Internet scam breaches university's e-mail system
Officials warn affected persons to change passwords immediately
Christopher Barrett
Issue date: 1/29/08 Section: News
1/29/08 - University of Rhode Island administrators are scrambling to warn university e-mail users that a recent message asking for their password is a scam.
The e-mails arrived Friday evening to some student, faculty and staff accounts. The message carried the subject line "Confirm Your E-mail Address" and stated, "To complete your URI account, you must reply to this email immediately and enter your password here (*********)."
That, Help Desk Manager Mary Fetherston said yesterday, is a veiled attempt by unknown hackers to gain unauthorized entry into the university e-mail system. And because other systems, such as e-Campus and WebCT, often use the same password, compromising the e-mail system could give hackers wide access to victims' university accounts. By entering university databases, hackers can skim names, addresses, Social Security numbers and other information, enough data to assume the identity of an unsuspecting victim.
In addition, Fetherston said because many Web sites will e-mail a user a forgotten password, gaining access to e-mail could allow entry to an assortment of sites including online banking.
Fetherston said it's unclear how many university students and employees fell for the scam, but for now she is urging anyone who replied to the message to change his or her passwords immediately. Users who clicked the link provided in the e-mail were not affected, as the link pointed to the legitimate URI Webmail login page.
"We don't know how many got out," she said. "We got about 30 calls and e-mails from the Help Desk Sunday, which is a good amount."
Fetherston said an attentive graduate student, Allison Mitchell, working at the Help Desk saw the e-mail Saturday morning and sounded the alarm.
"It's called a 'spear fishing' scheme," Fetherston said. "It's highly targeted and it looks authentic so it sucks people in. Luckily, because of this grad student's quick action, we got the security alert out."
On Sunday, Fetherston sent an e-mail to the URI Newsline listserv warning URI e-mail users the message was a scam. The university also blocked the Hotmail and SigNet accounts that sent the message and instituted security measures that prevented users from replying to the message.
