The University of Illinois has had its email domain blacklisted after phishing scammers managed to compromise the email accounts of dozens of students and staff in a short period of time, the institution has said.
According to a warning posted to the Campus Information Technologies and Educational Services (CITES) website, the initial assessment was that the accounts of at least 36 people had been hacked during the attacks but that the true number was probably much higher.
The phishers used the common tactic of warning users that they should enter their account details on a bogus site to avoid having email blocked, snaring many unwary users. Other emails appeared to be from banks.
The spammers would then have used the compromised accounts to relay large amounts of spam, much of it to random and non-existent accounts that bounce messages back to the inbox.
ISPs and spam filtering systems notice this bounce traffic and block the addresses, causing problems for the domain as a whole.
The University of Illinois' email had for some days been blocked by a number of third parties, including other universities, CITES said.
“It’s the worst scam I’ve seen since I started in 2005. This campaign is particularly aggressive,” said CITES chief communications officer, Brian Mertz, as part of an official warning.
“[Hackers will] tell you you won’t have your email account anymore, or they’ll tell you to update your bank account information for security reasons,” he said.
CITES hasn’t specified where these forms were located, but a common tactic would be to host them on Google Docs or a similar ‘known good’ domain or service to make blacklisting more difficult.
The attacks are part of an extraordinary wave of phishing attacks against universities across the world that started in 2012 before peaking in the last two months.
In February Oxford University temporarily suspended access to Google Docs after suffering identical phishing attacks, after which Robin Stevens of OxCERT bemoaned attacks that seemed to be preying on the whole education sector.
“Certainly a lot of the phishing emails reported to us are sent from compromised accounts at universities and colleges around the world,” he told Techworld by email.
Techworld contacted two other universities in the UK and US which admitted having identical problems with phishing compromises, while around the same time many institutions abruptly started warning users to be wary of targeted phishing campaigns on tech support pages.
A common issue is that the number of compromised accounts necessary to cause disruption appears to be surprisingly small, perhaps as low as a few dozen. Each one of these compromises requires time-consuming manual intervention by staff.
How academic IT departments battle compromises is usually kept secret for obvious reasons but one admitted to Techworld that it had had success DDoSing the phishing forms hosted on Google Docs. More restrained departments relied on Google's complaint system.