Nearly three months after Ohio State revealed a massive security breach, students’ e-mail inboxes were targeted with a phishing attack.
The e-mail, sent Sunday, had the subject heading “Urgent Security Update” and tried to lure students to enter their username and password by following a link to “re-login and resolve the issue.”
The e-mail claimed it was from firstname.lastname@example.org, the e-mail address of OSU’s Office of Information Technology.
Cathy Bindewald, director of communications in the Office of the Chief Information Officer, said this is clearly a phishing attack.
“We will never ever ask anyone for their password,” she said. “If any e-mail is asking for a password, you’ll know it’s a phishing attempt.”
According to buckeyesecure.osu.edu, a website that the office of the CIO manages to promote safe computing, phishing is an attempt to “steal confidential information by trolling for unsuspecting victims through e-mails and sending them to fake websites, where they are tricked into providing personal information.”
The CIO’s office has also set up an e-mail account, email@example.com, to which students can forward suspicious e-mails for investigation, Bindewald said. If the e-mail is found to be a phishing attempt, the author of the e-mail is barred from accessing OSU’s webmail system.
Bindewald said spammers are able to fake the return address on e-mails, which would explain why OIT’s e-mail was listed as the return address.
“They’re very creative,” she said. “But if you just stop and look at it, there are a lot of clues in the messages to show that they are illegitimate.”
Those clues include misspellings, the use of odd English phrases and links to other websites asking for a password.
Jon Giacalone, who received the phishing e-mail, said the link in the e-mail was a “dead giveaway.”
“They warn you like a million times never to respond,” said Giacalone, a third-year in evolution, ecology and organismal biology. “So I just deleted it.”
If a student fails to recognize the e-mail as a scam and enters his or her personal information, Bindewald said action should be taken promptly.
“In order to protect yourself, you should immediately change your password and send the message to report-phish,” she said, adding that OIT would help the student through that process.
Bindewald did not know how many students had received this e-mail.
Bindewald said this attempt has no connection to the security breach OSU announced in December, in which sensitive information of nearly 760,000 current and former students, including Social Security numbers and dates of birth, was stolen.
“Those are two completely unrelated things,” Bindewald said. “(A spammer) getting your username or password is not likely to lead to your identity being stolen.”
The Lantern has pending open records requests that were submitted Jan. 27 for more information concerning the security breach announced in December.
Because of its size, OSU is a regular target of phishing attempts, Bindewald said.
“I would just say it’s a pretty regular occurrence,” she said. “There are people all around the world who read the news and find things out about what’s going on at the university and they’ll try to take advantage of that opportunity.”
To combat those international spammers, Bindewald said OSU has contracted with international security organizations that search for potential scams and inform OIT of the suspicious activity.
Joey Hribar, a third-year in biology, said he always ignores e-mails asking for his passwords.
“When I was in Taylor Tower, someone on my floor got phished,” he said. “They had all these programs warning us about sending your dot number, so I just ignore them.”
Hribar said that even after the breach and continued phishing attempts, he isn’t losing any sleep.
“I don’t really think about it too much,” he said.