The Chronicle of Higher Education
The Wired Campus

April 9, 2008

At Least 86 Campuses Have Been Hit in E-Mail 'Phishing' Scam

An informal survey conducted this week on an e-mail list for campus computer-security administrators showed that at least 86 campuses have been hit in an e-mail scam aimed at colleges.

As we reported last week, malicious hackers are sending e-mail messages to students, professors, and staff members at colleges around the country that seek to trick them into giving away their college-network password and other personal information. The approach is known as “phishing,” and until recently the most common targets were online banking and payment services rather than college networks.

Douglas Pearson, technical director of the Research and Education Networking Information Sharing and Analysis Center at Indiana University at Bloomington, polled members of the center’s e-mail list about the phishing scheme at the request of The Chronicle. About 250 colleges are represented on the e-mail list, he said, and about 107 replied to the survey.

Most of the respondents reported seeing the scam messages on their networks. “Of those sites that received the phish, 61 reported that someone at the institution fell for the attack, 9 reported no, and 16 reported unknown,” wrote Mr. Pearson in an e-mail interview. At campuses where users fell for the trick, 42 reported that the passwords were used to break into the campus network.

The source of the messages is unclear, though some officials have been trying to track down the culprits. “A good number of the attacks appear to be from a common source,” said Mr. Pearson. —Jeffrey R. Young

Posted on Wednesday April 9, 2008

Comments

  1. For at least this next generation, college will be the first time some people are introduced to email, and as long as there is a steady supply of people new to email, there will be a steady supply of people falling for this stuff. Our school ended up on some RBLs, causing companies such as Hotmail and Yahoo to reject email from us.

    I think they should revoke the internet and email access of the people who responded to the scam until they can prove that they know how to behave without putting the whole community at risk. Second offenses should require them to repay the university for the overtime the sysadmins have to put in.

    — Mr. Gunn    Apr 10, 06:05 PM

  2. Though there is no doubt that people who respond to phishing emails are neglectful, to punish them by withholding access to the internet and email networks is over the top. The modern college campus practically requires email and internet access. What you are proposing, Mr. Gunn, amounts to a serious sanction that could cause a student’s GPA to be seriously damaged. Let’s go after the real culprits, not naive people who were misled.

    — Mr. Stevenson    Apr 10, 06:41 PM

  3. Maybe an idea to minimize the number of people falling for phishing scams is for university system admin to perform “fire drills” that go something like this: the university sends out what looks like phishing e-mails. For the few who naively respond to this e-mail, the responders receive an e-mail from the university telling them that they fell for the “phishing scam” and provide information that will help educate them on how not to fall for it again.

    — G    Apr 10, 07:37 PM

  4. —G has the right idea. What is education without a test?

    — arv    Apr 11, 10:08 AM

  5. We can blame users and we can educate users – but the fact is in a large population there will always be a few people who fall for this. If universities are being blacklisted it is because this individual user failure has been leveraged into a system failure. So the onus is on the university to have controls to prevent this escalation. There are controls available to universities to prevent the university mail system from becoming a source of spam or phishing. That is where action needs to be taken.

    — Bev K    Apr 17, 12:58 PM

  6. I can't log in to my email

    — rosemary green    Apr 20, 04:01 PM
