Phishing scam blacklists University’s domain
An aggressive phishing campaign successfully attacked about 36 University email accounts within the last month, and CITES specialists said many other accounts may have been compromised.
“It’s the worst scam I’ve seen since I started in 2005,” said Brian Mertz, chief communications officer at CITES. “This campaign is particularly aggressive.”
In the latest string of attacks, hackers have targeted University students through “lures” that scare students into giving away sensitive information like their email passwords. With that information, hackers use the University accounts to spam others.
“(Hackers will) tell you you won’t have your email account anymore,” Mertz said. “Or they’ll tell you to update your bank account information for security reasons.”
Hackers spam randomly generated lists of email addresses, some of which are made up. These fake addresses cause thousands of messages to bounce back to the inbox of the hacked email account. As a result of the amount of spam coming from University email accounts, many University email addresses have been blacklisted, or blocked from sending emails, by several companies that provide spam control services.
“Spammers aren’t trying to figure out if it’s a real email address or not,” said Cindy Yewdall-Thackeray, senior security outreach specialist for CITES. “They’re just hoping one of them works.”
Out of the hundreds of thousands of emails spammed, only a few need to fall for the phish email for the campaign to be successful, Yewdall-Thackeray said.
The hackers are able to access emails through tools like the Illinois online directory, in addition to using randomly generated lists.
The phishing emails vary in appearance and type of information requested. One of the most recent phishing emails sent to illinois.edu addresses appeared to be from Barclays bank and asked users for sensitive banking information.
Ross Wolf, a senior in Engineering, said having passwords that are different and complex won’t guarantee safety for a person’s account, but it helps. Wolf interned over the summer for MITRE, a non-profit organization that conducts cyber security research for the government.
Hackers guess different combinations of commonly used words in passwords, a method often referred to as a dictionary attack. Wolf said this is why it is important to vary passwords by using capital and lowercase letters, symbols and numbers.
He also said not reusing passwords across accounts is another layer of protection users can add.
“Don’t reuse passwords for accounts, particularly any that have sensitive information,” Wolf said.
Users who have multiple accounts may have trouble remembering a lot of different passwords for each account. To help with this, Wolf said people can either practice typing it multiple times or can make a password out of a sentence.
He suggested using a sentence such as “four Horses walked in to a bar and ordered Beer,” because 4Hwi2ab&oB would be an effective password and not difficult for the user to remember.
No matter how complex the password is, Mertz said people should not be so quick to give sensitive information away.
“People should be guarding their passwords much more closely than they are right now,” he said.
Janelle can be reached at firstname.lastname@example.org.