University alerts network users to phishing

A fraudulent e-mail asked students and faculty to provide their usernames and passwords.

By Haley Jones

Friday, August 22nd, 2008


For the first time, the KU Information Technology Security Office sent an e-mail alert to all University faculty and students Aug. 4 that warned of a spear phishing e-mail targeting KU network users. The e-mail directed KU network users to verify their usernames and passwords to keep their accounts from going dormant.

Bill Myers, director of assessment and outreach for Information Services, said the office received reports of e-mails appearing to come from “KU Online Services” with an address of onlineservices@ku.edu and a non-KU reply address.

Julie Fugett, information security analyst for Information Services, said this was the first e-mail warning the office had sent, because it wanted to avoid filling the inboxes of University students and faculty.

A phishing message is a fraudulent e-mail made to look like it was sent by a legitimate business, in order to get the recipient to give out private information.

A spear phishing message is a fraudulent e-mail targeted at a specific person and made to look like it was sent by a person or organization familiar to the recipient.

“You cry wolf too many times and people will be like, ‘there they go again,’” Fugett said.

Myers said the office received hundreds of reports a week of phishing messages and thousands of attacks on the University’s network.

Fugett said some people even reported the office’s alert e-mail to abuse@ku.edu as spam.

“People really hate getting these things,” Fugett said. “They get tired of it.”

Fugett said fewer than 10 people replied to the last spear phishing message, which the office considered a threat.

Fugett said spear phishing messages were first reported to the office last March. She said each round of phishing attacks looked a little different.

“Since people change their tactics, we are playing catch-up to update our defenses,” Fugett said.

Fugett said after four to five reports of a specific phishing message, she would begin to draft an alert to post at the office’s Web site, www.security.ku.edu, and its beseKUre blog site, www.besekure.ku.edu.

Links to the security alerts are also posted on student portals and occasionally on Outlook Web Access.

The office works loosely with the University Privacy Office to handle phishing and spear phishing messages and their potential threats. Jane Rosenthal, privacy coordinator and custodian of records for the privacy office, said her office handled University information security issues.

“Security and privacy go hand in hand,” Rosenthal said. “If there were a phishing message of some flavor and it gave out University information, we would step in.”

— Edited by Kelsey Hayes
