Notification of Server Breach Mistaken For Phishing Email 65
netbuzz writes "Educause members and 7,000 university websites are being forced to change account passwords after a security breach involving the organization's .edu domain server. However, some initially hesitated to comply because the Educause notification email bore tell-tale markings of a phishing attempt. 'Given what is known about phishing and user behavior, this was bad form,' says Gene Spafford, a Purdue University computer science professor and security expert. 'For an education-oriented organization to do this is particularly troubling.'"
Idiocy at the top...zzz... (Score:2)
Re: (Score:1)
'For an education-oriented organization to do this is particularly troubling.'"
It has always been my experience that universities' IT departments are almost universally clueless. In fact, their level of cluelessness rivals and outstrips that of many banks. My (maybe just slightly cynical) assumption is that these colleges only employ their own graduates...
Re: (Score:2)
It has always been my experience that universities' IT departments are almost universally clueless. In fact, their level of cluelessness rivals and outstrips that of many banks. My (maybe just slightly cynical) assumption is that these colleges only employ their own graduates...
Then you haven't heard of PaulDotCom [pauldotcom.com]
Re: (Score:2)
The email has no spelling errors, a dead giveaway.
Wasn't there a story a while back that said the exact opposite of that? That scammers want their emails to look as poorly written as possible (among other things) so as to only attract the most gullible people?
Re: (Score:2)
" That scammers want their emails to look as poorly written as possible (among other things) so as to only attract the most gullible people?"
That might be so, but people who can spell usually have more money than retards who can't.
OTOH there are far more of those... the Germans have a proverb saying: "Little beasts make manure too."
Re: (Score:2)
That's because they don't generally give it to Nigerian Princes who contact them by email.
The scammers aren't interested in wasting their time on people who will ask questions or think critically about the proposal.
Trivial (Score:2, Informative)
Just ignore the links in the email, go to the website you know to be real, and change your password.
Re:Trivial (Score:5, Insightful)
True, but including links in the email raises suspicion about the validity of the email. This is not dissimilar to the recent email sent from Twitter regarding accounts being compromised.
A better approach is to provide information in the email indicating that people should visit the website to change their password, but not include a link, then place confirmation of the issue on the website landing page so as to confirm that the threat is real.
Re: (Score:2)
And that's how Equestria was made!
Re: (Score:1)
Just right-click the link, copy, and paste into the address line. If the domain name portion of the link is to the right website, you know that the content is controlled by the owner of the domain name (with the exception of sites which permit user-generated subpages, such as Google Docs).
Or if you think your software is up to date, and your plugins are click to play, just click the link and then check if the domain name is correct.
Links are too useful to not be able to use them in emails.
Re:Trivial (Score:4, Insightful)
Or if you think your software is up to date, and your plugins are click to play, just click the link and then check if the domain name is correct.
Riiiiight. If your Java software was up-to-date then you're only looking at a dozen or so zero-day exploits that can slip right past your 'up-to-date' plugins. Or how about the Adobe Reader zero-day for which Adobe recommends turning on protected mode for everything until they fix it. That software is up-to-date as well.
If you want to copy & paste a link, do it into NotePad and not a browser. Why play chicken? If you're already suspicious then be smart instead of trying to outsmart the phishers.
BTW, if you're counting on your up-to-date plugins to stop things, you'll be not-so-pleasantly-surprised when the zero-days are fixed and the A/V companies have something new to look for. If the plugin vendor doesn't know about the hole then it's doubtful that the A/V companies know about it either.
Re: (Score:3)
Except that in this case the domain name portion wasn't to the "right" website, at least if the article's "the embedded link went to a third-party site with 'educause' embedded in the URL along with a sequence of meaningless characters" claim is correct.
Re: (Score:2)
The actual link you were supposed to click to change your password went to net.educause.edu. However, the other links in the email went to educause-domain.informz.net (yeah, that looks legit!).
Given the volume of phishing mails that come in of varying quality, it's only natural for there to be suspicion.
Re: (Score:2)
The best approach is for you to check the domain on the link (usually hovering over the link works fine for this), rather than expecting no links. If you know enough to know that you don't want to use links from phishing mails, you should also be able to know how to check that the domain is correct.
Re: (Score:3, Informative)
Re: (Score:1)
Unfortunately, "legitimate" e-mail is known to use links where the href's domain is different than the link's text [apache.org].
Re: (Score:2)
Yeah, that's why I said to hover over the text. You usually get the real link in a tooltip or the status bar, depending on what browser/mail-client you're using.
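One way to apply the "check the domain of the link" advice from the comments above mechanically, as an added example that is not from the thread: it parses the anchors in an HTML body and flags any href whose host is outside the sender's domain, or whose visible text names a different host than the href actually points to. The message body and the sender domain are constructed for illustration, reusing the hosts mentioned in this thread.

```python
# Added example (not from the thread): audit the links in an HTML email body.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that itself looks like a URL or bare hostname.
URLISH = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:[/?#]\S*)?$", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def in_domain(host, domain):
    """True if host is domain itself or a subdomain of it (not a look-alike)."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

def audit_links(html_body, sender_domain):
    """Return (href, reason) for each link a reader should not trust blindly."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""   # mailto:/relative links have no host
        if not in_domain(host, sender_domain):
            findings.append((href, "href host %s is outside %s" % (host, sender_domain)))
            continue
        m = URLISH.match(text)
        if m and m.group(1).lower() != host:   # text shows one host, href goes elsewhere
            findings.append((href, "link text shows %s but href goes to %s" % (m.group(1), host)))
    return findings

# Constructed sample body: one clean link, one tracking redirector, one text/href mismatch.
SAMPLE = """
<p>Please <a href="https://net.educause.edu/reset">change your password</a>.</p>
<p><a href="https://educause-domain.informz.net/z/abc123">Read the advisory</a></p>
<p>Or visit <a href="https://login.educause.edu/">net.educause.edu</a></p>
"""
```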
Re:Trivial (Score:5, Insightful)
When I get mails that I suspect of being a phishing attempt (and, like almost anyone on this planet, I'm receiving at least several of those every single day), I ignore them. The mail in question I'd likely have ignored for that exact reason: suspected phishing, ignored and forgotten by the time my finger has left the button.
Most of the phishing mails that I receive purport to be from services I've no connection with (I don't have a Hotmail or Yahoo mail account, for example). They're easy. Others pretend to be from sites I do have a connection with (e.g. Gmail); they're harder to distinguish, but it's rather safe to assume they're fake, too. Only when I read about a breach on an independent site, like /. indeed (which I trust as in not being related to phishers), would it be time for action. If I were to follow your advice, and go to the web site the phishing mail pretends to come from, I'd spend my whole day changing e-mail passwords.
The only mails that I'd recognise as real would be ones that use my complete name, preferably including middle name, when addressing me. Not "dear e-mail user", not "dear wvmarle@gmail.com" or "dear wvmarle". PayPal for example is doing that very well, and that's so far the only way I would believe those mails to be real. And still I'd not use a link provided in those mails, just to be sure.
Re: (Score:2)
Re: (Score:2)
If your email address is <firstname>.<lastname>@yourdomain.com (as many are), it isn't too difficult for the phisher to guess the first and last names.
Re: (Score:3)
Re: (Score:2)
"Just ignore the links in the email, go to the website you know to be real, and change your password."
Do you also ignore the key-logger they installed the day before sending that email to make you rush to log in?
Re: (Score:1)
I don't see anything incongruous about someone physically hosting servers but not administering them. It is more efficient for utsa.edu to locate the servers they use in one of the big boys' server farms than to run their own physical installation. But they can perfectly well keep full authority and responsibility for their domain. It should be clear who has responsibility for the domain, but it doesn't have to be the owner of the floorspace the server stands on.
Happens all the time. (Score:1)
Major bank here.
We received an email about mandatory IT risk training.
- With those who hadn't participated yet in cc. (hundreds)
- With a link to an outside domain. (xyzlearning.com instead of xyz.com)
- With our password in the plain body of the email '12345678'
It was real. I forwarded it to the 'phishing attempts'-mailbox, but never got an answer.
Something I really don't understand is that in an organisation with so many brains, higher degrees, experience..., there is even more stupidity.
And I have the feel
Bad Form? (Score:2)
Re: Bad Form? (Score:2, Offtopic)
Your = possessive pronoun. You're = contraction of you are. Not complicated.
Re: (Score:2)
Re: (Score:2)
That's not a spelling mistake, it's a grammatical mistake.
Re: (Score:2)
Re: (Score:2)
You really want me to contact gmail five times a day to verify all those mails they send me? And how to contact them anyway, other than by e-mail?
Better safe than sorry (Score:2)
Good! (Score:3)
I want users to be suspicious and skeptical of emails with strange links. I want them to not completely trust emails that purport to be from their system administrator.
In other words, the portion that didn't immediately follow the email's instructions is to be praised, not harangued.
Bad Ideas... (Score:1)
Banks and health care do it too (Score:4, Insightful)
Occasionally, one of my banks or health care orgs calls me on some (legitimate) business.
The first thing they do is ask me for my identifying info (SSN, birthdate, etc).
See, their security and privacy regs require them to verify my identity.
I always refuse, and try to explain the problem to them.
In the early days (going back maybe 5 years),
they had no idea what I was talking about,
and I could not get them to understand the problem.
Eventually, some of them understood that they had a problem.
But their understanding of the problem was that some of their customers wouldn't talk to them,
which meant that they couldn't complete the business at hand,
which mattered to them (or else they wouldn't have initiated the call in the first place).
Their solution?
Offer me a call-back number, so that I can call them instead.
Because, see, if I initiate the call, then they must be who they say they are, right? Right?
Just once in the last year, I had a bank that really understood the problem.
When I balked, they allowed that I could call back in on the customer service number *on my credit card*.
So I did.
From the reactions of the people who answered,
I got the impression that few of their customers do this.
Re: (Score:3)
I do that whenever I get a warning that my card may be compromised. I call the number on the card. If it's on security lockout the computer recognizes this and immediately routes me to the security department. (Because
Paypal does the same thing (Score:2)
And ESET (Score:2)
Nod32 may be good antivirus software, and perhaps the best, but when you buy something directly from their web site you get an e-mail that isn't even from eset.com but from netsuite.com spoofing eset.com, saying:
Please open the attached file to view your Cash Sale.
To view the attachment, you first need the free Adobe Acrobat Reader. If you don't have it yet, visit Adobe's Web site http://www.adobe.com/products/acrobat/readstep.html [adobe.com] to download it.
WTF?
Another WTF is the summary here.
"[...] says Gene Spafford, a Purdue University computer science professor and security expert."
Since when did Spaf need an introduction? That's like saying "Steve Wozniak, a computer scientist and electronics engineer".
Yes, you might need that clarification if yo
This guy at seclists.org nailed it (Score:4, Interesting)
Michael Sinatra over at seclists.org [seclists.org] had the following to say:
This should be a lesson to all of us, since EDUCAUSE is definitely not alone here: We all do regular, legitimate business in ways that are sometimes indistinguishable from phishing, at least to regular users. That needs to stop. Email marketers and analytics junkies will not like to hear this, but we need to put an end to embedded email links that are redirected through other systems. IMO, we should put an end to *all* legitimate links in emails; instead have a business portal with all of the links to surveys, training sites, etc., and have notification emails for when new things appear on the portal. In addition, we could modify our SSO sites so that they alert users when they need to take care of something that we would normally use email to notify the user about. Once that's done, we can assure users that we will NEVER ask them to click on a link in an email, just like we currently remind them that we never ask them for passwords.
If that is "too hard" and/or the analytics stuff is "too valuable" then we need to simply accept the risk that our users will get caught in phishing attacks. The bad guys have figured out that it is very easy to mimic our business practices, and they have gotten very good at doing it. Unless we change those practices, they will find us to be easy pickings.
Re: (Score:2)
Worthless article (Score:2)
So... this story is about an e-mail which allegedly resembled a phishing attempt.
Yet TFA doesn't include the text of the e-mail...
BRILLIANT!
Re: (Score:2)
Thanks for that.
I thought one of the complaints about the e-mail was that the password reset link was to a third-party site... ?
My bank just did this (Score:3)
A couple of months ago I was informed, in an email that had absolutely every telltale sign of being a phish (other than misspellings, I suppose; it was written in proper English), that someone had probably stolen my card, and I should click on this link if I agreed, or this other one if I had made the charges. The links didn't go to the bank's site. I almost threw it away.
It was a legitimate email; my card had actually been stolen.
I emailed their phishing department with a copy of it, and a pointed "this looks like a phish. I know it's legitimate, but here are all the ways it looks like it isn't. Perhaps you should rethink this email you're sending out?" Their response: "this is not a phish". Yes, I know that. I SAID that. Apparently nobody in that department can think, or read? (Fun fact: this is coming from one of the "big four" banks, according to wikipedia.)
I got the email, warned colleagues (Score:1)
Troubling? (Score:2)