Friday, February 3, 2023

Scams and Unsecured malone.edu email accounts


Hello Students, Faculty, Staff, & Alumni:

This week's post is a little more serious because it pertains to several phishing emails that have made it past our filters because of mismanaged and insecure malone.edu email accounts. We are evaluating the best way to move forward so that fewer accounts are compromised and the chance of our user community being scammed is reduced.

The best way for you to prevent your account being hacked is to:

  1. Make sure you set up good multi-factor authentication methods for your accounts.
  2. Be extremely suspicious of offers that are too good to be true or ANYTIME someone asks you to purchase things on their behalf. Scammers often ask you to buy gift cards or order equipment for them.
  3. Report when you see suspicious activity. Mark it as SPAM in the web mail interface or - for faculty and staff - report suspicious emails using the orange phishing hook so that IT can review the message. You can also contact the Help Desk if you want assistance to verify a message is legitimate. DO NOT forward the message to HelpDesk. We will review it using administrative interfaces.

In the past week, we received the third instance of this particular attack. Here's the rough outline of how this particular attack works.

1) Compromised account

An account which did not yet have multifactor authentication set up had its password guessed by an attacker. In this case, it was an alumnus' account from ten years ago. The attacker set up the alumnus' MFA and logged into his account using the Tor web browser. Tor is an anonymity network, often associated with the dark web, which obscures the user's real location. We can see in our logs that the login traffic appeared to come from no fewer than three different countries.

How does an attacker guess a password? There are many ways, but here are a few:
  1. The password is part of a security breach from another site.
  2. The user uses the same password on all of his or her web sign-ins.
  3. The user has a pattern to their passwords. If their original password is 'BobWhite14,' then the next one they use is 'BobWhite15.' If the previous password is subject to a breach, then the attacker can guess what password might come next.
  4. The user's computer/device is hacked and they store their passwords on an unsecured file on the hacked device. This would be the equivalent of saving all your passwords in the Notes app on your iPhone instead of using the password storage found in Settings. Some folks store their passwords in a Word document saved on their hard drive; this is also extremely insecure.

2) Phishing emails sent

The attacker sent out something like the following message to 240 email addresses:
The Department of Business and Technologies at Malone University is looking for research assistants who are interested in working remotely and receiving a salary of $450 per week. Students (Previous or Present Students) from any department in the university can participate in the research. Please contact Professor Shawn Campbell as soon as possible by text (999)999-9999 with your full name, email address, year of study, and department to obtain the position description and further application requirements.
 
Best Regards.  
C/O Professor Dr. Spamislaw McPhishterson
Title: Professor of Underwater Basket Weaving, Malone University

What are the indications that this is a Phish? 

  1. The first red flag is that they want you to start texting them instead of replying to the email.
  2. The second is that if you responded to the email, the reply would come from an entirely different email address (and not a malone.edu address). Once the communication leaves our systems, it cannot be easily tracked if we need to investigate it.

3) Hooked!

One or more people text the attacker or reply to the email. The attacker gets the victim off our network and systems as soon as possible to thwart any attempts at figuring out who they are.

4) Reeling in the victim

The attacker starts to email or text the victim impersonating the professor and telling them about the internship opportunity. They tell them that they sound like a good candidate for the internship and text them the image of a check that has our name and logo on it, but is totally bogus.

Once they 'hire' the victim, they ask him or her to purchase gift cards or items which can easily be returned to a store (office supplies or non-perishable items). They instruct the victim to make the purchases and either drop-ship them to a location or send pictures of the cards with the PIN codes scratched off.

The victim follows instructions and places the orders. The victim tries to cash the fake check and it bounces.

More red flags:
  1. Why would Malone ask an intern to use their personal account to buy stuff? We don't. We wouldn't.
  2. Asking you to buy or transmit gift cards is a major red flag. They are untraceable and easily sent/received by people snapping pictures.
  3. Texting a picture of a check. That is not how checks work. Checks are typically printed with special magnetic ink and on paper that is copy-resistant. The bank is bogus, the signature is bogus, and they simply copied and pasted our logo on the check.
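The two red-flag lists above can be turned into a simple triage check. The following is an added example, not a tool from Malone IT: it scores a raw email against the signals the post names (replies steered to an off-domain address, a request to switch to texting a phone number, gift cards or PIN codes, a check sent as a picture). The sample messages are constructed for the example and modelled on the post's description; the off-domain Reply-To header is an assumption about how the reply redirection would appear.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples modelled on the messages described in the post; not real captures.
SAMPLE_PHISH = """From: Alumni Mailbox <alum@malone.edu>
Reply-To: prof.hiring.office@freemail.example
Subject: Research Assistant Position

The Department of Business and Technologies at Malone University is looking for
research assistants ... receiving a salary of $450 per week. Please contact
Professor Shawn Campbell as soon as possible by text (999)999-9999 with your
full name, email address, year of study, and department.
"""
SAMPLE_FOLLOWUP = """From: prof.hiring.office@freemail.example
Subject: Re: you are hired

Attached is a picture of the check. Please buy five gift cards at the store
and send photos of the cards with the PIN codes scratched off.
"""
SAMPLE_LEGIT = """From: IT Help Desk <helpdesk@malone.edu>
Subject: Weekly security post

This week's post covers multi-factor authentication. Reply to this email or
call the Help Desk if you have questions.
"""

PHONE_RE = re.compile(r"\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")


def red_flags(raw_message: str) -> list[str]:
    """Return the red flags (from the post's two lists) found in one raw email."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    flags = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    # Red flag: replies are steered to an address outside the sender's domain.
    if reply_domain and reply_domain != from_domain:
        flags.append(f"reply-to domain {reply_domain!r} differs from sender domain {from_domain!r}")
    # Red flag: asks the recipient to move the conversation to texting a phone number.
    if re.search(r"\btext\b", body, re.IGNORECASE) and PHONE_RE.search(body):
        flags.append("asks recipient to switch to texting a phone number")
    # Red flag: gift cards / PIN codes are the untraceable payout the post warns about.
    if re.search(r"gift\s*cards?|pin\s*codes?", body, re.IGNORECASE):
        flags.append("mentions gift cards or PIN codes")
    # Red flag: a check delivered as an image rather than a real printed check.
    if re.search(r"(picture|image|photo)s? of (a|the) check", body, re.IGNORECASE):
        flags.append("check sent as an image")
    return flags
```

Any message that raises one or more flags is a candidate for the SPAM button or the orange phishing hook rather than a reply.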

If you've fallen victim to a scheme like this

First you should file a police report immediately. While it is nearly impossible to identify the attacker and recover your funds, sometimes it can be done. Let them know all of the circumstances around the attack. 

These attacks are getting more and more sophisticated, which means they are harder to detect both for humans and for computers. The appeal of easy and/or quick money has drawn many a cash-strapped student in. Don't let shame keep you from letting the authorities know about it.

What did we do and what are we doing to prevent this from happening in the future?

One huge thing we are doing to prevent this from happening in the future is implementing multifactor authentication (MFA). Once it is set up, attackers have a much harder time taking over a malone.edu account. In this case, the alumnus had not set up his MFA yet, so once they got his password, they set it up for themselves and had full access to his account.

Google detected that it was a phishing attempt and disabled his account. Diligent community members reached out to IT and we further locked out the hacked account and pulled all instances of the email from our servers. We have no way of knowing how many people started to text the attacker, but we are aware of at least one person who did and was bilked out of their money and time.

The future of alumni accounts is in question. We have offered this service to alumni to retain their malone.edu email as long as they are actively checking it. But we are reviewing whether to continue to offer the service in light of alumni who may not be managing their accounts well. More to come on this front, and be sure to send us feedback through helpdesk@malone.edu if you have thoughts.
