Phishing emails at Syracuse University are becoming more sophisticated and malicious, officials say
Annie Schwartz | Contributing Illustrator
The email landed in the inboxes of Syracuse University students on the afternoon of Sept. 5. The message, which bore the subject line “NetID Update,” contained a logo from SU’s Information Technology Services website. The email demanded recipients click on a URL to renew their SU NetID and password.
Someone not paying enough attention might have glossed over the sender’s email, “cp.ermitadelsanto.madrid@educa.madrid.org.” They might have ignored the fact that the message was a single sentence. They even might have clicked on a link, leading them to a page that asked for their NetID and password.
That’s the opening hackers are looking for.
This type of email, in which hackers concoct messages to dupe users into giving away personal information, is called a phishing email. With someone’s SU login credentials, a hacker could access a trove of sensitive data stored on SU servers — including addresses, phone numbers and financial aid information — and sell it on the dark web, the part of the internet not indexed by search engines.
Scammers have been sending phishing emails to SU accounts for the last decade. But recently, phishing messages targeting the university appear to be more “sophisticated and malicious,” as hackers get better, and the shadowy data broker industry on the dark web flourishes, said Chris Finkle, ITS communications manager.
“For a while we could tell them from a mile away, but now we’re getting some that are very genuine looking. And they take you to a webpage that’s also very genuine looking,” he said.
Since ITS only becomes aware of phishing emails when students, faculty and staff report them, ITS officials said it’s difficult to measure if people are actually receiving more phishing emails or if ITS is just getting better at detecting and responding to them.
Still, since the beginning of the semester, ITS has sent seven phishing alert notifications, an increase from five during the same period last year, Finkle said.
“Phishing is one of our biggest threats,” said Chris Croad, SU’s information security officer. “It doesn’t matter how much we protect our computers. If you give away your credentials, you’re compromised.”
Andy Mendes | Digital Design Editor
ITS officials estimate that university servers receive 1.2 million emails per day, but the vast majority of those — 85 percent — get caught in the university’s spam filters. Most spam filters use an algorithm that evaluates keywords, who the sender is and where the message is coming from.
Inevitably, some phishing emails slip through, as hackers have gotten better at crafting messages to dodge filters, Croad said. ITS could easily make the filters more strict, he added, but then ITS runs the risk of blocking legitimate emails.
Globally, everyone with an email address is a target for the millions of phishing emails sent per day, security experts said. Hackers generally get email addresses by deploying bots that scrape webpages for email address. Or they will write a program that automatically generates billions of letter combinations followed by particular email domain, such as “@syr.edu,” hoping some are valid.
Additionally, scammers can easily buy email addresses, either from the dark web or from companies selling mailing lists.
“Harvesting data, email addresses and passwords is becoming a whole underground economy,” said Erich Kron, a security awareness advocate at KnowBe4, a company specializing in training employees about IT security. “There are even services where you can hire people to edit your phishing emails to increase the click rate.”
According to a 2017 report from cybersecurity firm Symantec, mass phishing email scams randomly sent to millions of inboxes are actually on the decline. Instead, scammers are increasingly using spear phishing attacks, which use specific language to target a single organization or person, experts said.
Spear phishing attacks have been responsible for some of the most high-profile hacks this year, including the personal Gmail of Hillary Clinton’s former campaign chairman, John Podesta. It’s also a trend ITS officials are witnessing at SU.
In the last few months, students have received highly targeted spear phishing attacks. The NetID update email included the header from ITS’ website, correctly referred to SU usernames as NetIDs and showed a URL linking to an .syr domain. A few months earlier, students received a phishing email purporting to be from Chancellor Kent Syverud. And, over the summer, students got a message soliciting fake job opportunities.
“What they’re doing is using a form of social engineering and taking advantage of the fact that you trust email coming from, say, the chancellor,” Finkle said.
Spear phishing emails are the most dangerous, experts said, because you might click on a link in an email that looks eerily genuine, give up your information and go about your day, not even realizing you’ve been phished.
What they’re doing is using a form of social engineering and taking advantage of the fact that you trust email coming from, say, the chancellor.Chris Finkle
Universities may be targets for hackers because schools have large user bases of students, faculty, administrators and staff, experts said. Administrators and employees typically guard vast pools of financial, health and personal data, which can be especially damaging when compromised. In September, for example, MacEwan University in Canada inadvertently gave hackers $10 million after an official fell prey to a phishing email scam, BBC News reported.
Additionally, student emails and passwords can be valuable on the dark web for those looking to score a student discount from Amazon Prime or Spotify.
Students may also be particularly susceptible to clicking on phishing emails, experts said. Unlike university administrators or employees at a large company, SU students do not receive any formal, in-person training on how to spot phishing emails.
“Many students won’t have the same experience in identifying and reporting phishing attacks,” said Jordan Wright, Senior R&D Engineer at Duo Security, which provides security services to SU. “Unless you’re involved with the information security industry and can stay on top of the ever-evolving tactics attackers use, you’re less likely to recognize the tell-tale signs of a phishing email.”
Researchers at the University of Erlangen-Nuremberg and Saarland University in Germany released a study this year which found that one in five students clicked on a link contained in a phishing email when prompted.
“I don’t think that growing up with technology means that you actually know a lot about how technology works,” said Zinaida Benenson, one of the researchers involved in the study, in an email. “To realize that one can get a virus by just clicking on a link in a message, one needs to have specialized knowledge, or at least awareness of these type of threats.”
Published on November 14, 2017 at 12:54 am
Contact Rachel: rsandler@syr.edu