Return to Main Menu
Beware: in cyberspace, sharks go
by George Spain
for Academic and Research Computing
A recent attack from foreign shores reminds us there’s no safe harbor
from today’s pirates.
MUSC was the most recent target of a sophisticated e-mail attack that
has been threatening universities around the world since the beginning
of the year. These attacks are called ‘phishing’ and roll in like a
cyber tsunami. The source of the latest attacks has been traced to
Nigeria where cyber crime is a major growth industry.
In a typical attack, several thousand e-mails are slipped past MUSC’s
computer security defenses, and university e-mail users are flooded
with requests for sensitive information about their accounts. Wordings
have varied a little, but all of the messages asked for computer
passwords, date of birth, etc.; and have threatened to shut off
accounts of those who did not reply.
“The e-mails are not terribly sophisticated, but they prey on users’
emotions, and unwary users can be caught off-guard,” said Richard
Gadsden, in MUSC’s Information Security Office. “Although our defenses
are able to block many of the e-mail attacks, the criminals are
persistent and clever. If they work hard enough, they can eventually
craft a batch of e-mails that will get past our border defenses.”
Since the attack came in the middle of the night, it was hours before
countermeasures could be taken.
Paul Arrington, Information Services e-mail administrator, blocked the
source of the incoming mail. Then, he had to find out how many people
may have responded to these phony requests for information. Any account
that showed a response was immediately disconnected.
“There’s no way at first to know what the response might have been,”
said Arrington. “Some might have been ‘out of office’ replies, some
might have been angry retorts to the spammers, and some might have
actually given the requested data. After I blocked the outgoing
responses, I could read what people who had responded had written.
Before then, I couldn’t know.”
Any response at all had to be considered a breach and the account had
to be disabled. Arrington informed the Help Desk, which then tried to
contact those who responded. Responders had to go through the NetID
process again, including changing their passwords and challenge
Arrington estimated some 40 people responded and after investigation,
he estimated that one or two had actually supplied the sensitive
Days after the attack, Arrington and Gadsden went back over the details
and drew a few conclusions:
- Automatic ‘out of office’ responses have proved to be a
huge problem. “All they do is let the criminals know that the address
is valid. You could say they get part of what they want when they get
any kind of response,” Gadsden said.
- Same for those who respond angrily to the spammers. “It
might give you a few minutes of good feeling to vent at the spammers,
but again, it only lets them know they’ve hit a valid address...one
that will go into their books,” Arrington said.
- While the number of people who fell for the scam was low,
“it only takes one response to create a gaping hole in the network
defense. Within seconds of getting a response, the spammers can login
as a legitimate user and begin to dig holes for others to crawl
through,” Gadsden said.
“We say it over and over and there is some indication that the word is
getting through; we will never ask for your password in any e-mail
correspondence. We understand that in some cases it’s expedient for a
technician to ask for a password to check into a user’s account to help
solve a specific problem...but I think this is a dangerous practice.
You should never give your password to anyone. Period,” Gadsden said.
- The holes get deep, fast. “A spammer can login and change
the user’s challenge questions. That way, even if the breach is caught
and the password changed, the spammer has a way to change it back.
That’s why we always require users to pick another series of challenge
responses,” Arrington said.
Friday, April 18, 2008
Catalyst Online is published weekly,
as needed and improved from time to time by the MUSC Office of Public
for the faculty, employees and students of the Medical University of
Carolina. Catalyst Online editor, Kim Draughn, can be reached at
or by email, email@example.com. Editorial copy can be submitted to
Online and to The Catalyst in print by fax, 792-6723, or by email to
firstname.lastname@example.org. To place an ad in The Catalyst hardcopy, call Island
Publications at 849-1778, ext. 201.