

Beware: in cyberspace, sharks go ‘phishing’

by George Spain
Center for Academic and Research Computing
A recent attack from foreign shores reminds us there’s no safe harbor from today’s pirates.
 
MUSC was the most recent target of a sophisticated e-mail attack that has been threatening universities around the world since the beginning of the year. These attacks are called ‘phishing’ and roll in like a cyber tsunami. The source of the latest attacks has been traced to Nigeria where cyber crime is a major growth industry.
 
In a typical attack, several thousand e-mails are slipped past MUSC’s computer security defenses, and university e-mail users are flooded with requests for sensitive information about their accounts. The wording varied a little, but all of the messages asked for computer passwords, dates of birth and similar details, and threatened to shut off the accounts of those who did not reply.
 
“The e-mails are not terribly sophisticated, but they prey on users’ emotions, and unwary users can be caught off-guard,” said Richard Gadsden, in MUSC’s Information Security Office. “Although our defenses are able to block many of the e-mail attacks, the criminals are persistent and clever. If they work hard enough, they can eventually craft a batch of e-mails that will get past our border defenses.”
 
Since the attack came in the middle of the night, it was hours before countermeasures could be taken.
 
Paul Arrington, Information Services e-mail administrator, blocked the source of the incoming mail. Then, he had to find out how many people may have responded to these phony requests for information. Any account that showed a response was immediately disconnected.
 
“There’s no way at first to know what the response might have been,” said Arrington. “Some might have been ‘out of office’ replies, some might have been angry retorts to the spammers, and some might have actually given the requested data. After I blocked the outgoing responses, I could read what people who had responded had written. Before then, I couldn’t know.”
 
Any response at all had to be considered a breach and the account had to be disabled. Arrington informed the Help Desk, which then tried to contact those who responded. Responders had to go through the NetID process again, including changing their passwords and challenge questions.
 
Arrington estimated that some 40 people responded; after investigation, he judged that only one or two had actually supplied the sensitive information.
 
Days after the attack, Arrington and Gadsden went back over the details and drew a few conclusions:
  • Automatic ‘out of office’ responses have proved to be a huge problem. “All they do is let the criminals know that the address is valid. You could say they get part of what they want when they get any kind of response,” Gadsden said.
  • Same for those who respond angrily to the spammers. “It might give you a few minutes of good feeling to vent at the spammers, but again, it only lets them know they’ve hit a valid address...one that will go into their books,” Arrington said.
  • While the number of people who fell for the scam was low, “it only takes one response to create a gaping hole in the network defense. Within seconds of getting a response, the spammers can log in as a legitimate user and begin to dig holes for others to crawl through,” Gadsden said.
  • The holes get deep, fast. “A spammer can log in and change the user’s challenge questions. That way, even if the breach is caught and the password changed, the spammer has a way to change it back. That’s why we always require users to pick another series of challenge responses,” Arrington said.
“We say it over and over and there is some indication that the word is getting through; we will never ask for your password in any e-mail correspondence. We understand that in some cases it’s expedient for a technician to ask for a password to check into a user’s account to help solve a specific problem...but I think this is a dangerous practice. You should never give your password to anyone. Period,” Gadsden said.
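The triage Arrington describes above (block the phishing sender, find every account that replied to it, treat any reply, automatic or not, as a breach, and require a full NetID reset) as an added example that is not MUSC's own tooling. It runs over constructed outbound-mail log lines in a hypothetical key=value format; the sender address and account names are placeholders, and the auto=yes/no field stands in for an Auto-Submitted header.

```python
import re

# Placeholder for the blocked phishing sender; not an address from the article.
PHISH_SENDER = "verify-accounts@example.invalid"

# Constructed outbound-mail log lines (hypothetical format; not real MUSC data).
SAMPLE_LOG = """\
2008-04-10T03:14:02 from=jdoe@example.edu to=verify-accounts@example.invalid auto=yes subject="Out of Office AutoReply"
2008-04-10T03:20:45 from=asmith@example.edu to=verify-accounts@example.invalid auto=no subject="RE: Account Verification"
2008-04-10T03:22:10 from=bjones@example.edu to=friend@example.edu auto=no subject="lunch?"
2008-04-10T04:01:33 from=clee@example.edu to=verify-accounts@example.invalid auto=no subject="Re: Account Verification"
2008-04-10T04:05:00 from=jdoe@example.edu to=verify-accounts@example.invalid auto=yes subject="Out of Office AutoReply"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<frm>\S+) to=(?P<to>\S+) auto=(?P<auto>yes|no) subject="(?P<subj>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_responders(log_text, phish_sender):
    """Return {account: kind} for every account that sent anything to the phishing address.

    kind is 'auto-reply' or 'human reply'. Both confirm a live address to the attacker,
    so both are reported; a human reply outranks an auto-reply for the same account.
    """
    responders = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["to"].lower() != phish_sender.lower():
            continue
        kind = "auto-reply" if rec["auto"] == "yes" else "human reply"
        if responders.get(rec["frm"]) != "human reply":
            responders[rec["frm"]] = kind
    return responders


def response_plan(responders):
    """Any response is treated as a breach: disable the account and require the NetID
    process again, which resets both the password and the challenge questions, so an
    attacker who changed the questions cannot use them to change the password back."""
    return [(acct, responders[acct], "disable account",
             "NetID reset: new password + new challenge questions")
            for acct in sorted(responders)]


if __name__ == "__main__":
    for row in response_plan(find_responders(SAMPLE_LOG, PHISH_SENDER)):
        print(" | ".join(row))
```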


Friday, April 18, 2008
Catalyst Online is published weekly, updated as needed and improved from time to time by the MUSC Office of Public Relations for the faculty, employees and students of the Medical University of South Carolina. Catalyst Online editor, Kim Draughn, can be reached at 792-4107 or by email, catalyst@musc.edu. Editorial copy can be submitted to Catalyst Online and to The Catalyst in print by fax, 792-6723, or by email to catalyst@musc.edu. To place an ad in The Catalyst hardcopy, call Island Publications at 849-1778, ext. 201.