Ithaca College’s latest phishing incident occurred Aug.19. Although there have been similar incidents in the past, this specific attack left more accounts compromised than ever before.
Through the use of deceptive emails, phishers gained access to some students’ usernames and passwords said David Weil, associate vice president and chief information officer of information technology. The college began taking action against the phishing in February 2017 when 14 accounts were compromised by phishing.
In response to the recent increase in phishing, the college’s information technology department has begun to implement Duo Multifactor Authentication, an added security measure, to protect college email accounts.
When users sign up for Duo Multifactor, they receive unique codes on another device and type it into their email accounts. Phishers will not have access to these codes and will not be able to get into the accounts.
Unlike hacking, which is an unauthorized intrusion, phishing occurs when users are tricked into voluntarily giving away their information. This could happen by giving information to emails posing as real companies or people.
Michael Malpass, professor in the Department of Anthropology, has worked at the college for nearly 30 years. He said he thinks phishing scams have not been a problem at campus until recently.
“I have never had any issues with that at all since this year,” Malpass said. “All of this is pretty recent.”
Weil said that though most of the phishing and hacking seen on the news appears to target big companies, such as Equifax and Target — where customers’ credit card information and social security numbers were stolen — more recently, there has been a shift toward targeting higher education.
“As companies tighten down their defenses, the criminals look for a softer target,” Weil said. “Higher education hasn’t been as hardened as some of the other sectors like business, banks or retail.”
Malpass said the problem at the college probably is related to the global increase in hacking.
“There has just been a huge increase in different organizations, people and groups trying to access information from different places,” he said.
Phishing attempts have increased 65 percent worldwide in the past year, according to PhishMe’s Enterprise Phishing Resiliency and Defense Report.
Weil said that in the case of the college’s most recent attack, students and faculty were targeted by an error message in their emails.
“In this particular case, it was a little green box saying, ‘Cannot display this message. Click here,’” Weil said.
Weil said those who clicked were taken to a page that had a seemingly official college logo on it. They were then asked to type in their usernames and passwords. Once the victims gave away their credentials, the phishers had access to their accounts.
Aside from accessing private information, automated emails were programmed to immediately log into the individuals’ accounts and use the victims’ emails to send more messages. This resulted in an exponential growth in the number of emails people received, he said.
“The main incident was over in a matter of hours,” Weil said. “We were able to neutralize the link that prevents further spreading.”
Freshman Alyshia Korba said she was a victim of the latest phishing incident.
“I had gotten an email saying the college had a filtering system and said it couldn’t display some content,” Korba said. “I clicked on it, and it was obviously something off. I left, but apparently that was enough time to get some virus.”
After realizing her email password had been changed without her authority, Korba contacted the IT department, who helped her fix the problem in less than a day.
“It was very stressful,” Korba said. “The week before class was starting, not able to contact any of my professors or anything … I didn’t know if I was missing any important information about moving in.”
Weil said only about 1 percent of the college’s population gave their credentials to the phishers. Since all college staff had already activated their Duo Multifactor, there was no risk of their accounts being accessed.
Multiple emails have gone out since the incident, warning about phishing and urging both students and staff to sign up.
“The single best protection against getting your account accessed by someone other than you is the use of two–factor authentication,” Weil said.
Fifty percent of faculty and 40 percent of students have downloaded the Duo Multifactor app as of Sept. 19, Weil said.
Weil said the goal is to have all faculty set up with Duo Multifactor by fall break and have all students enabled by mid-November.
Aside from Duo Multifactor, the college has numerous security features in place. Weil said the college already has an advanced system to filter out specific emails. In this case, the phishers specifically crafted the email to get around previous protections, he said.
For this reason, the college has now added a button at the top of each student and faculty email which allows users to report suspicious messages, Weil said.
Casey Kendall, executive director of applications and infrastructure, encourages people to click the “report as phishing” button if an email seems untrustworthy.
“Once a message is proven as phishing, it helps with our threat protections because then we protect against that nuance as well,” Kendall said. “It [the security system] is always being built upon.”
Even with the added protection, there is no way to completely stop students and staff from receiving these types of emails, Weil said. Therefore, he recommends being skeptical of suspicious messages.