Written by Daniel Bitonti
“They want to use our resources. We have very powerful machines and a very large network connection,” says Doug Blain, manager of IT security at the University of Guelph.
From a small office on the second floor of the Computing and Communication Services (CCS) building, Doug Blain monitors the lifeblood of University of Guelph communication. He says we’re under attack right now, as he scrolls through hundreds of email alerts on a desktop computer.
Yet the emails are notifying him that it is uoguelph accounts that are sending out the spam messages, most often scams.
“Here’s one,” says Blain. “Hello, this is [Name withheld] of the 1st Battalion Scots Guard, but redeployed to Iraq, I am seeking your assistance to evacuate $12.7m to you,” Blain reads from his screen.
The email was sent from a uoguelph email address to AOL users.
“Clearly spam,” Blain says.
As manager of IT security, Blain is the University of Guelph’s last line of defence against a class of sophisticated international cyber criminals who prey on the naive, threaten personal security and tarnish the university’s reputation. They’re getting smarter and they’re not going away.
“It’s the worst it’s ever been,” he says.
Currently, the attackers are Nigerian entrepreneurs from Lagos. Sometimes it’s criminals from China or Brazil. Last week, an email was sent to a number of uoguelph accounts notifying users about a quarantine exercise being conducted by CCS. The message looked authentic: it said it was from the CCS Help Desk and had the university’s information at the bottom of the message.
But several things indicated it was a fraudulent email. CCS frequently reminds users that they will never ask them to reveal their passwords. Blain says this should be the biggest red flag of them all. Moreover, the message was sent from a Hotmail account.
The message was only one of many that make their way to various uoguelph accounts on a daily basis, all with the markings of a fraud.
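The red flags described above (a message claiming to come from the CCS Help Desk but sent from a free webmail domain, and a request to reveal a password) can be turned into a simple mail-filter check. The following is an added example, not code from CCS or the University of Guelph; the trusted-domain list, the impersonation keywords, the credential-request pattern and the two sample messages are all constructed assumptions for illustration.

```python
"""Flag inbound messages that show the phishing markers the article describes.

Added example; the rules and sample messages below are assumptions, not CCS policy.
"""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"uoguelph.ca"}                       # assumption: where real CCS mail originates
IMPERSONATED_NAMES = ("ccs", "help desk", "helpdesk")  # display names worth double-checking
# "reply with ... password", "confirm ... password", etc. within a short window of text
CREDENTIAL_REQUEST = re.compile(
    r"\b(reply with|send|confirm|provide|enter|verify|update)\b.{0,40}?\bpassword\b",
    re.IGNORECASE | re.DOTALL,
)
URL = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg) -> str:
    """Collect the text/plain parts of a message as one string."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_flags(raw: str) -> list:
    """Return a list of human-readable reasons the message looks like a CCS impersonation."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    claims_ccs = any(k in name.lower() for k in IMPERSONATED_NAMES)
    flags = []

    # Display name says CCS, envelope sender is somewhere else (e.g. a webmail provider).
    if claims_ccs and from_domain not in TRUSTED_DOMAINS:
        flags.append(f"sender claims to be '{name}' but mails from {from_domain}")

    # Replies silently routed away from the university.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) not in TRUSTED_DOMAINS:
        flags.append(f"replies are redirected to {_domain(reply)}")

    body = _body_text(msg)
    # CCS never asks for a password, so any request for one is the biggest red flag.
    if CREDENTIAL_REQUEST.search(body):
        flags.append("message asks the recipient to reveal a password")

    # A "CCS" message whose login link leaves the uoguelph.ca domain.
    for host in URL.findall(body):
        host = host.lower().split(":")[0]
        if claims_ccs and host != "uoguelph.ca" and not host.endswith(".uoguelph.ca"):
            flags.append(f"login link points at {host}")
    return flags


# Constructed sample messages (not real mail seen by CCS).
SAMPLE_PHISH = """From: CCS Help Desk <ccs.helpdesk@hotmail.com>
To: student@uoguelph.ca
Subject: Quarantine exercise - action required

Dear user,
CCS is conducting a quarantine exercise. Reply with your username and password
to keep your account active, or log in at http://uoguelph-webmail.example.net/login
Computing and Communication Services, University of Guelph
"""

SAMPLE_LEGIT = """From: CCS Help Desk <helpdesk@uoguelph.ca>
To: student@uoguelph.ca
Subject: Scheduled maintenance

Mail service will be unavailable on Sunday from 02:00 to 04:00.
CCS will never ask for your password.
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_flags(sample))
```

The checks are deliberately conservative: a genuine CCS notice that merely reminds users that passwords are never requested produces no flags, while the constructed impersonation trips the sender-domain, credential-request and off-domain-link rules.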
For a cyber criminal, the lure of having access to a uoguelph account is the ability to send out hundreds of thousands of emails in a matter of a few hours.
“They want to use our resources. We have very powerful machines and a very large network connection,” says Blain. “Each one of these accounts is very powerful. Normally what [cyber criminals] would do in the past is compromise someone’s machine in their home. They might be able to get off a couple of thousand emails a day. The speed and capability we have means they can do a lot more damage.”
Before the holiday break, there was no limit on the number of emails that could be sent from uoguelph accounts. A uoguelph email account had the potential to send hundreds of thousands of spam emails in a couple of hours.
And on several occasions this is exactly what happened.
Since last weekend, at least 14 uoguelph users revealed their passwords, or fell prey to “phishing” as it’s known in the IT security world. According to Blain, messages are the most effective when there are real similarities with authentic CCS messages. The more sophisticated criminals sometimes send links to uoguelph accounts, leading users to a replica of the uoguelph website where they are advised to reveal their credentials.
The spam emails sent from harvested uoguelph accounts are money scams. In the example of the soldier who found the $12 million, if someone was gullible enough to reply, Blain says the cyber criminal might then ask for a sign of good faith, perhaps a couple thousand dollars for something like an export license fee. An email was recently sent from a uoguelph account notifying Hotmail and AOL users that they won a Nokia Mobile contest prize of $10,000. For the cyber criminal, just one or two people getting duped by the emails make the scheme a success.
The consequences of this for a university can be severe. Last month, Hotmail blacklisted uoguelph accounts because of the hundreds of thousands of spam messages coming from uoguelph accounts. On one occasion uoguelph accounts were blacklisted by Hotmail for 72 hours.
“It is a significant problem, I don’t know if I can quantify it, but it is a significant problem because a lot of students redirect their mail to their Hotmail accounts and we have a lot of suppliers and friends at the university, and other partners we have who use Hotmail and AOL,” says Michael Ridley, the chief information officer at the University of Guelph.
While the university’s Ironport system filters 97 per cent of emails coming to uoguelph accounts, Blain goes through hundreds of emails from AOL and Hotmail users on a daily basis who have tagged uoguelph email messages as spam. When Blain comes across a uoguelph address sending out spam, he immediately locks it, meaning no messages can be sent from that address until he has consulted with the user.
“If over and over again we are getting complaints about our material being spam they [email providers] will say we are not a reputable site,” says Blain.
It was only after CCS made an agreement with Hotmail to monitor spam alerts that uoguelph users were taken off the blacklist.
The recent decision to put a daily limit on the number of emails sent from a uoguelph account is a new way of dealing with the problem. Due to security concerns, Blain could not reveal the limit, but said there is a fine line, as some real uoguelph users need to send thousands of emails a day.
“We are trying to find that nice balance between not interrupting a good service, but not having a service so valuable that is so attractive to these spammers,” he says.
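The two controls the article describes, a daily per-account sending cap with higher allowances for legitimate bulk senders, and an immediate lock when a provider reports an account as spamming, can be modelled together. The following is an added example, not CCS code; the article withholds the real limit, so the default limit, the complaint threshold, the 24-hour window and the account names are assumptions constructed for illustration.

```python
"""Per-account outbound mail guard: daily cap plus lock-on-complaint.

Added example, not the university's system; all limits here are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DEFAULT_DAILY_LIMIT = 500      # assumption: the article does not reveal the real limit
COMPLAINT_LOCK_THRESHOLD = 3   # assumption: provider spam reports before an automatic lock


class OutboundGuard:
    def __init__(self, daily_limit=DEFAULT_DAILY_LIMIT, bulk_senders=None):
        self.daily_limit = daily_limit
        self.bulk_senders = dict(bulk_senders or {})   # account -> higher, approved limit
        self.sent = defaultdict(list)                   # account -> send timestamps in window
        self.complaints = defaultdict(int)              # account -> spam reports received
        self.locked = {}                                # account -> reason it was locked

    def limit_for(self, account: str) -> int:
        return self.bulk_senders.get(account, self.daily_limit)

    def _prune(self, account: str, now: datetime) -> None:
        # Keep only sends inside the trailing 24-hour window.
        cutoff = now - timedelta(days=1)
        self.sent[account] = [t for t in self.sent[account] if t > cutoff]

    def try_send(self, account: str, now: datetime) -> bool:
        """Return True if the message may go out; lock the account once it exceeds its cap."""
        if account in self.locked:
            return False
        self._prune(account, now)
        if len(self.sent[account]) >= self.limit_for(account):
            self.locked[account] = f"exceeded {self.limit_for(account)} messages in 24h"
            return False
        self.sent[account].append(now)
        return True

    def spam_complaint(self, account: str, provider: str) -> None:
        """Record a feedback-loop report from a provider such as Hotmail or AOL."""
        self.complaints[account] += 1
        if self.complaints[account] >= COMPLAINT_LOCK_THRESHOLD and account not in self.locked:
            self.locked[account] = (
                f"{self.complaints[account]} spam complaints (latest from {provider})"
            )

    def unlock(self, account: str) -> None:
        """Restore sending after the user has been consulted and the password reset."""
        self.locked.pop(account, None)
        self.complaints[account] = 0
        self.sent[account] = []


def simulate() -> dict:
    """Run constructed traffic through the guard and report what got through."""
    t0 = datetime(2010, 1, 18, 9, 0)
    # Small limits so the behaviour is visible; the listserv has an approved higher cap.
    guard = OutboundGuard(daily_limit=5, bulk_senders={"listserv@uoguelph.ca": 50})
    student = sum(guard.try_send("student@uoguelph.ca", t0 + timedelta(seconds=i)) for i in range(20))
    bulk = sum(guard.try_send("listserv@uoguelph.ca", t0 + timedelta(seconds=i)) for i in range(20))
    for _ in range(3):
        guard.spam_complaint("prof@uoguelph.ca", "hotmail.com")

    # A user who stays under the cap each day is never interrupted.
    steady = OutboundGuard(daily_limit=5)
    spread = sum(steady.try_send("staff@uoguelph.ca", t0 + timedelta(seconds=i)) for i in range(4))
    spread += sum(steady.try_send("staff@uoguelph.ca", t0 + timedelta(hours=25, seconds=i)) for i in range(4))

    return {
        "student_delivered": student,
        "bulk_delivered": bulk,
        "spread_delivered": spread,
        "locked": dict(guard.locked),
    }


if __name__ == "__main__":
    print(simulate())
```

The balance the article describes lives in `bulk_senders`: the default cap blunts a harvested account's value to a spammer, while named accounts that genuinely need to send thousands of messages a day keep a higher limit, and any account that providers report as spamming is locked until a person has spoken to the user.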
But the possibility of cyber criminals one day harvesting accounts to blackmail people, or using their access to accounts to search for financial information, is another real concern; improving security is a continuous battle.
Cyber criminals can also find other ways to harvest accounts without asking for password information, and Ridley believes with the new limits on email, cyber criminals will now work laterally, using more accounts instead of going deeper into a single one.
“It’s a huge priority. In the last three years especially we have dramatically changed our stance on IT security, and largely because the attacks are more frequent and more vicious and more successful,” says Ridley. “Truly, the real breakthrough will be between people’s ears. It’s thinking about what they are doing and how they are compromising themselves and others.”
