Educause Security Discussion mailing list archives

<SPAM> RE: user account compromise?

From: "Jenkins, Matthew" <matthew.jenkins () FAIRMONTSTATE EDU>
Date: Thu, 24 Apr 2008 18:02:18 -0400

We had this happen here a couple months ago.  You can check the list
archives.

We disabled the student's account overnight until we had time to perform
a thorough investigation the next morning.  We then changed the
student's password, and told them to reset it, and not change it back to
the same thing.  We simply warned them that if they did, we would not
turn their account back on if it happened again.

I was primarily concerned about someone accessing the student's social
security number or other personal information using our other services
(i.e. payment services) with his account.  I was informed by our
application folks they had eliminated SSN and other confidential
information from those systems a while back.  Kudos to them.  Why would
a student ever need to see their own SSN or DOB anyway?  Either way it
did not matter, as we checked logs on those systems and verified the
attacker's IP addresses did not access the systems within about a
month's period.

The student was unaware of how their password was compromised.  I
believe it was either phishing or an external database on some site they
frequented was compromised (i.e. a sports site that they used their
campus e-mail address for verification and used the same password as
they did on campus).

Honestly it wasn't worth the time pursuing 'legal' action.  The attack
originated from two IP addresses in the Netherlands (I believe, check
the archives).  We checked log files on other servers and saw no trace
of the IP address.  It was an attack solely to send spam from our mail
servers.  Our students have no remote access other than web services
such as webmail, online courses, registration information, and ftp,
which we have access logs on each, so this was easily verified.

The student obviously was not responsible for the attack and I wasn't
flying overseas to ring someone's neck.  Maybe it would be different if
we had an attorney on staff?

Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at www.fairmontstate.edu


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Barros, Jacob
Sent: Thursday, April 24, 2008 4:33 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] user account compromise?

Ken and all.  That was it.  He did reply to one of those phishing scams.
No more than 12 hours before the SPAM was launched.  Any non-internal
legal advice would be appreciated.

 

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ken Connelly
Sent: Thursday, April 24, 2008 4:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] user account compromise?

Jake -

There have been numerous phishing attempts aimed at .edu students (and 
faculty/staff) over the past couple of months.  I'm sure the archives of

this list have examples.  Webmail accounts (in particular) of those who 
fall for the phishing attempt and provide their credentials are used for

exactly the things you have seen.

The student should change his password if that hasn't already happened.

He should also check things like his signature file and any 
auto-responder messages to ascertain that additional spam is not 
included there.

- ken

Barros, Jacob wrote:

Beginning around 5:30pm yesterday, SPAM messages were sent from a

student's

user account. The student claims to not know what is happening.. and I

think

believe him.  He actually sent an email about the problem to our

helpdesk at 1

am because he was getting so many delayed delivery and NDR messages.

We are

still examining his laptop.

So far my assumption is that his account was compromised as copies of

the

message are actually in his sent items and drafts folders.  Anyone

disagree

with that assumption?  Sounds like a ludicrous question but is there

any way I

can track who was using his account?

Also, I am unsure how to respond to the situation and no applicable

policies

are in place.  Should campus departments or otherwise be notified of

the

compromise?  Any non-internal legal ramifications here, i.e. I am

getting many

responses from users who received the message.  Should I reply to

them?  Does

that imply that we claim responsibility?  Should I mention that it

actually

was our fault when I try to get off the blacklists we are already on?

Is this topic better suited for the email admin discussion group?  Any

advice

or shared experience would be appreciated.

Jake Barros
Grace College


-- 
- Ken
=================================================================
Ken Connelly             Associate Director, Security and Systems
ITS Network Services                  University of Northern Iowa
email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-7373

Current thread:

<SPAM> Re: user account compromise? Stephen John Smoogen (Apr 24)
- <Possible follow-ups>
- <SPAM> Re: user account compromise? Cal Frye (Apr 24)
- Re: <SPAM> Re: user account compromise? Dick Jacobson (Apr 24)
- Re: <SPAM> Re: user account compromise? Stephen John Smoogen (Apr 24)
- <SPAM> RE: user account compromise? Jenkins, Matthew (Apr 24)
- <SPAM> Re: user account compromise? Paul Russell (Apr 24)