Office of the Vice President for Global Communications

Friday, March 12, 2010

Phishing attack aimed at university e-mail accounts

A new type of sophisticated — and convincing — malicious e-mail attack has targeted university accounts.

Anti-phishing assistance

The university offers guidance for faculty and staff who create e-mails that include links to forms or Web sites that ask for personal information (surveys, for example).
Click here for guidelines that
demonstrate better e-mail security practices.
Click here to view a sample of the phishing message sent to some U-M e-mail accounts.

Twice this academic year (Oct. 29 and Feb. 8) some U-M e-mail users have received a message that includes a logo associated with a real, although former, U-M organization. Known as phishing, such attacks are employed by scammers in an attempt to gather personal information from users.

Anyone receiving an e-mail that looks suspicious is asked to go to safecomputing.umich.edu/main/phishing_alerts/ for the latest list of phishing messages sent to university e-mail accounts, or contact useradvocate@umich.edu.

“This message attracted responses from at least 30 users and possibly others we don’t know about. We contacted those we could identify to alert them it was a scam,” says Will Rhee, one of the university’s user advocates. “Not everyone who responded gave away their real password.”

Besides using the old Information Technology Central Services logo, this e-mail also employed a convincing re-direction: any user who did click the link was directed to an exact duplication of U-M’s authentication page. After entering a username and password — which was captured — the user was then redirected to U-M’s real page, as though the information had perhaps been mistyped.

This latest attack demonstrates how cyber-criminals are looking for fresh and new ways to scam users, Information and Technology Services officials say.

“We can’t say it enough — users must be careful about what they click on,” Rhee says. “Some people may feel like they don’t have much of value to protect in their e-mail, file space, or on their personal computer. However, stolen passwords are valuable because they are used to leverage U-M computing resources to facilitate crimes.

“Your uniqname and password unlock access to networked resources that criminals want (e-mail, storage, network bandwidth, central processing unit, etc.) in order to be able to commit crimes and obfuscate who is responsible.”

According to the February RSA Online Fraud Report, phishing attacks against public colleges and universities have increased in 2010 compared with 2009.

The report suggests that student accounts are widely targeted because, “Compromised webmail accounts may give phishers another foothold in students’ personal computers, since compared with other unsolicited e-mail content, spam e-mails would gain credibility when coming from peers, especially if messages are sent from a university webmail address.”