http://blog.washingtonpost.com/securityfix/2007/04/data_breach_may_have_aided_uni_1.html

By Brian Krebs
April 16, 2007

A highly targeted phishing attack last year that scammed dozens of Indiana University students out of their personal and financial data appears to have been aided in part by a previously undisclosed hacker break-in at one of the school's main research servers, according to documents unearthed by a doctoral student there.

In June 2006, an unknown number of IU students and faculty received an e-mail warning that online bill-paying services attached to their IU Employees Federal Credit Union accounts would be suspended unless they "renewed" their contract with the institution. According to the school's student news outlet, the Indiana Daily Student, that attack netted up to 80 victims.

Shortly after the attack, Chris Soghoian, a cybersecurity PhD student at IU's School of Informatics, filed an Indiana Public Records Act request for documents related to the incident. Those documents, redacted copies of which the school provided earlier this year, indicate that the phishers may have been able to gather e-mail addresses of IU students in a bid to further target their victims.

Soghoian first started classes at IU last fall, but registered for a school e-mail address in March 2006. Although he'd never given his IU e-mail address to anyone or used it online prior to the phishing attack against the credit union, he received a copy of the phishing e-mail.

Soghoian inquired with the school's technical staff how someone could have obtained his e-mail address. He was told his inquiry was related to an ongoing investigation.

"That's when I decided to file the [public records] request," he said.

Investigators found phishing kits - ready-made scam e-mails and Web pages - designed to target IU students and customers of the Florida Commerce Credit Union and the Sandia Laboratory Federal Credit Union. Both credit unions had been targeted previously. In fact, a phishing scam targeting Florida Commerce surfaced two days prior to the IU scam.

The records provided by the university indicate that the phishers gained access to one or more accounts on the school's "Steel" server, a cluster of systems provided for students and researchers engaged in projects that require serious data and number crunching. According to the university, some 24,000 IU students have access to that server (Soghoian claims that figure is outdated and that the actual number of user accounts on that server is at least 30,000).

By downloading the list of user names with access to the server, the attackers would have had a ready list of targets to use in their phishing scam, Soghoian said.

"The fact that the cluster provides login services means that anyone who's logged in can query user names on the system," he said. "The phishers sent their e-mails from Steel as well, from within network, which I'm guessing would have helped them somewhat in bypassing spam filters."

While most phishing attacks target the nation's largest financial institutions, scammers are turning their sights on smaller banks and credit unions whose customers may not be as adept at dealing with these types of scams. In addition, as the attack against the IU Credit Union shows, scams against smaller institutions are more likely to be successful if the phishers have access to e-mail addresses of individuals known to be associated with the targeted institution.

Phishers have targeted more than 185 credit unions during just the past two years, and many of them in multiple, separate attacks, according to anti-phishing and security company Websense.