Notification of Server Breach Mistaken For Phishing Email
netbuzz writes "Educause members and 7,000 university websites are being forced to change account passwords after a security breach involving the organization's .edu domain server. However, some initially hesitated to comply because the Educause notification email bore tell-tale markings of a phishing attempt. 'Given what is known about phishing and user behavior, this was bad form,' says Gene Spafford, a Purdue University computer science professor and security expert. 'For an education-oriented organization to do this is particularly troubling.'"
Gene sounds like someone who ignored the email.
Email issued by a university vice-president. Not surprised he doesn't know anything about common email frauds. He probably verbally dictated it to a secretary who took notes in shorthand and later typed it into the computer. The email has no spelling errors, a dead giveaway. What's his email address? I think a prince from Nigeria may have some good news for him soon...
Just ignore the links in the email, go to the website you know to be real, and change your password.
I've recently seen a flood of phishing mails from users of utsa.edu.
Are those accounts compromised, as mentioned in the article?
utsa.edu outsourced their mail to Microsoft, but Microsoft refuses to handle abuse reports on that domain, claiming "it is not a Microsoft domain".
But it is run on Microsoft servers (messaging.microsoft.com, bigfish.com aka bigphish.com)
Even the pros get it wrong - the latest email concerning a UK-based challenge relating to cyber security to its participants is from domain A, sent through a server in domain B, has a 'from' address in domain C, a 'reply-to' address in domain D, and contains hrefs to domain E where the visible text says domain A. The best bit is that it is (effectively) asking for money.
I'm not a participant any more, and haven't even logged in for a very long time - not since the first of their update emails came through, from a previously unmentioned third party (operating domains B, C and D) with the aforementioned phishing-style format. Anyone still actively in the competition who has not raised serious questions about all these extra third-parties (and especially if they clicked the links in the emails) should have been disqualified long ago - and yet they will be the ones taken as 'top people'. Yay for The System...
Major bank here.
We received an email about mandatory IT risk training.
- With those who hadn't participated yet in cc. (hundreds)
- With a link to an outside domain. (xyzlearning.com instead of xyz.com)
- With our password in the plain body of the email '12345678'
It was real. I forwarded it to the 'phishing attempts'-mailbox, but never got an answer.
Something I really don't understand is that in an organisation with so many brains, higher degrees, experience..., there is even more stupidity.
And I have the feeling it is getting worse and worse.
Or dumb user! Read the email; if it sounds like it might be legit and you're unsure, then call the company. However, being that you probably never get this email from them, you can assume it's safe.
We got one of these notices at our university. After trying to determine if the message was spam we decided it was likely real, but suspicious due to the link to a 3rd party website that redirected to educause to reset the password. I ended up going to their website and calling the number they listed there (which was different from the one given in the email) just to verify that the email was legitimate before we entered information into the webform.
I want users to be suspicious and skeptical of emails with strange links. I want them to not completely trust emails that purport to be from their system administrator.
In other words, the portion that didn't immediately follow the email's instructions is to be praised, not harangued.
I work at an organization that is a member of EDUCAUSE. I received the email in question. I can honestly say that the person that came up with an idea to send out the notification from their marketing company instead of EDUCAUSE themselves should be thinking long and hard about finding a consultant for situations that involve common sense. DO NOT send out emails of the utmost importance and use the same tactics that spammers and scammers use. I would think for an institution involved in higher education, they could have done way better than that. The email looked real enough, much like some spam, but the links not pointing to information on the EDUCAUSE website set off my BS detector as well as many others. None of us clicked on them, but we did call to alert them. I only hope that in the future the EDUCAUSE people learn from this and raise the bar for communicating to their members more professionally. Wise men learn from their mistakes, even wiser men learn from the mistakes OF OTHER PEOPLE.
Occasionally, one of my banks or health care orgs calls me on some (legitimate) business.
The first thing they do is ask me for my identifying info (SSN, birthdate, etc).
See, their security and privacy regs require them to verify my identity.
I always refuse, and try to explain the problem to them.
In the early days (going back maybe 5 years),
they had no idea what I was talking about,
and I could not get them to understand the problem.
Eventually, some of them understood that they had a problem.
But their understanding of the problem was that some of their customers wouldn't talk to them,
which meant that they couldn't complete the business at hand,
which mattered to them (or else they wouldn't have initiated the call in the first place).
Their solution?
Offer me a call-back number, so that I can call them instead.
Because, see, if I initiate the call, then they must be who they say they are, right? Right?
Just once in the last year, I had a bank that really understood the problem.
When I balked, they allowed that I could call back in on the customer service number *on my credit card*.
So I did.
From the reactions of the people who answered,
I got the impression that few of their customers do this.
I've received several e-mails from Paypal that were textbook phishing attempts and then all the links and the sending server are actually Paypal-owned. So they're not the only ones sending out suspicious and badly arranged e-mails.
Michael Sinatra over at seclists.org had the following to say:
This should be a lesson to all of us, since EDUCAUSE is definitely not alone here: We all do regular, legitimate business in ways that are sometimes indistinguishable from phishing, at least to regular users. That needs to stop. Email marketers and analytics junkies will not like to hear this, but we need to put an end to embedded email links that are redirected through other systems. IMO, we should put an end to *all* legitimate links in emails; instead have a business portal with all of the links to surveys, training sites, etc., and have notification emails for when new things appear on the portal. In addition, we could modify our SSO sites so that they alert users when they need to take care of something that we would normally use email for which to notify the user. Once that's done, we can assure users that we will NEVER ask them to click on a link in an email, just like we currently remind them that we never ask them for passwords.
If that is "too hard" and/or the analytics stuff is "too valuable" then we need to simply accept the risk that our users will get caught in phishing attacks. The bad guys have figured out that it is very easy to mimic our business practices, and they have gotten very good at doing it. Unless we change those practices, they will find us to be easy pickings.
So... this story is about an e-mail which allegedly resembled a phishing attempt.
Yet TFA doesn't include the text of the e-mail...
BRILLIANT!
A couple months ago I was informed, in an email that had absolutely every telltale sign of being a phish (other than misspellings, I suppose; it was written in proper English), that someone had probably stolen my card, and I should click on this link if I agreed, or this other one if I had made the charges. The links didn't go to the bank's site. I almost threw it away.
It was a legitimate email; my card had actually been stolen.
I emailed their phishing department with a copy of it, and a pointed "this looks like a phish. I know it's legitimate, but here are all the ways it looks like it isn't. Perhaps you should rethink this email you're sending out?" Their response: "this is not a phish". Yes, I know that. I SAID that. Apparently nobody in that department can think, or read? (Fun fact: this is coming from one of the "big four" banks, according to wikipedia.)
Got the email and was confused - it was very well written, actually overly well written. Alarm bells started ringing. Then I checked the actual links on the text for 'create a new password' and they pointed to educause.[some other domain name].net. All the graphics had tracking ids in the URLs, which is odd for an alert email. Went to look at the educause website and there were no warnings of a security problem or need to reset passwords. My guess is their emailing service works great for newsletters; they need to show better links to their website, and put a message on the website confirming it.
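The checks the commenters above are doing by hand (the "domain A, sent through B, from C, reply-to D, links to E" mismatch, and hovering over 'create a new password' to see where it really points) can be automated on the receiving side. The script below is an added example, not code from the thread, from EDUCAUSE or from any mailing vendor; the two sample messages and every domain in them (example.edu, mailer-example.net) are constructed for the illustration, and the "registrable domain" helper is a deliberate two-label approximation rather than a public-suffix lookup.

```python
"""Flag the phishing-style traits of a legitimate notice: sender, Reply-To and
envelope domains that disagree, links that leave the sender's domain, visible
link text naming a different domain than the href, and off-domain images.
Added example; both sample messages below are constructed, not real mail."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed notice: From is the organisation, but Reply-To, Return-Path and
# every link sit on a third-party mailing service (all names invented).
SUSPICIOUS_EMAIL = """\
Return-Path: <bounce-123@mailer-example.net>
From: "Example University" <security@example.edu>
Reply-To: <replies@mailer-example.net>
Subject: Important security message about your website profile
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="http://example-edu.mailer-example.net/r/42">create a new password</a>.</p>
<p>See <a href="http://track.mailer-example.net/c/7">www.example.edu</a> for details.</p>
<img src="http://track.mailer-example.net/o/7.gif">
</body></html>
"""

# Constructed notice that does what the thread asks for: everything stays on
# the organisation's own domain and the visible text matches the target.
CLEAN_EMAIL = """\
Return-Path: <bounce@example.edu>
From: "Example University" <security@example.edu>
Subject: Important security message about your website profile
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Go to <a href="https://www.example.edu/password">www.example.edu</a> and reset your password.</p>
</body></html>
"""

# Matches something that looks like a hostname inside visible link text.
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


def registrable(host):
    """Crude registrable-domain approximation: last two labels (no PSL lookup)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def addr_domain(header_value):
    """Domain part of an address header, or '' if the header is absent."""
    if header_value is None:
        return ""
    addr = parseaddr(str(header_value))[1]
    return addr.rpartition("@")[2].lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for <a> and src values for <img>."""
    def __init__(self):
        super().__init__()
        self.links, self.images = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href, self._text = a.get("href"), []
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw):
    """Return human-readable findings; an empty list means no trait fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = addr_domain(msg["From"])
    findings = []
    # Envelope sender (Return-Path) and Reply-To compared against From.
    for header in ("Return-Path", "Reply-To"):
        dom = addr_domain(msg[header])
        if dom and registrable(dom) != registrable(from_dom):
            findings.append(f"{header} domain {dom} differs from From domain {from_dom}")
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    parser = LinkCollector()
    parser.feed(body.get_content())
    # Where each link really goes, and whether the visible text says otherwise.
    for href, text in parser.links:
        link_dom = (urlparse(href).hostname or "").lower()
        if registrable(link_dom) != registrable(from_dom):
            findings.append(f"link to {link_dom} leaves the sender's domain {from_dom}")
        shown = HOST_RE.search(text.lower())
        if shown and registrable(shown.group()) != registrable(link_dom):
            findings.append(f"visible text says {shown.group()} but href goes to {link_dom}")
    for src in parser.images:
        img_dom = (urlparse(src).hostname or "").lower()
        if registrable(img_dom) != registrable(from_dom):
            findings.append(f"off-domain image {img_dom} (tracking pixel?)")
    return findings


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_EMAIL), ("clean", CLEAN_EMAIL)):
        found = analyze(raw)
        print(f"== {name}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Run as-is, the constructed "suspicious" notice produces six findings (two header mismatches, two off-domain links, one visible-text mismatch, one off-domain image) and the "clean" one produces none. A mail gateway or helpdesk triage script can apply the same rules to a real message; the point the thread makes is that a legitimate sender who avoids tripping any of them makes the user's job, and this kind of check, much simpler.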
Nod32 may be good antivirus software, and perhaps the best, but when you buy something directly from their web site you get an e-mail that isn't even from eset.com but from netsuite.com spoofing eset.com, saying:
Please open the attached file to view your Cash Sale.
To view the attachment, you first need the free Adobe Acrobat Reader. If you don't have it yet, visit Adobe's Web site http://www.adobe.com/products/acrobat/readstep.html to download it.
WTF?
Another WTF is the summary here.
"[...] says Gene Spafford, a Purdue University computer science professor and security expert."
Since when did Spaf need an introduction? That's like saying "Steve Wozniak, a computer scientist and electronics engineer".
Yes, you might need that clarification if you submit articles to Vanity Fair or Reader's Digest, but here on Slashdot?
What rock did you crawl out of? "Education-oriented organizations" rank among the most incompetent with respect to anything IT, and in particular security. They're staffed not by the best and brightest in the industry but rather those that couldn't hack it in the competitive real world. They're the dross that's left over after business and the DoD have had their fill of graduates.
From: EDUCAUSE <educause@educause.edu>
Subject: Important security message about your EDUCAUSE website profile
[EDUCAUSE logo]
Dear [First Name],
We are writing to inform you of a security breach involving an EDUCAUSE server that may have compromised your EDUCAUSE website profile password. Based on our investigation to date, we do not believe that the breach included access to credit card data, financial accounts, or other sensitive information.
EDUCAUSE took immediate steps to contain this breach and we are working with Federal law enforcement, investigators, and security experts to make sure this incident is properly addressed. Additional security measures have been implemented to help prevent any future occurrences.
As a precaution, we have deactivated all EDUCAUSE website profile passwords. We request that you create a new password.
Please do not use your old password. You should create a new password that is 8 or more characters and is made up of a combination of:
at least one uppercase letter,
at least one lowercase letter,
at least one digit, and
at least one special character.
Please note that the password reset page may be slow to respond as many individuals try to access this page at once. Your old password has already been deactivated; therefore, it does not need to be changed immediately. We expect traffic to the page to decrease later today and tomorrow.
It is not necessary for InCommon account holders to update their institutional credentials because EDUCAUSE does not have access to, or store on any server, InCommon account information.
Please check the address in your browser before entering your password to be sure that you are on the EDUCAUSE website (http://www.educause.edu).
For more information about this incident, please visit the web page about this breach or contact EDUCAUSE Member Services at info@educause.edu or +1-303-449-4430.
Thank you for your understanding and patience as we work to minimize the effects of the breach.
Sincerely,
EDUCAUSE
You are receiving this message because you have an EDUCAUSE website profile.
Copyright 2013 EDUCAUSE | 282 Century Place, Suite 5000, Louisville, CO 80027
Privacy Policy | educause.edu
I went to change my TELUS PW a couple of yrs ago & the direct link on their home page to change PW's, screamed PHISHING ATTEMPT. So much so, that I did not use it. Calling Tech Support got a bored, verbal 'shrug' - indicating that's just the way it was, which was just as non-reassuring as the link to change it. Took 3 calls to get someone who cared & the deed was done over the phone, with a follow-up email response from TELUS verifying it. A 'good' security strategy from a telecommunications company: Let's warn everyone about phishing attempts, yet make our 'official' page to do so look just like a classic phishing attempt - smooth move, TELUS!