The University of Iowa Information Technology Services is intensifying security systems and awareness after the recent surfacing of an email “phishing” attack on UI faculty.
A phishing attack is an email that tries to persuade recipients to take some action, usually worded with urgency, so that the recipient clicks a link and the attacker can eventually obtain private information.
UI Staff Council President Randy Nessler said he was familiar with the emails, saying they looked reasonably authentic.
“I’ve seen some very realistic-looking emails being mailed to my account that really make me think ITS is telling me that I need to go to a site and do something with my email,” Nessler said at the Staff Council meeting Wednesday afternoon.
ITS Chief Information Security Officer Jane Drews said officials discovered the attack on Nov. 18, when someone called the help desk about a potential attack. The linked pages, she said, were incredibly convincing.
“For those people who clicked on the links, they would see what looked like a university website, one of them was an exact copy of one of our websites. [When] people provided their login and password, both were captured and the attackers used those credentials to log in to our employee self-service and access sensitive, confidential information,” Drews said. “In a couple of cases, changes were made to people’s payroll information.”
Two phishing attempts were sent out, and out of the roughly 1,000 individuals who received the emails, approximately 50 opened the first and 100 people opened the second.
Once activity was detected, ITS made significant changes to the system by blocking offending IP addresses from the campus network, and making changes in the Employee Self Service portal by blocking known sources and access to certain functions. Individuals who wanted access to certain functions were directed to enter the last four digits of their Social Security number as a prevention method.
Michael Kaplan, the ITS director of information management/application development, said to prevent attackers from accessing the site, Social Security numbers were used because Human Resources already possesses this information from employees’ W-2 forms. The site, he said, may look different because it was built quickly to ensure protection, with all members of the UI email community in mind.
“In building it, we realized it had to be extremely accessible to people with disabilities because everyone was going to be seeing it, so we had to put things in certain places on the page,” Kaplan said. “We had to use all of those tricks, and that required that we use a modern method.”
Kaplan, who created the page in one day, said it is likely more self-service pages will be formatted this way in the future.
Drews said the UI is not the only university experiencing these scams; roughly 20 other universities are also encountering hacking attempts in their email systems, and it has sparked a nationwide exploration of the problem.
Vice President for Human Resources Susan Buckley warned faculty to scan for unconventional language in the emails they receive to prevent phishing.
“The attacks have become so sophisticated,” Buckley said during the meeting. “So I think the answer is we need to continue to re-evaluate the circumstances we find ourselves in.”
ITS has begun a post-card campaign, sent out a mass email, and promoted awareness online about phishing prevention.
Drews noted that ITS is doubling its efforts to try to raise awareness about phishing in general and strategies of preventing attacks.
“We’re reasonably confident we have this attack stopped,” Drews said.
Drews said the local FBI is working on solving the problem, as is the FBI as a whole, because other universities were attacked.