False Spring Weekend lineup sent to campus press outlets

A third-party website allows spoofers to create realistic fake email accounts

By
Senior Staff Writer

Brown email addresses can be impersonated by any user inside or outside of the Brown network through email spoofing websites, evidenced by an email supposedly sent from Brown Concert Agency Publicity Chair Raillan Brooks ’13 to multiple press outlets Tuesday with a false Spring Weekend lineup.

“(Email spoofing) is an inherent insecurity in the Internet,” said Chief Information Security Officer David Sherry, one that is “inherent in all email servers” and not just Brown’s.

The email’s source code revealed the message was a hoax sent from a third-party service that allows any user to modify an email’s “from:” field and impersonate another address. If done cleverly enough, the email will appear at first glance to have actually been sent by that user.

Sherry said trying to crack down further on these sorts of spoofing attempts “would be a losing battle” and would “cause issues for all emails.”

“I did know that it was possible to impersonate other email addresses, but I had never seen it happen,” said Kareem Osman ’14.

“This was obviously a lighthearted example,” he added. “But you can obviously think of ways that it would be bad” — emails to which a user might respond with sensitive information, Osman said.

At 9:53 a.m. yesterday, The Herald and BlogDailyHerald received an email from Brooks that stated the Spring Weekend lineup announcement was forthcoming. At 10:32 a.m., The Herald posted a brief article online attributing the information to Brooks.

Ten minutes later, BlogDailyHerald received an email claiming to be from Brooks’ email account, with subject “Lineup.” The body read: “Friday: The Sounds of Capitalism, Toro Y Moi. Saturday: The Postal Service, Grouper. More acts to be announced in March.”

The Sounds of Capitalism and Grouper are not real bands, Brooks said, and The Postal Service is currently booked to perform at Coachella Valley Music and Arts Festival the Saturday of Spring Weekend. But, BlogDailyHerald editors said, because Brooks was their source for the previous Spring Weekend information, they published the lineup reported in the email.

“That’s usually what we do when we receive an email from BCA,” said BlogDailyHerald Editor-in-Chief Meredith Bilski ’14. “We put (the information) up on the Blog.”

Though Brown’s security filter flagged the message as suspicious, the system marked it as a “soft fail,” allowing the email through with the fraudulent “from:” address intact.
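The “soft fail” described above can be looked for in a message’s source, assuming it refers to the SPF `softfail` result that a receiving server records in the `Received-SPF` or `Authentication-Results` header. The following is an added example, not code from the article or from Brown; the sample message, its addresses and the ok/review/hold verdicts are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not the email from the article); every name is a placeholder.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received-SPF: softfail (mx.example.edu: domain of transitioning bounce@mailer.example.net does not designate 203.0.113.7 as permitted sender) client-ip=203.0.113.7;
Authentication-Results: mx.example.edu; spf=softfail smtp.mailfrom=mailer.example.net
From: "Publicity Chair" <chair@example.edu>
To: editors@press.example.org
Subject: Lineup

Friday: ...
"""

def domain(addr):
    """Lower-cased domain part of an address header value, or '' if absent."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def spf_result(msg):
    """SPF verdict recorded by the receiving server, or 'none' if not recorded."""
    words = msg.get("Received-SPF", "").split()
    if words:
        return words[0].lower()
    m = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""), re.I)
    return m.group(1).lower() if m else "none"

def triage(raw):
    """Return (verdict, reasons) for one raw message.

    Assumes the SPF headers were added by the reader's own mail server;
    copies of these headers supplied by the sender must not be trusted.
    """
    msg = message_from_string(raw)
    reasons = []
    result = spf_result(msg)
    if result != "pass":
        reasons.append(f"SPF result is {result}")
    from_dom, env_dom = domain(msg.get("From")), domain(msg.get("Return-Path"))
    if from_dom and env_dom and from_dom != env_dom:
        reasons.append(f"From domain {from_dom} differs from envelope domain {env_dom}")
    if not reasons:
        return "ok", reasons
    return ("hold" if len(reasons) > 1 else "review"), reasons
```

A softfail on its own is common for legitimate forwarded mail, which is why the sketch only escalates to “hold” when the visible “from:” domain also disagrees with the envelope sender.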

Brooks and Bilski both said no one from their respective organizations sent the fraudulent email.

“The people on BCA understand the consequences of leaks,” Brooks said. “I trust them as my friends and as people who are professionally invested in this to not do something like that.”

“People on our staff are ethical, and they would not do this on purpose,” Bilski said. “We were anticipating a Spring Weekend lineup from them, and we wouldn’t have made one up on our own.”

 

-With additional reporting by Rachel Margolis

  • beige

    David Sherry, Given as you said that this can happen to anybody on any server, obviously then you did not screw up. How meticulous for the BDH to help you to point this out. This is such critical information, without which Brown University would not function today.

  • xxaa

    wouldn’t the bdh think of fact checking the bands before they released the lineup? i find it incredible that they announced “the sound of capitalism” (really, this didn’t seem fake to anyone!??) is playing when it isn’t even a real band. why didn’t anyone, i don’t know, google the bands before spreading the announcement? could have saved the bdh a lot of embarrassment, though i guess you guys don’t bother checking your facts?

    • Joe

      oh you mad, huh?

  • mcg

    Grouper is very much a real band….

  • Brian

    re: xxaa. This is the BDH, not the New York Times. It’s kind of crazy that someone went to all the trouble to impersonate a member of BCA just to spread misinformation. Maybe I’m a trusting person, but I probably would not be expecting that. Why are you attacking BDH’s journalism instead of the person who created all of this confusion? I mean, this has such a small impact on your life. It’s not like they were purposefully or sloppily spreading misinformation. And it really isn’t that embarrassing. If you’re going to attack the BDH for their ineffective fact checking, you would look a lot less shallow if you actually found an article where false information could have real consequences. One thing that bothers me about Brown is how entitled people get about certain things, like spring weekend.