Phishing scams target Laf emails

Lafayette email accounts have fallen victim to multiple phishing scams over the past couple of months because Lafayette community members gave out their usernames and passwords through links in emails sent by unauthorized senders.

The scams prompted Information Technology Services to send an email informing the campus community about the compromised accounts and urging them to change their passwords frequently to avoid becoming victims of further phishing scams.

“Over the past few weeks, a number of Lafayette email accounts have been ‘phished,’” an email from Vice President and Chief Information Officer John O’Keefe read. “If you receive a message asking you to submit this information to a web form, delete it immediately.”

Phishing is when a hacker entices a recipient to enter their email address and password, and sometimes account information as well, by posing as a school or workplace’s IT help desk. The message asks the user to change his or her password through a link provided in the email. Once the hacker has the username and password, they are able to log in to the account and send spam from it.

In this case, Lafayette Zimbra accounts received emails from phishers who asked for their usernames and passwords. Once the phishers had collected enough email IDs and passwords, they went into the accounts and sent spam from those accounts.

It is unknown how many accounts were phished during the time the scams occurred.

“It appears that this is a persistent threat, where someone harvested – we don’t know how many – but a number of credentials,” Systems Administrator Nathan Lager said. “So, there must’ve been some campaign in the past, some phishing campaign, that got past our filter…now they’re coming back and using these credentials to try to do nasty things.”

The effects of being phished are not always immediate. Sometimes multiple accounts’ credentials are collected in one sweep, but a phisher may leave some of those accounts untouched for months before sending spam from them.

“They could’ve been phished three months ago, and it just happened that last week they took advantage of those accounts that they compromised,” O’Keefe said.

Once the compromised accounts are used, other email providers notice the unusual volume of mail coming from Lafayette’s server, and Lafayette’s email domain is placed on a blacklist, which prevents email from being delivered to certain other providers. It then takes a while to get off that blacklist.

Lafayette’s ITS has now put in place effective anticipatory measures to block outgoing messages sent by phishers from hacked Lafayette email accounts.
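The article does not describe how ITS detects spam leaving compromised accounts, but one common building block of such an outbound control is a per-sender volume check: a single account that suddenly sends dozens of messages to distinct outside addresses within a few minutes looks nothing like a student or faculty member’s normal mail. The script below is an added illustration of that idea, not Lafayette ITS code or Zimbra functionality. It assumes a hypothetical, simplified outbound-mail log format (one line per message with a timestamp, sender, recipient and status), builds a constructed sample log, and flags any sender whose message count within a sliding window exceeds a threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format assumed for this example (not a real MTA's output):
#   <ISO timestamp> from=<sender> to=<recipient> status=<sent|deferred>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) status=(?P<status>\S+)$"
)


def build_sample_log():
    """Constructed sample log: two ordinary senders and one account that
    behaves like a phished account being used to send spam."""
    base = datetime(2024, 3, 4, 9, 0, 0)
    lines = []
    # alice: three ordinary messages spread across an hour
    for i, rcpt in enumerate(["bob@example.edu", "prof@example.edu", "lib@example.edu"]):
        ts = base + timedelta(minutes=20 * i)
        lines.append(f"{ts.isoformat()} from=alice@example.edu to={rcpt} status=sent")
    # carol: 40 messages to 40 distinct outside addresses in about four minutes
    for i in range(40):
        ts = base + timedelta(seconds=6 * i)
        lines.append(f"{ts.isoformat()} from=carol@example.edu to=r{i}@mail.example.net status=sent")
    # dave: a busy but legitimate sender, 15 messages over roughly eight hours
    for i in range(15):
        ts = base + timedelta(minutes=32 * i)
        lines.append(f"{ts.isoformat()} from=dave@example.edu to=peer{i % 3}@example.org status=sent")
    return lines


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_bursts(lines, window_minutes=10, max_per_window=25):
    """Return {sender: (peak_count, distinct_recipients)} for every sender whose
    number of delivered messages inside any window of window_minutes exceeds
    max_per_window. Deferred or malformed lines are ignored."""
    per_sender = defaultdict(list)
    recipients = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != "sent":
            continue
        per_sender[rec["sender"]].append(rec["ts"])
        recipients[rec["sender"]].add(rec["rcpt"])

    window = timedelta(minutes=window_minutes)
    flagged = {}
    for sender, stamps in per_sender.items():
        stamps.sort()
        peak, start = 0, 0
        # Two-pointer sliding window: advance start until the window fits.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_per_window:
            flagged[sender] = (peak, len(recipients[sender]))
    return flagged


if __name__ == "__main__":
    for sender, (peak, distinct) in detect_bursts(build_sample_log()).items():
        print(f"{sender}: {peak} messages in one window, {distinct} distinct recipients")
```

With the constructed log only carol’s account is flagged (40 messages in one window to 40 distinct recipients); alice and dave never exceed one message per ten-minute window. A threshold like this is deliberately coarse, which is why O’Keefe describes the outbound controls as an arms race: a spammer who paces messages below the limit slips past it, and the threshold has to be tuned so that legitimately busy accounts, such as mailing-list owners, are not blocked.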

“We have stuff in place to stop inbound and outbound [phishing emails], but that always changes; it’s an arms race,” O’Keefe said. “We get better, they get better; so I believe we’re now in a place where we’ve made some changes that will help prevent the outbound stuff, in a way that a few weeks ago we couldn’t.”

“[It’s] only a matter of time before someone figures their way around that and then we’ll be in this boat again, because at the end of the day, when you have a credential, you have it.”
