Universities make ideal target for spammers

Hacked accounts can send thousands of spam emails at a time

WINNIPEG (CUP) – Universities across the world are facing a slew of phishing scams. Both students and staff have fallen victim to spammers who trick them into divulging personal information, including university web mail user names and passwords.

Steve Hillman, an information technology (IT) architect at Simon Fraser University (SFU), described phishing as an attempt to obtain people's online IDs and passwords in order to access their systems, and said it can take many different forms. He said that universities are often targets of phishing operations because they usually have vast email systems, large data pipes and few restrictions on outbound mail, and can thus send out thousands of messages very quickly.

“Banking [phishing scams] go after banking accounts and passwords…same with credit cards. With universities in general, they’re just after your email account so that they can then use your email account to send out spam. They can tailor the message to be relatively generic but to the average student and even staff, it looks official enough that they will be duped into responding to it,” Hillman said. “On a particular phishing blast, they might get half a dozen or a dozen replies that are legitimate and then they’ll sit on them for a while, up to many months, and then they’ll send out a blast of spam and then they’ll never use the account again.”

Ken De Cruyenaere, University of Manitoba (U of M) computer security co-ordinator, said phishing attempts are a daily occurrence at the U of M and that, within the past month or so, there have been a few cases where both staff and students have replied to phishing emails with their personal information.

De Cruyenaere said that sometimes within minutes the compromised account is logged into and used to send spam to thousands of web mail users.

To prevent large numbers of university accounts from being spammed, university IT departments have put a number of measures in place, including spam filters and limits on the number of emails an account can send in a given period.

“We have spam bulk mail filtering and if something looks like bulk mail, we let the first 99 get delivered and then we start blocking it after that,” De Cruyenaere said. “If it’s coming from a University of Manitoba account then there is no blocking. That’s why it gets painful if a university account starts spamming the university. It gets sent to potentially thousands of U of M IDs instead of just 100.”

De Cruyenaere said that a web mail account cannot send more than a certain number of emails in an hour – a number he did not want to specify – before it is temporarily blocked, at which point steps are taken to determine whether the emails are legitimate.

“Most of the time it turns out to be some broken account that’s logged in from Nigeria, usually,” he said, adding that an account is shut down once it is confirmed that it is spamming.
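The per-account outbound limit described above, as an added illustration that is not code from either university: a sliding one-hour window per sender, a temporary block when the limit is hit, and a release step for after a human has reviewed the account. The hourly limit, domain names and log lines are all constructed placeholders (the article does not give the real figure).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

HOURLY_LIMIT = 50            # constructed placeholder, not U of M's real limit
WINDOW = timedelta(hours=1)


class OutboundRateLimiter:
    """Per-sender sliding-window limit on outbound mail; blocks until reviewed."""

    def __init__(self, limit=HOURLY_LIMIT, window=WINDOW):
        self.limit, self.window = limit, window
        self.sent = defaultdict(deque)   # sender -> send timestamps inside window
        self.blocked = {}                # sender -> time the block was imposed

    def allow(self, sender, ts):
        """Return True if the message may go out, False if the account is blocked."""
        if sender in self.blocked:
            return False
        q = self.sent[sender]
        while q and ts - q[0] >= self.window:   # drop sends older than the window
            q.popleft()
        if len(q) >= self.limit:                # limit reached: hold for review
            self.blocked[sender] = ts
            return False
        q.append(ts)
        return True

    def release(self, sender):
        """Lift a block after the account has been confirmed legitimate."""
        self.blocked.pop(sender, None)
        self.sent[sender].clear()


def build_sample_log():
    """Constructed log ('ISO-timestamp sender recipient'): one account bursting
    60 messages in ten minutes, one sending 5 messages spread over a day."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    lines = [f"{(base + timedelta(seconds=10 * i)).isoformat()} stu1@uni.example v{i}@example.org"
             for i in range(60)]
    lines += [f"{(base + timedelta(hours=3 * i)).isoformat()} staff1@uni.example c{i}@example.org"
              for i in range(5)]
    return "\n".join(sorted(lines))   # ISO timestamps sort chronologically


def replay(log_text, limit=HOURLY_LIMIT):
    """Replay a log through the limiter; return (delivered, rejected, blocked accounts)."""
    limiter, delivered, rejected = OutboundRateLimiter(limit), 0, 0
    for line in log_text.strip().splitlines():
        ts_s, sender, _recipient = line.split()
        if limiter.allow(sender, datetime.fromisoformat(ts_s)):
            delivered += 1
        else:
            rejected += 1
    return delivered, rejected, limiter.blocked
```

With the constructed log, the bursting account is blocked at its 51st message and the normal account is never touched.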

Hillman said that when SFU introduced a new email system, there was no mechanism in place to restrict the number of emails sent per day.

During this time, a number of email accounts were compromised and, with no restrictions in place, sent enough spam to get the university blacklisted.

According to Hillman, there are a number of sites on the Internet that monitor for spam being sent out. If these sites detect too much spam from a particular source, that source is put on a list of unreliable senders of mail. Other email hosts can choose to follow this “blacklist” and, if they receive mail from any of the listed sites, can choose to reject it.

“In one case, we were blacklisted from Hotmail, which actually set up lots of nasty email loops…. It took us several days to clean that mess up and for a while there were a lot of people not receiving their mail,” said Hillman, but since limits on emails sent were put in place, the university has not been blacklisted.

Hillman noted that this week, a phishing message was sent to SFU that instead of asking people to respond by email, directed them to a web site to log in.

“Luckily the web site didn’t look like our own centralized authentication site so it was relatively easy to tell it was a phishing attempt,” he said.

Hillman said that other universities have reported phishing messages that have directed users to more convincing university login pages, making it even more difficult for an unsuspecting user.

De Cruyenaere said that no legitimate organization would ask for your username and password.

According to Hillman, phishing schemes are so widespread that “pretty much every university has had to deal with it in one way or another.”

“It’s a booming market, it’s well organized, and in many cases it’s several steps ahead of the security experts who are trying to crack down on it,” Hillman said. “It’s one of those things like spam itself. It’s just a part of doing business on the Internet.”