[ISN] Data Breach Aided University Phishing Scam

From: InfoSec News (alerts@private)
Date: Wed Apr 18 2007 - 02:11:46 PDT


By Brian Krebs 
April 16, 2007

A highly targeted phishing attack last year that scammed dozens of 
Indiana University students out of their personal and financial data 
appears to have been aided in part by a previously undisclosed hacker 
break-in at one of the school's main research servers, according to 
documents unearthed by a doctoral student there.

In June 2006, an unknown number of IU students and faculty received an 
e-mail warning that online bill-paying services attached to their IU 
Employees Federal Credit Union accounts would be suspended unless they 
"renewed" their contract with the institution. According to the school's 
student news outlet, the Indiana Daily Student, that attack netted up to 
80 victims.

Shortly after the attack, Chris Soghoian, a cybersecurity PhD student at 
IU's School of Informatics, filed an Indiana Public Records Act request 
for documents related to the incident. Those documents, redacted copies 
of which the school provided earlier this year, indicate that the 
phishers may have been able to gather e-mail addresses of IU students in 
a bid to further target their victims.

Soghoian first started classes at IU last fall, but registered for a 
school e-mail address in March 2006. Although he'd never given his IU 
e-mail address to anyone or used it online prior to the phishing attack 
against the credit union, he received a copy of the phishing e-mail. 
Soghoian inquired with the school's technical staff how someone could 
have obtained his e-mail address. He was told his inquiry was related to 
an ongoing investigation.

"That's when I decided to file the [public records] request," he said.

Investigators found phishing kits - ready-made scam e-mails and Web 
pages - designed to target IU students and customers of the Florida 
Commerce Credit Union and the Sandia Laboratory Federal Credit Union. 
Both credit unions had been targeted previously. In fact, a phishing 
scam targeting Florida Commerce surfaced two days prior to the IU scam.

The records provided by the university indicate that the phishers gained 
access to one or more accounts on the school's "Steel" server, a cluster 
of systems provided for students and researchers engaged in projects 
that require serious data and number crunching. According to the 
university, some 24,000 IU students have access to that server (Soghoian 
claims that figure is outdated and that the actual number of user 
accounts on that server is at least 30,000). By downloading the list of 
user names with access to the server, the attackers would have had a 
ready list of targets to use in their phishing scam, Soghoian said.

"The fact that the cluster provides login services means that anyone 
who's logged in can query user names on the system," he said. "The 
phishers sent their e-mails from Steel as well, from within network, 
which I'm guessing would have helped them somewhat in bypassing spam 

While most phishing attacks target the nation's largest financial 
institutions, scammers are turning their sights on smaller banks and 
credit unions whose customers may not be as adept at dealing with these 
types of scams. In addition, as the attack against the IU Credit Union 
shows, scams against smaller institutions are more likely to be 
successful if the phishers have access to e-mail addresses of 
individuals known to be associated with the targeted institution.

Phishers have targeted more than 185 credit unions during just the past 
two years, and many of them in multiple, separate attacks, according to 
anti-phishing and security company Websense.
