Phishing attacks on Rice community increasingly sophisticated, IT office warns

By Elizabeth Rasich     1/10/17 9:25pm

Schemes to steal usernames and passwords are another part of the Rice University experience. Students, faculty and staff alike are falling victim to attacks that direct Rice email users to sites that almost exactly resemble legitimate, Rice-sponsored sites. Phishing scams are now more frequent and more technologically advanced, prompting the Office of Information Technology recently to direct its IT representatives to warn their residential colleges about this increasing sophistication.

Rice students are sitting on hidden treasure. Many phishing attacks are motivated by the prospect of stealing the thousands of dollars of academic resources to which Rice students have access, according to Vice President for IT Klara Jelinkova. NetIDs and passwords are keys to an expensive cache of educational subscriptions and materials which scammers attempt to steal in order to use for their own purposes or to resell to other individuals.

Subscriptions to academic resources can cost hundreds of dollars. The MLA Literary Research Guide, for example, costs $395 per year for university libraries. According to Jelinkova, expensive research materials are in high demand in countries where they are unavailable or too costly to access, and phishing attackers have a ready market where they can sell the NetIDs and passwords they collect.

---

---

“If they get your NetID and password, they can go through the proxy server to the library and get access to licensed library materials that may not be even available in other countries,” Jelinkova said. “Usually it’s because they can sell it. It’s something of value.”

More is at risk than access to research guides and academic journals. Phishing scams that succeed in collecting NetIDs and passwords may use those passwords to access more sensitive information such as social media or bank accounts if the password connecting to the NetID is used for other sites.

“Separate passwords for separate accounts ensures minimal damage if one of your account passwords is compromised,” Campus Chief Information Security Officer Marc Scarborough said in an August 2014 email to students.

Some phishing emails lure students into clicking URLs that lead them to sites which almost exactly mirror Rice-affiliated sites like Esther. Jelinkova said there were only subtle differences between fraudulent sites and real ones.

In other instances, attackers have pretended to be from OIT and threatened to shut down students’ accounts if they do not reset their username and password. In an email former IT representative Gautham Giri sent to the members of Lovett College, he warned students to carefully evaluate the legitimacy of emails even when they initially appear to originate from a Rice-affiliated email.

“Sometimes it can be hard to tell if an email is legit or super shady, especially when you see the Rice logo in the message,” Giri, a senior, said. “Just know that OIT doesn’t threaten to shut down your account unless you take an action online.”

Phishing emails may have enticing subject headers, such as the one received by several Rice students on Dec. 5: “New $10,000 Holiday Scholarship for Rice Students!” The email was signed by “Morgan Cohen, Idle Student at Rice University” and listed a Miami, Florida address.

When OIT becomes aware of phishing emails, they block any URLs in the email from the Rice network, according to Jelinkova. They then report the URLs to various authorities, including to browsers which flag the URL as a scamming site and display a warning if anyone clicks on the link. The Rice University Police Department and the Federal Bureau of Investigation are also notified.

Jelinkova acknowledged the difficulty in fully blocking access to phishing URLs.

“Because a lot of the sites are posted outside of the United States, it gets a little difficult to take them down,” Jelinkova said.

Jelinkova confirmed students can expect to receive a phishing email sometime in their Rice career.

Alerts about phishing emails are not sent out every time a scam is reported, but rather when the frequency of attacks is particularly high or the attacks are more sophisticated. Jelinkova attributed the prevalence of phishing as opposed to other scams to the size and anonymity of the internet.

Vinay Raghavan, the IT representative for Duncan College, said he has experienced phishing personally.

“I received a couple phishing emails at my Rice email this past semester, and plenty more at my personal email,” Raghavan, a junior, said. “My response is to just delete the email and try to warn the community whom the email might affect.”

As an IT representative, he is a resource for students who have received a phishing email, he said.

“Students often come to me when they receive a phishing email, and it's really helpful when they let me know so I can help the rest of the community stay safe,” Raghavan said.

He said that were several major phishing email incidents in the fall 2016 semester to which he responded.

“Each time about four to six people mentioned it to me personally,” Raghavan said. “There were also a couple instances of people being unsure about real emails.”

Raghavan said Rice students should be vigilant about attempts to steal their access to academic materials but also expressed disappointment that criminal activity was necessary to gain access to expensive or unavailable information.

“I think it's disappointing that people need to go to such extents to access these materials,” Raghavan said. “I am personally a believer of free and open access to information, but unfortunately, that isn't the way the world works. There are still certain issues with that, such as national security and return on investment with costs of research, but in general I think the spreading of knowledge and the freedom of education is one of the most important aspects of humanity.”

---