Security IT

Notification of Server Breach Mistaken For Phishing Email 65

Posted by samzenpus
from the it's-not-what-you-say-but-how-you-say-it dept.
netbuzz writes "Educause members and 7,000 university websites are being forced to change account passwords after a security breach involving the organization's .edu domain server. However, some initially hesitated to comply because the Educause notification email bore tell-tale markings of a phishing attempt. 'Given what is known about phishing and user behavior, this was bad form,' says Gene Spafford, a Purdue University computer science professor and security expert. 'For an education-oriented organization to do this is particularly troubling.'"


  • Re:Trivial (Score:5, Insightful)

    by MrMickS (568778) on Thursday February 21, 2013 @06:09AM (#42964809) Homepage Journal

    True but by including links in the email it raises suspicion on the validity of the email. This is not dissimilar to the recent email sent from Twitter regarding accounts being compromised.

    A better approach is to provide information in the email indicating that people should visit the website to change their password, but not include a link, then place confirmation of the issue on the website landing page so as to confirm that the threat is real.

  • Re:Trivial (Score:5, Insightful)

    by wvmarle (1070040) on Thursday February 21, 2013 @08:16AM (#42965383)

    When I get such mails that I suspect of being a phishing attempt (and as almost anyone on this planet, I'm receiving at least several of those every single day), I ignore them. The mail in question I'd likely have ignored for that exact reason: suspected phishing, ignored and forgotten by the time my finger has left the button.

    Most of the phishing mails that I receive purport to be from services I've no connection with (I don't have a Hotmail or Yahoo mail account, for example). They're easy. Others pretend to be from sites I do have a connection with (e.g. Gmail); they're harder to distinguish, but it's rather safe to assume they're fake, too. Only when I read about a breach on an independent site, like /. indeed (which I trust as in not being related to phishers), would it be time for action. If I were to follow your advice, and go to the web site the phishing mail pretends to come from, I'd spend my whole day changing e-mail passwords.

    The only mails that I'd recognise as real would be those that use my complete name, preferably including middle name, when addressing me. Not "dear e-mail user", not "dear wvmarle@gmail.com" or "dear wvmarle". PayPal, for example, is doing that very well, and that's so far the only way I would believe those mails to be real. And still I'd not use a link provided in those mails, just to be sure.

  • Re:Trivial (Score:4, Insightful)

    by Anonymous Coward on Thursday February 21, 2013 @08:35AM (#42965497)

    Or if you think your software is up to date, and your plugins are click to play, just click the link and then check if the domain name is correct.

    Riiiiight. If your Java software was up-to-date then you're only looking at a dozen or so zero-day exploits that can slip right past your 'up-to-date' plugins. Or how about the Adobe Reader zero-day that Adobe recommends turning on protected mode for everything until they fix it. That software is up-to-date as well.

    If you want to copy & paste a link, do it into NotePad and not a browser. Why play chicken? If you're already suspicious then be smart instead of trying to outsmart the phishers.

    BTW, if you're counting on your up-to-date plugins to stop things, you'll be not-so-pleasantly-surprised when the zero-days are fixed and the A/V companies have something new to look for. If the plugin vendor doesn't know about the hole then it's doubtful that the A/V companies know about it either.
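The three comments above boil down to a small set of checks a recipient (or a mail gateway) can run on a notification before trusting it: does it greet a generic "e-mail user" rather than a named person, does every link actually point at the organisation's own domain, and does the text a link shows match where it really goes. The following Python script is an added example written for this discussion; it is not code from Educause, Slashdot, or any of the commenters. The allowlist (`educause.edu`), the generic-greeting phrases, and both sample notices are constructed for illustration, and the two-label "registered domain" heuristic is a simplification that is fine for `.edu`/`.com` but would need a public-suffix list for domains like `.co.uk`.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist of domains the notifying organisation actually controls.
TRUSTED_DOMAINS = {"educause.edu"}

# Salutations that wvmarle's comment calls out as a phishing tell (constructed list).
GENERIC_GREETINGS = ("dear user", "dear customer", "dear e-mail user", "dear member")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_host(url):
    """Hostname of a URL; bare 'www.example.org/x' is treated as http."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registered_domain(host):
    """Last two DNS labels (assumption: no multi-label public suffixes involved)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def assess(html_body, trusted=TRUSTED_DOMAINS):
    """Return a list of phishing indicators found in the notice; empty means none."""
    findings = []
    parser = LinkExtractor()
    parser.feed(html_body)

    plain = re.sub(r"<[^>]+>", " ", html_body).lower()
    if any(greeting in plain for greeting in GENERIC_GREETINGS):
        findings.append("generic greeting")

    for href, visible in parser.links:
        host = link_host(href)
        if registered_domain(host) not in trusted:
            findings.append(f"link to untrusted domain: {host}")
        # Visible text that looks like a URL but resolves to another host is the
        # classic "check the domain name" case from the comment above.
        if re.match(r"^(https?://|www\.)", visible, re.I):
            shown = link_host(visible)
            if shown and registered_domain(shown) != registered_domain(host):
                findings.append(f"display/href mismatch: {shown} -> {host}")
    return findings


# Constructed sample notices (not the real Educause mail).
SAFE_NOTICE = """<p>Dear Jane Q. Example,</p>
<p>Our domain server was compromised. Please type the Educause address into
your browser yourself and use the password-reset page linked from our home page,
where this notice is also posted.</p>"""

SUSPICIOUS_NOTICE = """<p>Dear e-mail user,</p>
<p>Reset your password now at
<a href="http://educause.edu.example.net/reset">https://www.educause.edu/reset</a></p>"""

if __name__ == "__main__":
    for name, body in (("safe", SAFE_NOTICE), ("suspicious", SUSPICIOUS_NOTICE)):
        print(name, "->", assess(body) or "no indicators")
```

The "safe" notice follows MrMickS's suggestion (no link at all, confirmation on the site itself), so it produces no findings; the second trips all three checks. Run on a real mailbox, the mismatch check alone catches the bulk of look-alike links, while the greeting check mostly serves as a tie-breaker, since plenty of legitimate bulk mail is also impersonal.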

  • by swm (171547) * <swmcd@world.std.com> on Thursday February 21, 2013 @10:56AM (#42966853) Homepage

    Occasionally, one of my banks or health care orgs calls me on some (legitimate) business.
    The first thing they do is ask me for my identifying info (SSN, birthdate, etc).
    See, their security and privacy regs require them to verify my identity.
    I always refuse, and try to explain the problem to them.

    In the early days (going back maybe 5 years),
    they had no idea what I was talking about,
    and I could not get them to understand the problem.

    Eventually, some of them understood that they had a problem.
    But their understanding of the problem was that some of their customers wouldn't talk to them,
    which meant that they couldn't complete the business at hand,
    which mattered to them (or else they wouldn't have initiated the call in the first place).
    Their solution?
    Offer me a call-back number, so that I can call them instead.
    Because, see, if I initiate the call, then they must be who they say they are, right? Right?

    Just once in the last year, I had a bank that really understood the problem.
    When I balked, they allowed that I could call back in on the customer service number *on my credit card*.
    So I did.
    From the reactions of the people who answered,
    I got the impression that few of their customers do this.

