Scam seeks personal information of students
Bill Brink | Friday, April 18, 2008
The Office of Information Technology (OIT) recently informed students of an e-mail scam that has attempted to obtain students’ personal information.
The scam, known as “phishing,” works by sending out an e-mail designed to replicate an e-mail from OIT asking for students to enter their passwords, said Gary Dobbins, OIT Director of Information Security.
“The latest round has changed to asking for passwords under the guise of deleting [the student] e-mail account if you don’t supply it to them,” Dobbins said.
Once the creators of the false e-mails get a student’s password, Dobbins said, they use the account to send out massive amounts of spam.
“As organizations get better at fighting sources of spam, spammers get better at using legitimate sources,” Dobbins said.
Formerly, it was possible for spammers to send such e-mails from home PCs, Dobbins said. Now, however, internet access companies are enacting stricter rules about usage so spammers have to resort to using other people’s accounts.
Dobbins said OIT did not know specific information about whether Notre Dame students had fallen victim to the false e-mails. Students at other colleges have had their accounts used for spam, he said.
“As soon as a student [at another school] would send credentials back believing mail, the account sends out large amounts of spam mail,” Dobbins said. “We can tell that someone has responded to a phishing attack in some cases, but can’t tell what they said. Anecdotal reports sometimes say responses aren’t the response [the spammers] wanted.”
Dobbins said there are three telltale signs students can use to distinguish between real e-mail from OIT and an imposter.
The first, he said, is the fact that OIT will never ask students for personal information through e-mail, a fact proclaimed on Webmail’s home page.
“It wouldn’t make any sense,” he said. “We have it. We don’t need it for anything. We’re running the systems their password opens for them.”
The second sign, Dobbins said, is the presence of an unrealistic threat.
“We would never come out and just delete hundreds of thousand of e-mails with harsh warnings and little advance notice,” Dobbins said. “Scare tactics, for example, if you don’t do this right now, bad things will happen to you. We try to give them plenty of advance notice and a phone number and other contact info.”
The third sign is the lack of contact information, Dobbins said. Authentic OIT emails, he said, will provide students ways to contact OIT if they have questions, while the imposter e-mails do not.
Dobbins said the spammers are getting smarter, and it is becoming harder and harder to distinguish between real and fake e-mails.
“By the end of this calendar year I expect it will be really difficult to tell a real one from a fake,” he said.
Spammers, he said, will add contact information similar to that which OIT now provides.
“We’re going to have to go down to two earmarks,” he said. “A dire threat, or asking for something that if student thinks about it, we should already have or shouldn’t need.”