works: You receive an e-mail from someone posing as a member of the university’s IT department. The e-mail informs you that your mailbox is oversized or not working properly, and asks you to provide your e-mail address and password. Once the scam artist gets your password, they begin to send tens of thousands of spam e-mails to people all across the world, and every one of those spam messages has your name attached to it.

Over the past few weeks, Pittsburg State faculty and staff have seen thousands of these types of e-mails hit their inboxes.

“With only minor re-wording, these phishing e-mails could ask you for log-in information to much more sensitive and potentially damaging systems,” explained Pearson. “Even with all the disruption it’s caused, we’re actually fortunate that the phishing attacks we’ve been seeing lately have been limited to attacks against e-mail accounts and not payroll or student records.”

Although most people have recognized the e-mails as spam and deleted them, the spammers have successfully gotten five people to provide their e-mail passwords.

“These five accounts have generated tens of thousands of spam e-mails to contacts throughout the world,” Pearson explained. “Recipients initially accept this spam because it is from a ‘trusted’ source, but soon, the receiving systems identify the spam attack and simply reject any e-mails from the originating site. In our case that is Pittsburg State.”

The end result is that e-mail from any Pitt State account is “blacklisted.” These blacklists are shared by tens of thousands of companies and institutions in the worldwide fight against spam.

“We use two such worldwide blacklists as part of the anti-spam defenses protecting PSU,” said Pearson.

The offender remains on the blacklist for a set period of time, or in some cases, until a request for removal is received and processed by the blacklist provider. This makes legitimate business communication nearly impossible for offices such as Career Services.

“It’s really been a difficult few weeks for us,” said David Hogard, assistant director. “Many of our e-mails have been returned because businesses have listed them as possible spam. Thankfully we have personal relationships with many of these corporations and are able to have our e-mail servers removed from the list, but it’s a time consuming process. I have a new-found appreciation for the need for IT security.”

Although spam filters help, Pearson says the best way to avoid becoming a victim of these “phishermen” is to simply ignore any e-mail that asks for any personal information. He asks that people be similarly cautious and protective when receiving telephone calls or even visits from people they don’t know.

“We will never send you an e-mail that asks for your password,” he explained. “Never e-mail your personal information or click on an e-mail link that asks you to enter this type of information. If you have any questions about something, call us, and if you think you’re being ‘phished,’ send us the suspect e-mail. When it comes to data protection in general and e-mail in particular, a little skepticism is a good thing.”

©2012 Pittsburg State University