Even at Brown, e-mail scammers go phishing

By
Friday, November 30, 2007

Brown e-mail users are being bombarded with an increasing number of scam e-mails, a practice known as “phishing.”

“Dear Brown.edu subscriber,” began one that arrived this week in many Brown inboxes, purporting to be sent by “the Brown University Webmail Team” at “support@brown.edu.” “To complete and verify your Brown.edu account, you must reply to this email immediately and enter your password here (*********). Failure to do this will immediately render your email address deactivated from our database.”
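The message quoted above carries the classic markers of credential phishing: a generic greeting, a demand to reply with a password, an "immediately" deadline, and a threat to deactivate the account. The following heuristic scorer is an added example, not code from the Herald or from Brown's Computing and Information Services; it parses a raw e-mail, scores the body against those markers, and flags a Reply-To domain that differs from the From domain. The From and Reply-To headers on the sample are constructed for the example (the article does not report the scam's headers), and the `example.net` reply address is a placeholder.

```python
"""Heuristic scorer for credential-phishing e-mail (added example, not from the article)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Body indicators: (label, pattern). Each match adds one finding.
INDICATORS = [
    ("requests password",
     re.compile(r"\b(enter|provide|send|reply with|confirm)\b[^.\n]{0,60}\bpassword\b", re.I)),
    ("urgency",
     re.compile(r"\b(immediately|urgent(ly)?|within \d+ (hour|day)s?)\b", re.I)),
    ("threat of account loss",
     re.compile(r"\b(deactivat|suspend|terminat|clos)\w*\b[^.\n]{0,40}\b(account|address|mailbox)\b"
                r"|\b(account|address|mailbox)\b[^.\n]{0,40}\b(deactivat|suspend|terminat|clos)\w*", re.I)),
    ("generic greeting",
     re.compile(r"^\s*dear\s+(\S+\s+)?(subscriber|user|customer|member)\b", re.I | re.M)),
    ("asks for credentials by reply",
     re.compile(r"\breply to this (e-?mail|message)\b", re.I)),
]


def body_text(msg):
    """Return the text/plain content of a parsed message as a str."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b""
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return "\n".join(p.decode("utf-8", "replace") for p in parts)
    payload = msg.get_payload(decode=True)
    return payload.decode("utf-8", "replace") if payload else ""


def header_findings(msg):
    """Flag a Reply-To that would route the victim's answer away from the claimed sender."""
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    return findings


def score_message(raw):
    """Parse a raw RFC 822 message and return the list of phishing findings."""
    msg = message_from_string(raw)
    findings = header_findings(msg)
    text = body_text(msg)
    findings.extend(label for label, pat in INDICATORS if pat.search(text))
    return findings


def is_suspicious(raw, threshold=3):
    """True when the message accumulates at least `threshold` findings."""
    return len(score_message(raw)) >= threshold


# Constructed sample: body is the text quoted in the article; headers are assumed.
SCAM_MESSAGE = """From: "Brown University Webmail Team" <support@brown.edu>
Reply-To: webmail-verify@example.net
Subject: Verify your Brown.edu account

Dear Brown.edu subscriber,

To complete and verify your Brown.edu account, you must reply to this email immediately and enter your password here (*********). Failure to do this will immediately render your email address deactivated from our database.
"""

# Constructed benign message for contrast.
BENIGN_MESSAGE = """From: John Doe <jdoe@brown.edu>
Subject: Study group

Hi Jane,

The reading room closes at 5 pm on Friday. See you at the study group.

John
"""

if __name__ == "__main__":
    for name, raw in (("scam", SCAM_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(name, is_suspicious(raw), score_message(raw))
```

A spoofed From address is cheap, so a From domain matching the institution proves nothing on its own; the scorer therefore treats the body markers and the Reply-To mismatch as the signal, and a real deployment would combine it with SPF or DKIM results from the receiving mail server.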

Connie Sadler, director of IT security at Computing and Information Services, told The Herald that such e-mail scams are becoming increasingly common.

Every year “there are phishing attacks that target students, particularly around the beginning of the semester,” Sadler said. Many use e-mails similar to those sent by major banks or online retailers to entice readers into visiting fraudulent Web sites. Once there, visitors are asked to give passwords and other personal information.

Phishing techniques are becoming much better targeted, said Peter Cassidy, secretary-general of the Anti-Phishing Working Group, which monitors trends in phishing e-mails across the Internet. “By 2005, it was really professionally done. Phish mail was indistinguishable from any communications from, say, the bank itself.”

In May 2005, Cassidy added, the University of Kentucky suffered one of the cleverest attacks to date. “They took names of staff, students and faculty off of all the Web site directories,” Cassidy said, “then e-mailed them phishing e-mails purporting to be from the University of Kentucky Federal Credit Union, on the belief that they would likely… be customers of the bank.”

The most recent phishing e-mail posing as an official Brown correspondence is similar. “It looks like they’re going after Brown students in particular,” Cassidy said. If students comply with the e-mail, the scammer gets their account password and access to their e-mail.

“Once they’ve got the ability to spoof you and pretend to be you and rummage around in your e-mail, they know pretty much a big chunk of your business,” Cassidy said. “They’ll roll out and see if you’re using the same username and password in other accounts, like eBay. Because a lot of people do that.”

An almost verbatim e-mail was used to target users of Optimum.net, a Web portal run by New York-based Cablevision, according to Optimum’s Web site.

Scammers “re-use whatever resources work,” Cassidy said. “These guys don’t want to work for a living – that’s why they’re phishing.”

A 2006 study by researchers at Harvard University and the University of California, Berkeley, found that some phishing attacks convince up to 5 percent of recipients to provide personal information. Overall, the attacks generate $1.2 billion in losses each year.

Sadler said she doesn’t know of any Brown students fooled by the most recent scam e-mail. Other phishing scams, however, have done far more serious damage, including one sent to a Brown student in the spring.

“I think the e-mail said something like ‘We are Bank of America’s fraud detection team, and we have reason to believe that your account may have been compromised. … Click on this link to verify your information,’ ” Sadler said.

A student told her that “she clicked on the link and filled out the information, and within minutes her bank account was empty. They got everything,” Sadler said.

Eventually, Sadler added, “she did get her money back. But it was during finals … and she had to go through a lot of process and red tape.”

Another e-mail, reported to Sadler by several Brown account holders, purported to come from a hit man who had been contracted to kill the recipient. For $4,000, the messages said, he would lay off – but he would need the money soon.