Internet attackers have dropped bait in ASU e-mail accounts, catching several students, staff and faculty members off guard.
The e-mail attacks, known as phishing, are designed to fraudulently gain access to Internet accounts and steal personal information.
Marvin Simkin, on ASU’s Information Security team, said the most recent phishing campaign targeting University accounts gained access to about 40 ASU e-mail accounts.
The fraudulent e-mails appeared to be from the ASU Help Desk, asking for ASURITE passwords.
“They look very convincing, but there’s really only one clue that will set you off,” Simkin said. “Anytime somebody asks for your password in an e-mail message, that’s always going to be fraud. Always.”
Simkin said the e-mail address that sent the initial messages was not an asu.edu account, but the content of the message appeared as though it was from ASU.
“That might have been part of what made this particular campaign more successful than other campaigns in the past,” Simkin said.
He said the hackers who design the scams have automated systems that try day and night to access personal information.
“You are constantly under attack by these hackers,” Simkin said.
Because the scam solicits passwords that grant access to e-mail accounts, any information within the account becomes as available to the hacker as it is to the owner of the account, he said.
A staff member at the Polytechnic campus who asked to remain anonymous said she fell victim to the scam because it looked legitimate.
The initial e-mail said it was from ASU and that her inbox was too full, she said. It said if she provided her username and password, the Help Desk would give her inbox more space.
“I should have known better because they just don’t do that,” she said. “I unfortunately responded, and about two hours later … I started to see all of these spam e-mails come into my sent box.”
She said in those two hours, about 4,000 e-mails were sent from her account.
“I felt fortunate that I was right at my computer and saw it happening,” she said. “I called the help desk immediately, and they changed my password so that no more could be sent.”
Since the scam, she said she has contacted credit-reporting bureaus to monitor her credit cards and Social Security number. She said she has also changed every one of her passwords.
“That’s a precaution that until now I’ve never felt I needed to take, but you know, it was that easy to get in,” she said. “It’s very hard to repair.”
Simkin said the University has several electronic guards to block the fraudulent e-mails, but when they are unsuccessful, “you are the last line of defense.”
Each account that was accessed had sent thousands of spam e-mails in a short period of time. This caused heavy traffic throughout the University e-mail system and filled up many individual inboxes.
Simkin said that ultimately, the only way to protect from this kind of attack is to refrain from giving out any passwords through e-mail.
“No legitimate person will ever ask for your password [through e-mail],” he said.
Simkin said anyone who falls victim to this sort of attack should immediately change their password and contact the ASU Help Desk for further assistance.
Reach the reporter at adam.sneed@asu.edu.
