Rice University’s Student Newspaper — Since 1916

Thursday, November 28, 2024 — Houston, TX

Phishing attacks bedevil unwitting new students

By Seth Brown, 9/17/09 7:00pm

The next time you decide to supply a grammatically challenged Internet stranger with your Rice e-mail password, think twice. Otherwise, you might become yet another victim of a recent string of phishing attacks.

Last weekend, a widespread phishing scam netted 14 Rice accounts, 12 of which belonged to new students. Phishing, the practice of trying to obtain personal information by posing as a legitimate entity, is nothing new to Rice, but the past week's incident far exceeded the usual success rate for such scams.

"We never ask for any passwords," Information Security Officer Marc Scarborough said. "We would never really need anybody's password."

Scarborough said that in most of last week's cases, the victims had not been at Rice long enough to have experience distinguishing legitimate e-mails from those sent by hackers.



Generally, only one or two Rice e-mail accounts are successfully phished each month, with one to two attempts per week.

However, the relative success of last week's scam has led to a fresh attempt this week. The phishing e-mails were even spelled correctly, unlike typical phishing attempts, whose typos can act as red flags to unwitting recipients.

When Rice Information Technology finds out about new attempts, it tries to inform the Rice community about the suspect messages via e-mail, but this is only possible once it discovers the existence of the message in question, Scarborough said.

Recipients can look for several telltale signs when an e-mail seems questionable, Scarborough said. Hackers might ask for seemingly irrelevant information, such as a person's country of origin or date of birth, which Rice would not need to obtain via e-mail.

Although actual IT e-mails may sometimes contain typos, phishing e-mails tend to be poorly written and contain both grammar and spelling errors.

As another red flag, phishing e-mails often have reply addresses outside of the Rice domain.

"If there's any doubt as to the source, ask: 'Are you really asking me this?'" Scarborough said.

Despite the recent phishing attempts, some Rice students believe they are safe from the scams.

"I would probably know that I'm not supposed to respond," Duncan College freshman Anant Subramaniam said. "My e-mail ID tells me if messages are from an unknown sender or not."

In most cases connected to Rice e-mail accounts, the goal of the hackers is not to gather personal information about particular users, but rather to gain access to a legitimate service provider from which spam e-mails can be sent.

"Most of the risk here is that the Internet is based on reputation," Scarborough said. "Hacked accounts send thousands of messages all over the Internet."

When another mail server notices spam being sent out by Rice's mail server, it blocks all e-mail from Rice to that server. Rice IT will lock the hacked account and then contact the administrators of the other server to let them know the problem has been resolved.

For the account holder, resolution generally entails IT forcing a password change after the victim discovers that his or her account has been locked.

However, neither of these is necessary if the hacker is never given access in the first place, Scarborough said.


