"Confirm Your Web Mail"
"Upgrade Your Account!"
These email subjects lines are ploys to get you, the user, to click on bogus links or disclose your username and password, giving the attacker a way to access your email account.
Phishing, as these attempts are called, is one of the most frequently used avenues for cyber attacks. Unwitting end users make phishing emails a favorite tactic of cyber criminals and a liability for most organizations. Across industries and companies, the number of phishing attacks increased 59% between 2011 and 2012, with global losses estimated at $1.5 billion in 2012, according to RSA's "The Year in Phishing, January 2013."
As you may have guessed, MIT's email users are not immune to phishing. Even with filtering and spam-blocking tools in place, some phishing messages still reach users' inboxes.
Two methods of attack are typically directed at MIT: the first is email that encourages users to disclose their MIT account credentials, either via a reply message or a forged website, enabling the attacker to use these credentials to send more spam; the second is email that tries to convince users to pay for something they don't want or need.
A Jump in Compromised Email Accounts
It's not entirely clear why phishing attacks have escalated, but whatever the reason, Information Services and Technology (IS&T) has seen an increase in compromised email accounts at MIT. Andrew Munchbach of IS&T's IT Security Services notes that there have been nearly 100 compromised MIT accounts over the past 30 days (starting in mid-August).
This is a substantial jump. According to Jacob Morzinski of the IS&T Accounts Team, "Usually we see maybe two compromised accounts per week. Now we're seeing more like twenty a week."
Falling for the Scams
Most of the compromised accounts seen in this period are a direct result of users responding to phishing emails, errantly thinking that they were from MIT or IS&T. "The emails are usually not that masterful at disguising themselves [as coming from MIT]," says Morzinski. "But people are either vulnerable at that moment — perhaps too busy to read the email thoroughly — or have heard of such things as email accounts reaching quotas, that then require some action on their part. They aren't sure, but they assume it's a legitimate email and don't take the time to verify this."
In addition, due to the security improvements to Kerberos passwords made this past summer, some users assume that MIT or IS&T will ask them to change their passwords. To be clear, IS&T may remind you to update your password if it hasn't been changed in a year, but will NEVER ask you to send your password in an email. You should never share your password with anyone. You can change your password online through the web page that first verifies your MIT identity.
When an MIT email account becomes compromised, a large amount of spam is often sent from those accounts by the attackers. Because this can cause issues for the Institute itself — such as being blacklisted for sending spam — the IT Security Team looks for unusual activity on MITnet. If it notices suspicious account behavior, it will notify the Accounts Team. "We suspend a compromised account until the owner of the account contacts the IS&T Help Desk to fix the problem," explains Morzinski.
Suspending an account prevents further fraudulent activity. The user is no longer able to log into their email account or send messages from their email client. The user is also unable to access other online services that use Kerberos tickets to verify their identity.
If you notice email problems (for example, you can't send mail or a large amount of email is being deleted) or think you've been a victim of phishing, your MIT account may be compromised. If you suspect this to be the case, contact the IS&T Help Desk immediately; a consultant there can help you recover from the problem, including retrieving any legitimate emails that may have been deleted.
The first recommendation IS&T may give you is to change and strengthen your Kerberos password, which protects the account. However, you should be aware that changing your Kerberos password does not instantly stop an attacker (if the attacker is still logged in to your web mail, they can still send email from the account). For this reason, suspension is often the best strategy to regain control of a compromised account.
Questions or Concerns
If you have questions or concerns about phishing or about your email account, contact the IS&T Help Desk at 617-253-1101, send email to firstname.lastname@example.org, or send a request online.