In an ongoing battle to protect Yale email accounts from viruses and online scams, Yale’s Information Technology Services has been sending the community emails warning against opening messages from suspicious addresses. But recently, those dangerous emails have been coming from “yale.edu” addresses, taking the appearance of the very warnings Yale sends.
Identifying hazardous emails can be as simple as spotting misspellings or unknown names, but through a technique known as “phishing,” an unknown source can try to obtain personal information over the Internet by pretending to be a legitimate sender, such as a university or a bank. While most phishing emails are blocked by ITS and never make it to Yale inboxes, some cases of phishing have recently slipped through the firewall.
“You may not be sure if this message is actually from Yale,” read a Sept. 10 email from Chief Information Security Officer Richard Mikelinich to the Yale community.
Early this year, a phishing email appeared in many Yale inboxes from the address “firstname.lastname@example.org.” It appeared very similar to an official email Mikelinich sent out several weeks later, which was sent from “email@example.com.” Both emails warned against opening fake messages, and both appeared to be from legitimate sources. But as Mikelinich’s email pointed out, the former was not sent by a Yale affiliate.
“It was a phishing attempt disguised as an alert about phishing,” Mikelinich said in his September email.
Mikelinich promised the Yale community in his September email that such messages, however cleverly disguised, can still be identified as fake. The itshelp address was “not a legitimate Yale email address” despite its Yale domain name, Mikelinich wrote, and the links in the email were not legitimate URLs — both of which are signs of deception, he said. Still, he did not specify how to identify an illegitimate Yale email address.
One month after the emails from the fake Yale address, phishing messages returned to Yale inboxes. An Oct. 13 email from Mikelinich reported cases of dangerous emails that were sent to Yale accounts with the words “the seminar” or “order” in the subject line. An Oct. 15 email warned of similar emails featuring the word “financing” in the subject line. These emails, like the ones warning against phishing, were also cases of phishing.
“Universities are commonly harassed with large volumes of spam, phish and email with malware attachments,” Chief Information Officer Len Peters wrote in a Monday email to the News.
Attackers send these emails because there is an economic incentive to record and then sell the online activity of users, Peters said. There are two kinds of phishing, he explained: phishing targeted at a large audience and “spear phishing” — messages embellished with personal information to convince a highly valued group of people to open the email and relinquish their private information. Because spear phishing, like the email from the fake Yale ITS to the Yale community, has a smaller target group, this kind of phishing is harder to catch.
Phishing can result in identity theft, data loss or even the compromise of bank information, Mikelinich said. Even when attachments are opened and then closed quickly, “stealth programs” that are not visible on the screen are often installed without the user’s knowledge, Peters said. These programs record keystrokes, including passwords, and send this information to an attacker who can gain access to personal accounts, Peters added.
To educate students about identifying phishing, ITS set up a “Phishing eLearning” site on its Cyber Security Training website. Requests for passwords or personal information should always be viewed suspiciously, Mikelinich said. If students are still not sure if an email is from a legitimate source, they may call the ITS Help Desk.
Despite these concerns about phishing on campus and the effort to help the community protect itself against it, most students interviewed were like Rebecca Shoptaw ’18, who said she never received any of the phishing emails ITS alerted the Yale community about. Students also reported that they commonly discard emails that lack important subject lines. Others said they receive many campuswide emails that they do not read.
All 20 students interviewed said they felt their Yale email accounts were secure, and that any spam messages they receive are not numerous enough to be irritating.
“Occasionally I receive spam but it usually goes right to the spam folder,” Scott Remer ’16 said. “Usually when I receive phishing it’s pretty transparent.”
The first known case of phishing occurred in 1995, when a program called AOHell attempted to hack AOL users by posing as an AOL company representative.