
Fake bank e-mail scams students

September 14, 2006


“Phishing” a growing threat to university’s network security

Students, faculty, and staff received fraudulent e-mail on Tuesday from a site posing as the Georgetown University Alumni and Student Federal Credit Union.

The e-mail, which asked recipients to follow a link to verify information about their bank accounts, is part of a growing Internet crime trend known as phishing, in which hackers send out fake mass e-mails in the hope that gullible people will provide personal information.

The scam was discovered when perplexed students, many of whom did not even have GUASFCU accounts, forwarded the e-mail to University Information Services. According to University Information Security Officer David Smith, 23 reports were received.

“As the e-mail was sent to the Georgetown population, not just credit union members, many [people] were confused as to why they were being contacted by us,” GUASFCU Chief Executive Officer Greg Pasqua (MSB ’07) said.

No perpetrators have been caught, but “we did identify that the mail came from Hong Kong and the phishing site was set up in Korea,” Smith said. The attack is under investigation by the National Credit Union Administration and the Federal Bureau of Investigation.

Smith said that although phishing is a problem that hits the Georgetown community every day, this incident was different because the phishers chose to impersonate GUASFCU.

“It’s unusual that they target it to a small bank like this,” Smith said. “It’s usually like Chevy Chase Bank or Bank of America. They send out a million e-mails and expect maybe half a percent of people to respond.” Chevy Chase Bank employees declined to comment because of legal obligations to the bank.

These millions of addresses are gathered by using automated computer programs to perform harvesting attacks on directories like Facebook or group listserves. Phishers also collect addresses by sending out combinations of letters and numbers that look like NetIDs and seeing which ones are delivered, according to Smith.

Georgetown, like most universities, has an open directory. Anyone, whether affiliated with the university or not, can e-mail a Georgetown user through the directory web site, and anyone with a Georgetown NetID can see every other NetID.

“We do a lot of tricks so it’s hard to bulk e-mail people from our directory,” Smith said, although he conceded that addresses are easier to find than they would be with a closed directory.

Students in GUASFCU’s Leavey Center lobby on Wednesday morning were unfazed by the scam. Account holder Melissa Grelli (MSB ’08) ignored the e-mail, but an acquaintance of hers was not quite as tech-savvy.

“My roommate’s freshman sister responded to that e-mail and gave out her Social Security number and everything,” she said. “It’s kind of a messy situation but she’s getting it resolved. It’s funny because that morning we were like ‘Who would respond to that?’ and then she called and we were like, ‘Oh my god.’”

Despite her friend’s experience, Grelli did not view phishing as a major threat.

“I think most people know that a company would never ask those kinds of questions,” she said.

Pasqua emphasized that GUASFCU was not at fault in the incident.

“Any information that was divulged was due to the actions of the member, not the credit union,” he said. “As a relatively small, as well as a non-profit institution, we never disclose any of our members’ account information to anyone, period.”

Additional reporting by Michael J. Bruns


