Phishing Scam Targets Students

By Emily Singer

In the days leading up to Jan. 15, the Library and Information Services (LIS) noticed an increase in the number of email phishing incidents within the college community. The compromised email accounts generated large amounts of spam. To reduce the number of compromised accounts, LIS required all students to change their email passwords on or before Jan. 30.

According to the LIS webpage go/phish, “phishing is a malicious effort often email or web based, aimed at fraudulently gaining sensitive information from targeted individuals. This information is then leveraged for acts such as identity theft, system access, or other malicious activities.”

The phishing email that targeted students appeared to be an email notification, alerting students that they had received a new message, and contained hyperlinked text that read, “Click here to read.” The email sender’s display name appeared simply as “Middlebury,” though the message itself was signed “Middlebury Webmail Service.” The hyperlinked text redirected students to a copy of the Middlebury Central Authentication Service (CAS) login page. Those who entered their login information compromised their email accounts, which generated spam messages as a result.

While student email accounts may have been compromised, all attempts to gain access to the College network failed.

According to Network Security Administrator Ian Burke, the College blocks approximately 80,000 fraudulent inbound emails each day using standard anti-spam controls.

“Even with these controls in place, a small number of fraudulent emails still make it through, and occasionally a fraudulent email is successful in compromising a Middlebury account,” Burke wrote in an email. “Unfortunately, one compromised email account can generate as many as 60,000 spam messages in a very short period of time.

“Middlebury has implemented additional controls to recognize and protect against outbound spam generated by compromised Middlebury email accounts,” Burke added.

An all-student email was sent by LIS Director of User Services Mary Backus on Jan. 15 to alert students of the phishing attempts and to inform users of what to do if they had clicked on a link in a fraudulent email. In order to prevent more accounts from being compromised, a mandatory password change was put in place. Existing student email passwords expired at noon on Jan. 30 and had to be reset.

As a security measure, passwords for all student network accounts must be changed at least once every six months. Users with greater network access, such as domain administrators, are required to change their passwords once every three months.

According to Burke, the password change has resulted in a dramatic reduction in the number of compromised accounts.

As stated on go/phish, successful phishing incidents can give inside network access to an outsider, potentially resulting in the theft of confidential or secure information.

“In the event that a user’s credentials are compromised, an attacker would have the same basic access that the compromised user had, until the account was disabled or the password was changed,” wrote Burke. Thus, the mandatory password change shut the attacker out from the college network and restored compromised accounts to their previous, secure state.

On Feb. 7, several days after student passwords expired, the College experienced a brief network outage. The two events were unrelated and “should not be interpreted as revealing critical flaws in Middlebury’s network security,” according to Burke.

In an era when more and more information is stored online, service provider and network security are increasingly vital. Burke noted that Outlook, the email provider which connects to the College’s Exchange mail server, is no more or less secure than other mail services such as Gmail or Yahoo. All mail clients receive phishing and spam messages.

“The problem [of phishing] is rampant, however the risk is found in whether or not people actually respond to these messages,” Burke wrote. “This is why it is so important that community members keep themselves informed about these types of information security threats and be vigilant about protecting their credentials and personal information.”

LIS has a successful information security education and awareness program for faculty and staff, which Burke cites as the reason for the small number of compromised faculty and staff email accounts in the recent phishing attacks. LIS is working to similarly educate the student body. Most recently, LIS staff distributed pamphlets on information security education and awareness to the incoming Feb class during orientation.

The phishing attacks occurred around the same time that President of the College Ronald D. Liebowitz announced the creation of a working group on new technologies and online pedagogy to explore the use of online and computer-based tools in teaching, learning, connecting with alumni and education in the future.

Led by Vice President for Planning and Assessment and Professor of Psychology Susan Baldridge, the working group is composed of faculty, staff and students from the College, the Monterey Institute of International Studies (MIIS) and the Middlebury Language Schools who hold an interest or level of expertise in educational technology.

In his email to the College community, Liebowitz wrote that one of the goals of the working group is to “examine whether and how new technologies might provide expanded and appropriate options for teaching and learning at Middlebury.” Liebowitz cited online partnerships between peer institutions, including Wellesley and Wesleyan, and edX and Coursera as potential examples for Middlebury to follow.

The working group has convened twice thus far and has just begun to organize its work, according to Baldridge.

“We will be focusing on the different audiences for any potential online efforts — undergraduate, graduate and those we are calling ‘life-long learners,’ namely alumni, parents and others who might be interested in online offerings from Middlebury,” Baldridge wrote in an email.

“We want to understand what online options might be of value for these different groups, and consider whether Middlebury should pursue some of these options,” she added.

The working group will ultimately submit a report to various governance groups on campus, such as the Educational Affairs Committee, for further discussion.

The creation of the working group is the most recent development in the College’s exploration of online education. In 2010, the College announced a partnership with K12 Inc. to create Middlebury Interactive Languages (MIL), an online foreign language education program. More recently, the College Alumni Office developed online courses for alumni.