Phishing message targets USU webmail users

Written for The Utah Statesman on January 25th, 2008.

A phishing message asking USU Webmail users for their username and password arrived in an estimated 800 students' inboxes Monday night.

"Phishing is the Internet term for an attempt to fool someone into thinking that the message or Web site is from an official source, when it's really from the hacker, fooling them into providing private info to the hacker as a result," said Bob Bayn, Information Technology security team coordinator for USU.

The message, a forgery from a computer in the Netherlands claiming to be "cc.usu.edu Team," asked users to send their e-mail username and password to "account.upgrade@hotmail.co.uk" for the purpose of upgrading the database, Bayn said.

The IT security team sent out a notice about the e-mail Tuesday, warning students to not follow instructions and to immediately change their password if they did, Bayn said.

"In general, phishing is not structured like this," Bayn said. "This one was obviously a lot more direct and low tech. They just said please e-mail us your username and password."

Bayn said most phishing scams send someone to a forged Web site, where they will access an identical copy of a familiar Web page. When someone enters their information on the fake page, for example, when they try to log in, the hacker automatically obtains access to that information.

"They don't have to fool very many people to get what they want," Bayn said.

"This message appeared to be directed to USU, but it was structured in a way that they could easily adapt that message to someplace else as well," he said.

"Organizations that use log-in credentials don't, as a rule, do the same things legitimately that phishing messages do," Bayn said. "If you get a request via e-mail for private information, you should be immediately suspicious."

Typically, messages like this don't make it past the USU spam filter system, as most of it is blocked before it makes it to the inbox, Bayn said.

"A spam-filtering system does not relieve people of having to worry about this," he said. "It relieves people of the burden of receiving the bulk, but there are still things that come through. People still need to be Internet skeptics."