To deter phishing, 'there's one thing all of you can do, that we can't'

Phishers are sending increasingly deceptive messages to UC Davis email account holders this year, and a new post to a campus technologist email list shows how much damage can be caused when even one unwary campus email user falls for the scam.

The takeaway lesson: people who use email at UC Davis urgently need to get up to speed on spotting phishing frauds. Fortunately, that's not hard, as the advice in this post notes. (If you're in a hurry, you can find it near the end.)

Ann Mansker, an analyst in Information and Educational Technology, sent the following post on Monday to the campus Technology Support Program email list. She's discussing a recent problem in which email sent from UC Davis addresses was being rejected by outside servers, disrupting legitimate email to and from campus. Despite the technical language, she writes with enough clarity that most people can get the gist, including how vital it is for each person on campus to learn to recognize and resist phishing:

Sent: Monday, December 08, 2008 2:30 PM

Subject: [TSP-INFO:6435] Following Up On Campus Mail Blocks

Hi folks,

By now in general all of the requests to various ISPs and block lists should be processed, so UCD is back in the email club. This was such an unusual, and yet terribly repeatable, circumstance it seems like a good time to discuss what happened.

The short answer: successful phishing.

When IT Express gets another UCD-focused phishing message, one of the consultants immediately requests a block on the reply-to address (in the ITX trailer, we call this "whack a mole.") Sadly, between the start of the phishing attempt and the time the block goes into place, there is a significant opportunity for people to reply to the phisher. All the phisher needs is one person to send their loginID and password, and then it's off to the spam races.

Whoever is targeting the campus is aware of Geckomail, so the next thing that happens after they find that someone is that the phisher logs in to the user's account via Geckomail and launches a huge spam run. Since mail originating from campus systems is not spam-scanned, the messages flow unhindered through the MX pool and to the world at large.

As far as we can tell, the entire MX pool got added to numerous block lists as a result of a single 8-hour spam run originating from a compromised account.

Intense discussions of what can be done to prevent the use of the Geckomail server for spamming are taking place even as I type. There's one thing that all of you can do, though, that we can't. Please do everything you can to educate everyone in your department (faculty, staff, graduate students) about phishing scams, and make this as clear as possible:

  • No one who has the authority to access the computing accounts or email systems needs anybody's personal account information to do so.
  • There is no "maintenance" or "synchronization" or other process that requires users to submit their account information to anyone.
  • IT Express will never ask for a user's password, in email or on the telephone.
  • Every individual has a responsibility to maintain the security of their account. Never, ever give out your password, to anyone.

Ann M.

Please don't ask me to keep in step--it's hard enough just to stay in line. -- Ashleigh Brilliant
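A defender-side check suggested by the incident described above, added here as an example and not part of Ann Mansker's post or any UC Davis tooling: it reads constructed webmail send-log lines in a hypothetical format and flags accounts whose per-hour message or recipient volume looks like a spam run from a compromised account, so a block can be requested before outside block lists react. The log format, field names, account names and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical send-log format (not Geckomail's real one):
# "<ISO timestamp> send user=<account> rcpts=<recipient count>"
LINE_RE = re.compile(r"^(\S+) send user=(\S+) rcpts=(\d+)$")


def build_sample_log():
    """Constructed sample: two normal users plus one account that replied to a phisher."""
    lines = []
    for i in range(5):
        lines.append(f"2008-12-05T09:{i*10:02d}:00 send user=alice rcpts=1")
        lines.append(f"2008-12-05T09:{i*10+5:02d}:00 send user=bob rcpts=2")
    # Compromised account: 90 messages to 20 recipients each inside one hour
    for i in range(90):
        m, s = divmod(i * 40, 60)
        lines.append(f"2008-12-05T10:{m:02d}:{s:02d} send user=victim rcpts=20")
    return lines


def parse_line(line):
    """Return (timestamp, account, recipient_count) or None for unparseable lines."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    return datetime.fromisoformat(match.group(1)), match.group(2), int(match.group(3))


def flag_spam_runs(lines, max_msgs=50, max_rcpts=500):
    """Bucket sends per (account, hour); flag buckets over either threshold.

    Returns {account: [(hour, messages, recipients), ...]} for flagged accounts.
    """
    stats = defaultdict(lambda: [0, 0])  # (account, hour) -> [messages, recipients]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than failing the whole run
        ts, user, rcpts = parsed
        key = (user, ts.strftime("%Y-%m-%dT%H"))
        stats[key][0] += 1
        stats[key][1] += rcpts
    flagged = {}
    for (user, hour), (msgs, rcpts) in sorted(stats.items()):
        if msgs >= max_msgs or rcpts >= max_rcpts:
            flagged.setdefault(user, []).append((hour, msgs, rcpts))
    return flagged


if __name__ == "__main__":
    for user, buckets in flag_spam_runs(build_sample_log()).items():
        print(f"request block for {user}: {buckets}")
```

Thresholds should be tuned to real per-account baselines; legitimate list owners will exceed a naive cutoff, so treat a flag as a trigger for review and a block request, not automatic lockout.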


Search the TechNews archives for earlier posts about campus phishing, including "New security notice can help you spot phishing scams" and "New 'How Email World Works' list has phisher-foiling advice."