Kansas State University

IT News

eID passwords stolen by spear phishing scams again

One year after the first spear phishing scam arrived at K-State, K-Staters have received a flood of new ones in the last week. At least four people have given their eID password to criminals by replying to the scams. In three cases, the criminals used the eID and password to log in to K-State’s Webmail and send thousands of spam messages to off-campus sites, making K-State appear to be a source of spam and risking being blocked by major e-mail providers like Hotmail and Gmail.

Remember one simple rule to avoid being a victim of this type of scam: K-State IT support staff will NEVER ask you for your password in an e-mail. Nor would any legitimate business. So if you get any kind of e-mail that asks you to reply with your password, just delete it.

Seven different versions of the scam have been received at K-State in the last week. All of them are posted in the new K-State IT security threats blog so you can compare them to suspicious e-mails you receive; look for posts categorized as “Phishing” whose titles begin with “Spear phishing” followed by the date and subject line of the scam e-mail.

All of the scams have features that make it readily apparent they’re scams, but two in this latest round were particularly insidious and caught some people off guard. One mentioned e-mail inbox size limits and the warning messages that are automatically generated as you approach a size limit of 20 MB. Since K-State’s current e-mail system really does send warnings about size limits, this one appeared legitimate.

Another scam asked you to “change the password on your account in order to prevent any unauthorised [sic] account access,” and it arrived the day after tens of thousands of K-Staters received a legitimate e-mail from the IT Help Desk reminding them they need to change their eID password by February 11. Again, this e-mail had numerous features to indicate it was a scam:

  • It asks you to reply with your password in an e-mail, whereas the legitimate message from the IT Help Desk referred you to the eID profile web site to change your password
  • The reply would go to a Gmail account (mail.helpdesk45@gmail.com), not a K-State e-mail account
  • It’s from the “KSU Support Team <service@ksu.edu>”, but there is no such unit on campus
  • Non-US spellings, such as “unauthorised”, which you would not expect from K-State staff
  • Many grammatical errors
  • It says “We wrote to you on 5th January 2008…”, which is not true, and why would we wait a whole year to follow up in 2009?!
  • It refers to “All Mailhub systems” and K-State has no system with that name
  • It does not provide any contact information like a web site, phone number, department, or person’s name to contact if you have any questions
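The indicators in the list above map directly onto checks that a mail gateway rule or a cautious reader can run against a message. The Python script below is an added example, not K-State’s code or any filter the university used. It parses two constructed messages, one modeled on the scam described above and one modeled on the legitimate Help Desk reminder (with placeholder addresses, URL and phone number), and reports which of the listed indicators each triggers. The webmail-provider list beyond Gmail and Hotmail and the list of non-US spellings are assumptions added for the example.

```python
"""Heuristic checks for the password-phishing pattern described in the post.

Added example, not K-State code. The two sample messages are constructed to
illustrate the indicators listed on the page; they are not the real scam
e-mails, and the legitimate sample's addresses, URL and phone are placeholders.
"""
import email
import re

# Free webmail providers a campus help desk would not use for replies.
# Gmail and Hotmail are named in the post; the others are an assumption.
WEBMAIL_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com", "live.com"}

# System names the post says do not exist at K-State.
BOGUS_SYSTEM_NAMES = ("mailhub",)

# Non-US spellings unlikely in mail from a US campus help desk (assumed list).
NON_US_SPELLINGS = ("unauthorised", "authorise", "organisation", "centre")

# Constructed sample modeled on the scam described in the post.
PHISH_SAMPLE = """From: KSU Support Team <service@ksu.edu>
Reply-To: mail.helpdesk45@gmail.com
Subject: Change your password

Dear Webmail user,

We wrote to you on 5th January 2008 about your account. To prevent any
unauthorised account access on all Mailhub systems you must change the
password on your account. Reply to this message with your current
username and password within 48 hours or your account will be suspended.

KSU Support Team
"""

# Constructed sample modeled on the legitimate reminder; addresses, URL and
# phone number are placeholders, not real K-State contact details.
LEGIT_SAMPLE = """From: IT Help Desk <helpdesk@example.edu>
Subject: Your eID password must be changed by February 11

Your eID password expires on February 11. Change it at the eID profile
web site, https://eid.example.edu/, before that date.

Questions? Call the IT Help Desk at 555-0100.
"""


def address_domain(header_value):
    """Return the lower-cased domain from 'Name <user@host>' (or bare address), else None."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header_value or "")
    return m.group(1).lower() if m else None


def plain_text_body(msg):
    """Concatenate the text/plain parts of a message (whole payload if not multipart)."""
    if msg.is_multipart():
        return "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    return msg.get_payload()


def phishing_indicators(raw_message):
    """Return the indicators from the post that a raw RFC 822 message triggers."""
    msg = email.message_from_string(raw_message)
    body = plain_text_body(msg)
    lowered = body.lower()
    from_domain = address_domain(msg["From"])
    # Without an explicit Reply-To, replies go back to the From address.
    reply_domain = address_domain(msg["Reply-To"]) or from_domain

    found = []
    if re.search(r"\bpassword\b", lowered) and re.search(r"\breply\b", lowered):
        found.append("asks you to reply with your password")
    if reply_domain != from_domain:
        found.append("Reply-To domain differs from From domain")
    if reply_domain in WEBMAIL_DOMAINS:
        found.append("replies go to a free webmail account")
    if any(word in lowered for word in NON_US_SPELLINGS):
        found.append("non-US spelling")
    if any(name in lowered for name in BOGUS_SYSTEM_NAMES):
        found.append("refers to a system that does not exist on campus")
    has_url = re.search(r"https?://", body) is not None
    has_phone = re.search(r"\b\d{3}[-. ]\d{4}\b", body) is not None
    if not (has_url or has_phone):
        found.append("no web site or phone number to contact")
    return found


if __name__ == "__main__":
    for label, sample in (("scam", PHISH_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        flags = phishing_indicators(sample)
        print(f"{label}: {len(flags)} indicator(s)")
        for flag in flags:
            print("  -", flag)
```

The Reply-To check is the one worth keeping even if nothing else is automated: a message whose visible sender is on campus but whose replies are routed to a free webmail account is the defining feature of this round of scams, and it is a header comparison that needs no knowledge of the message wording.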

Please take the time to learn how to recognize a scam and remember that IT support staff will never ask for your password in an e-mail.

About Harvard Townsend (harv@ksu.edu)

Chief Information Security Officer