
Internet scam breaches university's e-mail system

Officials warn affected persons to change passwords immediately

By: Christopher Barrett

Posted: 1/29/08

1/29/08 - University of Rhode Island administrators are scrambling to warn university e-mail users that a recent message asking for their password is a scam.

The e-mails arrived Friday evening to some student, faculty and staff accounts. The message carried the subject line "Confirm Your E-mail Address" and stated, "To complete your URI account, you must reply to this email immediately and enter your password here (*********)."

That, Help Desk Manager Mary Fetherston said yesterday, is a veiled attempt by unknown hackers to gain unauthorized entry into the university e-mail system. And because other systems, such as e-Campus and WebCT, often use the same password, compromising the e-mail system could give hackers wide access to victims' university accounts. By entering university databases, hackers can skim names, addresses, Social Security numbers and other information, enough data to assume the identity of an unsuspecting victim.

In addition, Fetherston said because many Web sites will e-mail a user a forgotten password, gaining access to e-mail could allow entry to an assortment of sites including online banking.

Fetherston said it's unclear how many university students and employees fell for the scam, but for now she is urging anyone who replied to the message to change his or her passwords immediately. Users who clicked the link provided in the e-mail were not affected, as the link pointed to the legitimate URI Webmail login page.

"We don't know how many got out," she said. "We got about 30 calls and e-mails from the Help Desk Sunday, which is a good amount."

Fetherston said an attentive graduate student, Allison Mitchell, working at the Help Desk saw the e-mail Saturday morning and sounded the alarm.

"It's called a 'spear phishing' scheme," Fetherston said. "It's highly targeted and it looks authentic so it sucks people in. Luckily, because of this grad student's quick action, we got the security alert out."

On Sunday, Fetherston sent an e-mail to the URI Newsline listserv warning URI e-mail users the message was a scam. The university also blocked the Hotmail and SigNet accounts that sent the message and instituted security measures that prevented users from replying to the message.

As of yesterday the Help Desk said two users had replied to the message before administrators blocked the reply capability. Network administrators locked their accounts until the passwords can be reset.

Campus Police Maj. Stephen Baker said it was unclear if the e-mail was related to the recent thefts of university employees' identities, but officials were investigating.

"I don't know if there's any relationship," Baker said, warning that another e-mail scam promising a fictitious tax refund in return for personal information is also making the rounds to URI accounts.

The URI password scam comes on the heels of an almost identical message sent to University of Cincinnati e-mail users during the weekend, raising the possibility of the scam being a concentrated effort by a team of skilled hackers.

The attempt to gain passwords follows a general rise in what is known as "phishing," or trying to lead victims into voluntarily giving up personal information under the guise of being from a legitimate, trusted company.

The FBI has been warning computer users of such scams for years, stretching back to a 2003 press release where Jana Monroe, assistant director of the agency's Cyber Division, said spoofing and phishing scams were on the rise.

"Bogus e-mails that try to trick customers into giving out personal information are the hottest, and most troubling, new scam on the Internet," Monroe said.

Research firm Gartner, Inc. found that 3.6 million Americans lost more than $3.2 billion by falling for such scams in the 12 months preceding August 2007. The study also warned that criminals were increasingly going after debit card numbers, which come with traditionally weaker protections than credit cards. The firm predicted such scams will continue to increase during the next two years because they are lucrative for the attackers.

And because the Internet is global, tracking down the perpetrators can be difficult, if not impossible, Baker said. And if and when the e-mail senders are identified, jurisdiction, extradition and other legal concerns often mean such scammers are rarely, if ever, brought to trial.

Fetherston said the best protection is prevention and urged e-mail users to use different passwords for different sites and be wary of messages that claim to be confirming account status.

"We would never ask you to give us your username and password," Fetherston said.
© Copyright 2009 The Good 5 Cent Cigar