Most students say they know better than to send personal information to someone claiming to be a deposed African prince, but some students fell for a similar ruse when they were tricked last week by a Web site that looked just like one from Yale.
Last Monday some users received an e-mail directing them to a duplicated or “spoofed” version of the Yale Central Authentication System login Web site where they were prompted to enter their NetIDs and passwords, Chief Information Officer Philip Long said. The spoof was the most advanced “phishing” scheme to invade University e-mail servers, he said. Today, new anti-spam software will be introduced on Yale e-mail servers.
Although 28 phony messages were received by users before the hoax was reported and blocked, Long said the damage was minimal. Still, he said both the quantity and quality of such phishing scams are on the rise.
“There were some misspellings in the e-mail itself, and this wasn’t a particularly good spoof,” Long said. “But with some of the spoofs supposedly from Citibank or Key Bank, you can’t believe how good they are. If I didn’t know they’d never ask for something like this online, even I would fall for it.”
Long said the spoof was considered particularly dangerous because it was the first such duplication of a Yale Web site he had seen, and implied knowledge of the University’s network systems.
“This clearly used knowledge of Yale and was sent to individuals at Yale, so we take this as a higher concern than just general issues of phishing,” Long said, adding that the spoof originated off campus.
More than 75 percent of Web users are experiencing an increase in spoofing and phishing e-mails, according to a report published by the electronic privacy advocacy organization TRUSTe in September. Of those users, approximately 15 percent said they were tricked into sending personal information ranging from Social Security numbers to checking and credit card information, costing an estimated total of $500 million.
To avoid being duped by such scams, Long said users should be suspicious of any e-mail with embedded links.
“We are not going to send you an e-mail to confirm your identity,” Long said. “If we need to do that, we’re going to figure out a way that doesn’t smell like a phishing e-mail.”
Long also suggested occasional password changes and manual e-mail filtering.
Since last week’s spoofing, Yale Information and Technology Services officials have installed new anti-virus software, which Long said has deleted over 100,000 PayPal phishing scams. The anti-spam software SpamAssassin will be added to Yale servers today, and Long said he expects the program to further curtail junk e-mail in tandem with the stronger e-mail server protocols introduced in January.
“We were catching quite a bit before, but we think we’re getting an additional 10 to 20 percent now,” he said.
These defense mechanisms were in the works prior to the spoofing, and Long said a direct response to the incident will include a revised design for the CAS Web page and possible police action.
“We are discussing this with law enforcement,” Long said. “We do believe this is a violation of some laws and we’re looking to get some advice on how to proceed. Protection of one’s credentials is essential for any of our electronic systems, so the minute we became aware of this we took it quite seriously.”