E-mail traffic from the “stthomas.edu” domain was blacklisted on Wednesday, Dec. 9, by several major Internet e-mail services as a result of compromised UST NetID accounts being used to relay “spam” messages.
The accounts were compromised after their owners received a very sophisticated “phishing” message containing what looked like a link to an actual UST Web application, Portal. The link, however, actually redirected anyone who clicked on it to a Web page in a domain named “svc065.wic022v.server-web,” which turned out to have been hosted in Australia. Although the page the link pointed to was an identical copy of the Portal front page, the “Username (NetID)” and “Password” fields were used to capture and compromise the account information of anyone who thought they were logging in. Once the phishing attempt was recognized, IRT blocked all on-campus Internet traffic to the actual Web site provided in the message. At least five UST NetID accounts, and as many as 10, were compromised, resulting in the affected UST e-mail accounts being used to send a tremendous amount of spam and in the subsequent blacklisting by services such as Comcast, America Online (AOL), and Hotmail.
Unfortunately, the services that blacklisted UST e-mail do not retain messages that have been identified as spam. Consequently, when legitimate messages have been blocked, the only way to ensure that they are eventually received by the intended parties is to resend them after the blacklisting restrictions have been lifted. If messages are repeatedly resent before the restriction is lifted, however, they may appear to the e-mail services as further instances of spam, and the blacklisting may be prolonged.
In cases like this, IRT e-mail administrators work closely with the Internet e-mail service providers to ease the blacklisting restrictions, but each service handles these occurrences in slightly different ways. Some services will accept direct communication from UST, and will ease the restrictions once they are confident that the compromised accounts are no longer a threat. Other services will lift the restrictions only after they are no longer detecting or receiving complaints of spam coming from UST addresses. Updates on the status of blacklisting as the result of the attack on Dec. 9 can be found on the IRT Alerts page.
Phishing attempts not only are becoming more sophisticated but also are more easily disguised by legitimate features within the current e-mail environment at UST. The increased use of mobile devices, forwarding rules to non-UST e-mail addresses, and even applications such as “Evite” all contribute to higher amounts of e-mail traffic that appears to be from legitimate UST e-mail addresses but, in reality, is from e-mail providers or system addresses outside of UST. “Spammers” and “phishers” use these same techniques to make their messages appear to be from legitimate UST e-mail addresses.
In addition to copying the graphics of the Portal front page, the phishing attempt on Dec. 9 also was unique in that it was very brief. The message contained only the phrase “Attention Member, please click on below link to update your E-mail account,” along with the bogus link to Portal. Many other phishing attempts are easily identified due to their wordiness and numerous grammatical and spelling errors.
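The mismatch described above, between what a link claims to be and the host it actually points to, can be checked mechanically in an HTML message body. The following is an added example, not code from UST or IRT; the sample message markup, the link text “UST Portal” and the keyword heuristic are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

ORG_SUFFIX = "stthomas.edu"          # organisation domain named in the article
CLAIM_WORDS = (ORG_SUFFIX, "portal")  # assumed heuristic: text that claims to be UST

# Constructed sample body: the phrase and the phishing host are quoted from the
# article; the markup, paths and link text are made up for this example.
SAMPLE = (
    "<p>Attention Member, please click on below link to update your E-mail account</p>"
    '<a href="http://svc065.wic022v.server-web/">UST Portal</a> '
    '<a href="https://stthomas.edu/">stthomas.edu home page</a>'
)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self._href, self._text = href, []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_org_host(host):
    """True only for the domain itself or a real subdomain, not a lookalike."""
    host = (host or "").lower().rstrip(".")
    return host == ORG_SUFFIX or host.endswith("." + ORG_SUFFIX)

def mismatched_links(html_body):
    """Return links whose text claims the organisation but whose host is external."""
    parser = LinkCollector()
    parser.feed(html_body)
    parser.close()
    findings = []
    for href, text in parser.links:
        host = urlsplit(href).hostname
        if any(w in text.lower() for w in CLAIM_WORDS) and not is_org_host(host):
            findings.append({"text": text, "href_host": host})
    return findings
```

The suffix check compares whole DNS labels, so a host that merely contains the organisation's name, such as a lookalike with extra labels appended, is still reported as external.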
A common threat within phishing attempts is that “accounts will be deactivated” unless the phishing attempt is responded to with a valid username and password. Knowing the actual UST policy for deactivating accounts can protect you from phishing attempts of this nature. It is not within UST’s normal business process to “de-activate” accounts for current faculty, staff or students, and the exact account expiration and purge process is detailed on this IRT Web page.
Knowing how UST technology and account systems work actually is one of the surest ways to protect yourself against all spam and phishing attempts. IRT does not have a legitimate need to ask UST NetID account holders for an update, as this information is automatically updated through the Murphy online system; furthermore, always be leery of an e-mail that appears to be from IRT but is not signed by an employee who can be verified as working at UST. Many phishing attacks against UST are simply signed with generic terms such as “Your Tech Team” or “The IT Staff.”
More information on spam and phishing can be found on this IRT Web page.