Criminals seem to be working overtime in their efforts to steal eID passwords, which is no surprise since their efforts are paying dividends: Since July 18, 77 K-Staters have been tricked into giving away their eID passwords via phishing scam e-mails! The count since January 1, 2010, is 255 K-Staters!

When stolen e-mail accounts are used to send massive amounts of spam to recipients all over the world, other e-mail service providers view K-State as a source of spam and start blocking ALL e-mail from K-State by putting us on their “spam block-list.” It’s particularly problematic when popular free e-mail services like hotmail.com do this, preventing faculty, staff, and administrators from sending e-mail to current or prospective students who have Hotmail accounts. This has happened at least twice in the last two weeks. Comcast.net likewise blocked K-State e-mail recently.

Scam victims at K-State

The vast majority of the scam victims are students and, especially this summer, newly admitted students who have not yet arrived on campus. To reach this population, information about these scams is provided during new student orientation in the summer. These students also received the e-mail sent last week to the security-alerts mailing list which warned all K-Staters about the scams.

Prevention measures being taken

We will also encourage all students (and faculty/staff, for that matter) to take the new online IT security training course (coming this fall) which warns people repeatedly to never give out their eID password.

So what else are we doing about the problem? Plenty:

  • Every time a new phishing scam arrives, we immediately notify the Internet service providers for the origin of the scam e-mail as well as the host of  the reply-to address (the e-mail address receiving replies with K-Staters’ eID and password).
  • If the scam has a clickable link in it, we report it to Trend Micro so it can be blocked by Web Reputation Services, which will prevent all computers running Trend Micro OfficeScan or Security for Mac from visiting the phishing website. We also report it to the host of the malicious website (often a compromised server).
  • Report the reply-to address to the anti-phishing-email-reply project.
  • Lock K-State e-mail accounts when they are discovered to be compromised, and notify the owner so they can change the password on their account and receive some “training” about their mistake.
  • Last week, Merit improved and automated the detection of compromised accounts in order to identify and lock them before the criminal can send out much spam. This should help keep us off spam block-lists.
  • K-State is working with Merit to deploy a new service that should prevent delivery of some of the original scam e-mails and the replies.
  • Post the phishing scam e-mail to K-State’s IT Security Threats Blog so people can see examples and be aware when a new scam arrives. (Blogs are also posted at the right side of the IT newsletter.)
  • Periodically send a warning to all current K-State eIDs reminding them that no one from K-State nor any legitimate business will ever ask for their password in an e-mail.
  • Publish InfoTech Tuesday articles about the problem.
  • Provide information on K-State’s IT security website about how to recognize scam e-mails.

Even with all of this, the criminals are still successful, since they change their tactics regularly and we have a continual influx of new students who are more vulnerable to scams like this. Of course, that doesn’t explain why we have a large number of upper-class students, graduate students, and even faculty and staff who reply to the scams.

I’ll remind people once again to NEVER give your password to anyone in response to an e-mail request. In fact, K-State policy prohibits sharing your eID password with ANYONE under any circumstances. Abide by this simple rule and you’ll be safe from these types of scams and others like it.