4.21.2008

Strategies To Avoid Falling Victim to Spear Phishing Attempts

Like many other academic institutions, SF State has recently been targeted in a series of spear phishing attempts. While new technology to detect and prevent these attacks is being evaluated, the following guidelines will help you recognize spear phishing attempts and avoid falling victim to them:

What is phishing?
Phishing is an attempt to fraudulently acquire sensitive information by masquerading as a legitimate or trustworthy entity in an electronic communication. Phishing is typically carried out by email (and is therefore a variant of spam) or instant messaging, and often directs users to fraudulent websites to gather additional information. Spear phishing is the targeted form: the message is crafted for a specific individual or community of users (a campus, a department) and so looks far more plausible than generic spam.

An excellent background on phishing, its history and its ongoing evolution, is available in the Wikipedia article on phishing.

Recognize that Caller Id, Text Messaging Id, and Email “From/Reply To” Addresses Can All Be Forged

  • Caller id, text message sender ids and email “From” addresses can all be forged. You therefore cannot trust them alone as a source of verification, and you cannot trust the address a message asks you to reply to: the “Reply-To” header can point somewhere entirely different from the visible “From” address. Verify through a channel you already know, such as the HelpDesk number on the campus website, rather than a number or address supplied in the message. The SFSU HelpDesk will not contact you first this way unless you have already contacted them, and will never ask you for sensitive data via email.
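What "cannot trust them alone" means in practice can be seen from the message headers themselves. The following Python is an added example, not part of the original post: it compares the visible From domain with the Reply-To and Return-Path domains and flags the two tells this post warns about, a request for credentials and a deadline. The sample message is constructed to resemble the campus lure; the helpdesk address, the campus domain and the word lists are assumptions.

```python
"""Flag header and body tells of a spear phishing mail.
Added example, not the original post's code; SAMPLE is a constructed
message and CAMPUS_DOMAIN is an assumption."""
from email import message_from_string
from email.utils import parseaddr

CAMPUS_DOMAIN = "sfsu.edu"  # assumption: the domain genuine staff mail comes from

# Constructed sample: From claims the campus helpdesk, but replies and
# bounces are routed to unrelated domains.
SAMPLE = """\
Return-Path: <bounce-1234@mail.example.net>
From: "SFSU HelpDesk" <helpdesk@sfsu.edu>
Reply-To: sfsu.verify@example.com
To: student@sfsu.edu
Subject: Your email account will be disabled in 24 hours

Confirm your account or it will be deactivated. Reply with your password.
"""

# Constructed benign message for comparison: all domains agree, no demands.
GENUINE_SAMPLE = """\
Return-Path: <jane@sfsu.edu>
From: Jane Doe <jane@sfsu.edu>
To: student@sfsu.edu
Subject: Lunch

See you at noon.
"""

URGENCY_WORDS = ("24 hours", "disabled", "deactivated", "suspended")


def _domain(header_value):
    """Lower-cased domain of an address header ('' if absent or unparsable)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def header_findings(raw):
    """Return the reasons this message deserves suspicion.

    An empty list does not prove the mail genuine: a From header can be
    forged outright.  It only means Reply-To and Return-Path agree with it
    and the body makes no credential demand under a deadline."""
    msg = message_from_string(raw)
    findings = []
    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To"))
    bounce_dom = _domain(msg.get("Return-Path"))

    # Replies or bounces going somewhere other than the claimed sender
    # is the classic sign of a forged From.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if bounce_dom and bounce_dom != from_dom:
        findings.append(f"Return-Path domain {bounce_dom} differs from From domain {from_dom}")

    body = msg.get_payload(decode=True).decode("utf-8", "replace").lower()
    subject = (msg.get("Subject") or "").lower()
    if "password" in body and ("reply" in body or "confirm" in body):
        findings.append("Body asks for a password by reply")
    if any(w in subject or w in body for w in URGENCY_WORDS):
        findings.append("Uses an urgent threat to rush the reader")
    return findings


if __name__ == "__main__":
    for finding in header_findings(SAMPLE):
        print("-", finding)
```

Where the receiving mail server adds an Authentication-Results header (SPF/DKIM verdicts), that header, not the From line, is the authoritative check; the comparison above is a quick way to spot the mismatch a reader can see in the raw headers without any such infrastructure.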


Don’t Respond to Mail You Suspect As Spam or Phishing Attempts
  • As indicated above, the reply address is often forged, stolen or created specifically for sending spam. Replying only confirms to the sender that your email address is live, which makes it a more valuable target for the next wave.

Use Browsers That Are "Phisher" Aware
  • As a result of the large volume of attacks against PayPal, eBay and online banking users over the past 3 years, anti-phishing features have been added to the popular web browsers. Internet Explorer 7, Firefox 2.0 and Opera 9.x have all implemented them. Turn these features on; they will warn you before you land on a known fraudulent URL linked from an email message. Note that these warnings are based on lists of reported sites, so a freshly created phishing page may not be flagged yet; the warning is a safety net, not a substitute for checking the address yourself.
Look At How You Manage Ids & Passwords Across Web Sites Internal & External to SFSU
  • If you keep the same id and password on several systems, and you revealed your id and password in this last phishing attempt, change at least your password on every site where you used it, not just the campus one. Phishers are reportedly exploiting the fact that many people reuse one id and password across the web interfaces they access (campus, bank, social networking site, etc.) and are targeting you at a location where you may be more casual about sharing information (such as the campus environment) rather than through a bank communication, where your guard may be higher.

Put time on your side.
  • Malicious messages commonly use threats (such as your email being turned off) to force you to act quickly without thinking. Instead, use that time to verify the source of any message that asks for personal information about you; a genuine deadline will survive a phone call to the HelpDesk.


Think About Information You Have Posted On Other Websites
  • The industry is seeing a large volume of “blended” and multi-vector attacks, meaning that scammers are piecing together sensitive information from multiple sources. If posting your email address on another site brings you no real benefit, consider whether it really needs to be public, and activate any private sharing features the site provides.


3.15.2008

Phishing Article, Xpress


I've recently done some interviews with the SFSU XPress newspaper on the recent spear phishing activity targeted at campus members. Unfortunately, very little content from either of those interviews was published by the editors at Xpress and I was instead frequently quoted as "having no comment", which was not the case....

Here is the original interview with Doug Morino and some content that I think will be useful to students and staff wanting to limit the success and impact of spear phishing or any type of social engineering targeted towards them:


Have you had a problem like this in the past?

Not at SFSU, but Stanford and other academic institutions have been reporting this activity for a couple of years now. It has been hitting academic centers very hard recently because of their large populations using social networking tools, which in turn offer perpetrators easy information and common "locales" in which they can target subjects en masse.


How do SF State students' e-mail accounts fall victim to hackers?

Much like any other site that is targeted. Their email addresses are either:

  • publicly available (posted for professional or personal reasons on another website like Educause or Facebook, for instance),
  • derived using common naming conventions at an academic center, or
  • derived using name dictionaries and common email addresses in use within an academic environment (helpdesk@sfsu, student-news@sfsu.edu, etc.)



Has the university found a source for the emails?

Indirectly yes; we know they came from compromised accounts on the Yahoo European domains. The volume of this type of activity is so high "in the wild" however, that we suspect we will be unlikely to find the exact perpetrators. Currently the majority of these attacks are coming from Russia, China, Romania and Brazil. However, this means the originating or transiting/forwarding systems were more likely to be compromised there, not necessarily that the hackers physically reside or are necessarily from those countries. In most cases they have taken over the resources of another entity to send out more spam and spear phishing attempts. This was part of their objective at SFSU.

How many students and faculty members have been targeted?

These attacks were in waves, each with a new message crafted using information from bounced messages as well as replies to then draft subsequent variants. In a practical sense, anyone with a userid on the sfsu.edu domain was and is a target. Many of these ids were harvested off social networking websites, public websites where staff, faculty or students may post or otherwise display their email for personal or professional reasons. Others were generated using dictionary type attacks which generate a number of variants using email naming conventions. Conservatively, we can probably estimate about 50,000 were or are targets.



How did the perpetrators get a hold of students and faculty info?

Please see the answer above regarding how email accounts and sites are targeted. Dictionary-like attacks based on userid naming conventions, as well as public website postings of email messages and cookie harvesting, are common ways to get ids.
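The dictionary-style harvesting described in the answers above (how accounts are found, how many were targeted, and how the perpetrators got ids) works because campus local-parts follow a handful of predictable conventions. As an added illustration, not part of the original interview, here is a Python generator for the candidate addresses a harvester would try for each name, together with a defender's companion that reports which conventions a real directory exposes. The names, the domain and the convention list are assumptions.

```python
"""Enumerate address candidates from naming conventions, and measure how
guessable a directory is.  Added example, not the interviewee's code;
CONVENTIONS, SAMPLE_NAMES and the domain are assumptions."""

# Assumption: conventions commonly seen at universities.  Each is a format
# string over first name, last name and their initials.
CONVENTIONS = (
    "{first}.{last}",
    "{first}{last}",
    "{f}{last}",
    "{first}{l}",
    "{last}{f}",
    "{last}.{first}",
    "{f}.{last}",
    "{first}_{last}",
    "{first}",
    "{last}",
)

# Constructed names, as a harvester might pull them from a public web page.
SAMPLE_NAMES = [("Jane", "Doe"), ("John", "Smith")]


def _fields(first, last):
    first, last = first.lower(), last.lower()
    return dict(first=first, last=last, f=first[0], l=last[0])


def candidate_localparts(first, last, digits=range(0, 3)):
    """Yield local-parts for one person: every convention, plus the numeric
    suffixes campuses append to resolve collisions (jsmith, jsmith1, ...)."""
    fields = _fields(first, last)
    seen = set()
    for conv in CONVENTIONS:
        base = conv.format(**fields)
        for n in digits:
            cand = base if n == 0 else f"{base}{n}"
            if cand not in seen:
                seen.add(cand)
                yield cand


def candidates(names, domain):
    """De-duplicated list of addresses a harvester would try for `names`."""
    out, seen = [], set()
    for first, last in names:
        for lp in candidate_localparts(first, last):
            addr = f"{lp}@{domain}"
            if addr not in seen:
                seen.add(addr)
                out.append(addr)
    return out


def exposed_conventions(directory):
    """Defender's view.  `directory` is an iterable of (first, last, address)
    for real accounts.  Returns a count per convention of how many real
    addresses it would have guessed correctly (trailing digits ignored)."""
    counts = {}
    for first, last, addr in directory:
        localpart = addr.lower().rsplit("@", 1)[0].rstrip("0123456789")
        fields = _fields(first, last)
        for conv in CONVENTIONS:
            if conv.format(**fields) == localpart:
                counts[conv] = counts.get(conv, 0) + 1
    return counts


if __name__ == "__main__":
    addrs = candidates(SAMPLE_NAMES, "example.edu")
    print(len(addrs), "candidates, e.g.", addrs[:5])
```

Two names already yield sixty addresses; at campus scale that is the "dictionary type attack" the interview describes, and the bounces from the misses tell the sender which conventions are real, which is why the next wave is better targeted. Running `exposed_conventions` over an export of the real directory shows how concentrated a campus's naming is, and therefore how much of it a harvester recovers from a single public name list.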


Have you heard from other universities about the problem?

Yes. Several regional universities also have the same technology we have in place from CISCO but there has been unfortunately a large increase in phishing traffic that the security solution vendors such as CISCO have been having difficulty stopping with their current signature databases.


If so, what are they doing to combat it?

Like SFSU, currently pressuring vendors to enhance their products to better meet the needs of academic environments which have been traditionally ignored because prior attacks have focused on banks and other online communities like EBay. Hence, this has likewise been the focus of security vendors and they are a bit behind the curve, so to speak in understanding the signatures of messages targeted for academic environments.


What specifically is SFSU doing to combat this?

We are working with vendors developing some of the next generation technologies like machine learning, domain signing and network forensics which help to better catch these messages in the first place (so that they would ideally never be seen) as well as better track perpetrators or monitor their overall behavior and try to determine what they are really up to. Budget cuts are significantly impacting our ability to deploy these new technologies but we continue to work with the vendors to evaluate and help them refine the products to meet our environment's unique needs.


What can students do to ensure their online safety?

Please see the guidance in my next post


What can they do if they've fallen victim and supplied personal information?

Please see the guidance in my next post


What are your personal thoughts on the "phishing" problem?

I think it is an unfortunate waste of people's time and a real drag to the online experience, which is why technology that does a better job of catching these messages in the first place is a strong desire of mine. We are unfortunately seeing significant increases in multi-vector attacks meaning that the techniques and sources are coming via multiple communication mediums such as email, web, forged caller-id, etc. Many attacks are spanning multiple webservices or Web 2.0 platforms. This further degrades the web experience and "trust" we have in these sites and communities.
