Data Breach Aided University Phishing Scam

A highly targeted phishing attack last year that scammed dozens of Indiana University students out of their personal and financial data appears to have been aided in part by a previously undisclosed hacker break-in at one of the school's main research servers, according to documents unearthed by a doctoral student there.

In June 2006, an unknown number of IU students and faculty received an e-mail warning that online bill-paying services attached to their IU Employees Federal Credit Union accounts would be suspended unless they "renewed" their contract with the institution. According to the school's student news outlet, the Indiana Daily Student, that attack netted up to 80 victims.

Shortly after the attack, Chris Soghoian, a cybersecurity PhD student at IU's School of Informatics, filed an Indiana Public Records Act request for documents related to the incident. Those documents, redacted copies of which the school provided earlier this year, indicate that the phishers may have been able to gather e-mail addresses of IU students in a bid to further target their victims.

Soghoian first started classes at IU last fall, but registered for a school e-mail address in March 2006. Although he'd never given his IU e-mail address to anyone or used it online prior to the phishing attack against the credit union, he received a copy of the phishing e-mail. Soghoian inquired with the school's technical staff how someone could have obtained his e-mail address. He was told his inquiry was related to an ongoing investigation.

"That's when I decided to file the [public records] request," he said.

Investigators found phishing kits - ready-made scam e-mails and Web pages - designed to target IU students and customers of the Florida Commerce Credit Union and the Sandia Laboratory Federal Credit Union. Both credit unions had been targeted previously. In fact, a phishing scam targeting Florida Commerce surfaced two days prior to the IU scam.

The records provided by the university indicate that the phishers gained access to one or more accounts on the school's "Steel" server, a cluster of systems provided for students and researchers engaged in projects that require serious data and number crunching. According to the university, some 24,000 IU students have access to that server (Soghoian claims that figure is outdated and that the actual number of user accounts on that server is at least 30,000). By downloading the list of user names with access to the server, the attackers would have had a ready list of targets to use in their phishing scam, Soghoian said.

"The fact that the cluster provides login services means that anyone who's logged in can query user names on the system," he said. "The phishers sent their e-mails from Steel as well, from within network, which I'm guessing would have helped them somewhat in bypassing spam filters."
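
The detail that the phishing e-mails were sent from the login cluster itself suggests one check a mail administrator can run. As an added example (not from the article or from IU), this sketch flags accounts on a shared login host that mail many distinct local users within a short window; the log layout, host names and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified "time client= from= to=" layout (not a real MTA format).
SAMPLE_LOG = """\
2024-01-15T09:00:00 client=login1.example.edu from=acct17@example.edu to=u01@example.edu
2024-01-15T09:00:20 client=login1.example.edu from=acct17@example.edu to=u02@example.edu
2024-01-15T09:00:40 client=login1.example.edu from=acct17@example.edu to=u03@example.edu
2024-01-15T09:01:00 client=login1.example.edu from=acct17@example.edu to=u04@example.edu
2024-01-15T09:01:20 client=login1.example.edu from=acct17@example.edu to=u05@example.edu
2024-01-15T08:00:00 client=login1.example.edu from=prof9@example.edu to=ta1@example.edu
2024-01-15T09:00:00 client=login1.example.edu from=prof9@example.edu to=ta2@example.edu
2024-01-15T10:00:00 client=login1.example.edu from=prof9@example.edu to=ta3@example.edu
2024-01-15T11:00:00 client=login1.example.edu from=prof9@example.edu to=ta4@example.edu
2024-01-15T09:02:00 client=mx.partner.example from=news@partner.example to=u01@example.edu
"""
LINE = re.compile(r"^(\S+) client=(\S+) from=(\S+) to=(\S+)$")

def flag_internal_fanout(log_text, login_hosts, local_domain,
                         max_rcpts=3, window=timedelta(minutes=10)):
    """Map (client, sender) -> peak count of distinct local recipients in one window,
    for mail submitted from shared login hosts that exceeds max_rcpts."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, client, sender, rcpt = m.groups()
        # Only mail that originates on a login host and targets local users matters here.
        if client not in login_hosts or not rcpt.lower().endswith("@" + local_domain):
            continue
        events[(client, sender.lower())].append((datetime.fromisoformat(ts), rcpt.lower()))
    flagged = {}
    for key, evs in events.items():
        evs.sort()
        start = peak = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            peak = max(peak, len({r for _, r in evs[start:end + 1]}))
        if peak > max_rcpts:
            flagged[key] = peak
    return flagged

if __name__ == "__main__":
    for (host, sender), n in flag_internal_fanout(SAMPLE_LOG, {"login1.example.edu"}, "example.edu").items():
        print(f"{sender} via {host}: {n} distinct local recipients within 10 minutes")
```

In the constructed sample only the burst sender is flagged; the account that mails four people over several hours and the external relay are not.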

While most phishing attacks target the nation's largest financial institutions, scammers are turning their sights on smaller banks and credit unions whose customers may not be as adept at dealing with these types of scams. In addition, as the attack against the IU Credit Union shows, scams against smaller institutions are more likely to be successful if the phishers have access to e-mail addresses of individuals known to be associated with the targeted institution.

Phishers have targeted more than 185 credit unions during just the past two years, and many of them in multiple, separate attacks, according to anti-phishing and security company Websense.

By Brian Krebs  |  April 16, 2007; 4:30 PM ET
Categories: Fraud, From the Bunker, Latest Warnings, Safety Tips


Surfing the Web I have come across the site, which includes two online scanners that apparently scan the PC in a very short time. They also claim to detect more malware than any other antivirus installed on the computer. Supposedly these tools can detect viruses running on the computer. I tried one of them and was actually quite surprised at how fast it was. It didn't detect anything unusual, but asked me to use the second scanner which, so it says, can detect anything malicious on my PC, active or not.

I was surprised at the distinction made between active and latent malware. Is it that there are viruses on computers waiting for a specific moment or action to activate?

Also, the same page includes statistics showing how many scanned computers were actually infected. Not only that, it says that (about 40% of computers, or something like that) many of these had an antivirus installed. This makes me wonder: if, despite having an up-to-date antivirus installed you still have viruses, then, what purpose does the antivirus serve? The vendor says that it detects over 700,000 viruses, is this true or is it an exaggeration?

Thanks and bye!!!

Posted by: Danger Danger | April 17, 2007 11:14 AM | Report abuse

I use an ATM quite regularly; however, my husband (I am recently widowed.) never trusted banks and only used an ATM in emergency. We had read of many scams, and a friend had had his cell phone compromised when he was in LA, i.e., the telephone number pulled out of the air, so to speak. I keep my credit cards free-and-clear and check my online bank account daily. I know that these practices only protect so far. I do wish that the government would take more seriously the fraudulent uses of consumers' accounts, but unless there is some kind of monetary compensation I do not look for that to happen. Rather it's "Let the buyer beware."

Posted by: Susan Dawson | April 17, 2007 11:27 AM | Report abuse

I would very much appreciate Brian Krebs doing a column that responds in detail to Danger Danger's blog (above). I have read that some of these free anti-spyware and anti-virus, etc. offers and sites are the means used by hackers and phishers to get into your personal computer, or ..... I hope Brian does an article very soon on this. Thanks.

Posted by: Canaddress | April 17, 2007 11:36 AM | Report abuse

I submitted to McAfee's Site Advisor as it has not as yet been tested for downloading malware. I did not go to the site. I googled it and clicked on site advisor from Google's list to have them test it.
Rich B.

Posted by: dbm1rxb | April 17, 2007 1:36 PM | Report abuse

Phishing scammers use an automatic software download or interlink the servers and penetrate into the hard disc drives of our PCs and try to access the data stored as cookies or temporary internet storage files.
When a phishing link is clicked on either a network connectivity is created between our PC and the server of the phisher or a script downloads itself which may act as spyware and facilitates the phisher's server to access the hard disk drives of our PC and retrieve all personal information.
A phishing site uses either a HTML or JAVA code disguised as a URL and once the link is clicked on the code gets executed automatically giving access to all secret information stored.
Another technique for phishers is to create a site with a URL very close to that of a trusted site and require the recipient to enter his personal details and press a submit button which becomes a much easier task for the offender.
Please view SSL certificate information before accessing trusted sites.

Posted by: Mrs.Meenakshi Kumar | April 17, 2007 5:38 PM | Report abuse

"Although he'd never given his IU e-mail address to anyone or used it online prior to the phishing attack against the credit union, he received a copy of the phishing e-mail. Soghoian inquired with the school's technical staff how someone could have obtained his e-mail address."

Note that it's not always necessary to give people your email address in order to receive spam. Sometimes addresses may have been in use by others before the latest John Smith came along. More insidiously, spammers speculatively synthesize email addresses by combining common names with common domains.

For example, some years ago I signed up with a new ISP and used my fairly uncommon last name for my username. Within two weeks I started getting spam, though I never used the email address for any purpose whatsoever.

These days, I use random strings of characters for my username when setting up any ISP account so that there's very little chance of the address being predicted by a spammer.

Posted by: antibozo | April 17, 2007 9:29 PM | Report abuse

I need to fix my MySpace account, please help me please

Posted by: uriel arroyo | April 17, 2007 11:25 PM | Report abuse

Ok, I've got the latest news on is the web site for a new awareness campaign from Panda Software.
They let you try their new products for free (Panda Nano Scan and Panda Total Scan), and they use the information from these tests to present statistics. The stats resulting from the web site are supposed to show a huge level of malware infection on the web.
So that's what they do, they let you test drive their latest virus detection software to raise awareness. It is safe to use them, since Panda is behind the whole thing. You can check that on

Posted by: Don Quixote | April 19, 2007 8:49 AM | Report abuse

The comments to this entry are closed.


© 2010 The Washington Post Company