3.15.2008

Phishing Article, Xpress


I've recently done some interviews with the SFSU XPress newspaper on the recent spear phishing activity targeted at campus members. Unfortunately, very little content from either of those interviews was published by the editors at Xpress, and I was instead frequently quoted as "having no comment," which was not the case....

Here is the original interview with Doug Morino and some content that I think will be useful to students and staff wanting to limit the success and impact of spear phishing or any type of social engineering targeted towards them:


Have you had a problem like this in the past?

Not at SFSU, but Stanford and other academic institutions have been reporting this activity for a couple of years now. It has been hitting academic centers very hard recently because of their large populations using social networking tools, which in turn offer perpetrators easy information and common "locales" in which they can target subjects en masse.


How do SF State students' e-mail accounts fall victim to hackers?

Much like any other site that is targeted. Their email address is either:

  • publicly available (posted for professional or personal reasons on another website like Educause or Facebook, for instance)
  • derivable using common naming conventions at an academic center
  • derivable using name dictionaries and common email addresses in use within an academic environment (helpdesk@sfsu, student-news@sfsu.edu, etc.)
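To make the second and third points concrete, here is an added example (not part of the original interview) showing how few naming conventions an attacker needs to derive most of a campus's mailboxes from a public roster of names, and how a defender can measure that exposure against the real directory. The roster, domain, convention list, role-account list and directory below are all constructed assumptions, not SFSU data.

```python
"""Derive candidate e-mail addresses from names plus common institutional
naming conventions, then measure how many real mailboxes they hit.

Added example; not code from the original post. Every name, domain and
list in this file is a constructed assumption for illustration only.
"""

# Constructed sample roster (fictitious people), e.g. scraped from a
# public "faculty" or "student organization" page.
ROSTER = [
    ("Jane", "Doe"),
    ("Robert", "Smith"),
    ("Maria", "Garcia-Lopez"),
]

# Naming conventions commonly seen in academic mail systems (assumed set).
# Each function maps a normalized (first, last) pair to a local part.
CONVENTIONS = {
    "first.last": lambda fname, lname: f"{fname}.{lname}",
    "flast":      lambda fname, lname: f"{fname[0]}{lname}",
    "firstl":     lambda fname, lname: f"{fname}{lname[0]}",
    "first_last": lambda fname, lname: f"{fname}_{lname}",
    "lastf":      lambda fname, lname: f"{lname}{fname[0]}",
    "first":      lambda fname, lname: fname,
}

# Role mailboxes that exist at nearly every campus (assumed list).
ROLE_ACCOUNTS = ["helpdesk", "webmaster", "postmaster", "admissions", "registrar"]


def normalize(part: str) -> str:
    """Lower-case a name and strip anything that is not a letter or digit,
    so 'Garcia-Lopez' becomes 'garcialopez' as most mail systems would."""
    return "".join(ch for ch in part.lower() if ch.isalnum())


def candidate_addresses(first: str, last: str, domain: str,
                        conventions=CONVENTIONS) -> set:
    """All addresses one person could plausibly have under the conventions."""
    fname, lname = normalize(first), normalize(last)
    return {f"{fn(fname, lname)}@{domain}" for fn in conventions.values()}


def enumerate_targets(roster, domain: str, role_accounts=ROLE_ACCOUNTS) -> list:
    """The full guess list an attacker would mail: role accounts plus every
    convention applied to every name on the roster."""
    targets = {f"{role}@{domain}" for role in role_accounts}
    for first, last in roster:
        targets |= candidate_addresses(first, last, domain)
    return sorted(targets)


def exposure_report(roster, domain: str, directory) -> set:
    """Defender's view: which real mailboxes (from an assumed export of the
    mail directory) would be hit by guessing alone, with no leaked list."""
    return set(enumerate_targets(roster, domain)) & set(directory)


if __name__ == "__main__":
    domain = "example.edu"  # assumed domain
    # Constructed directory export; one address has no roster entry and is
    # therefore not guessable from names alone.
    directory = [
        "jdoe@example.edu", "rsmith@example.edu", "mgarcialopez@example.edu",
        "helpdesk@example.edu", "ksalvatore@example.edu",
    ]
    guesses = enumerate_targets(ROSTER, domain)
    hits = exposure_report(ROSTER, domain, directory)
    print(f"{len(guesses)} guesses, {len(hits)} of {len(directory)} "
          f"real mailboxes reached: {sorted(hits)}")
```

The useful number is the hit rate, not the guess count: a few dozen guesses per name cost an attacker nothing, and bounces tell them which convention the campus actually uses, after which the rest of the roster is a single pass. That is why a posted name is nearly as good as a posted address.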



Has the university found a source for the emails?

Indirectly, yes; we know they came from compromised accounts on the Yahoo European domains. The volume of this type of activity is so high "in the wild," however, that we suspect we will be unlikely to find the exact perpetrators. Currently the majority of these attacks are coming from Russia, China, Romania and Brazil. However, this means the originating or transiting/forwarding systems were more likely to be compromised there, not necessarily that the hackers physically reside in or are from those countries. In most cases they have taken over the resources of another entity to send out more spam and spear phishing attempts. This was part of their objective at SFSU.

How many students and faculty members have been targeted?

These attacks came in waves, each with a new message crafted using information from bounced messages as well as replies, which was then used to draft subsequent variants. In a practical sense, anyone with a userid on the sfsu.edu domain was and is a target. Many of these ids were harvested off social networking websites and public websites where staff, faculty or students may post or otherwise display their email for personal or professional reasons. Others were generated using dictionary-type attacks, which generate a number of variants using email naming conventions. Conservatively, we can probably estimate that about 50,000 were or are targets.



How did the perpetrators get a hold of students and faculty info?

Please see the answer above regarding how email accounts and sites are targeted. Dictionary-like attacks based on userid naming conventions, as well as public website postings of email messages and cookie harvesting, are common ways to get ids.


Have you heard from other universities about the problem?

Yes. Several regional universities also have the same technology we have in place from Cisco, but there has unfortunately been a large increase in phishing traffic that security solution vendors such as Cisco have had difficulty stopping with their current signature databases.


If so, what are they doing to combat it?

Like SFSU, they are currently pressuring vendors to enhance their products to better meet the needs of academic environments, which have traditionally been ignored because prior attacks focused on banks and other online communities like eBay. Hence, this has likewise been the focus of security vendors, and they are a bit behind the curve, so to speak, in understanding the signatures of messages targeted at academic environments.


What specifically is SFSU doing to combat this?

We are working with vendors developing some of the next-generation technologies, such as machine learning, domain signing and network forensics, which help to better catch these messages in the first place (so that they would ideally never be seen) as well as better track perpetrators or monitor their overall behavior and try to determine what they are really up to. Budget cuts are significantly impacting our ability to deploy these new technologies, but we continue to work with the vendors to evaluate and help them refine the products to meet our environment's unique needs.


What can students do to ensure their online safety?

Please see the guidance in my next post.


What can they do if they've fallen victim and supplied personal information?

Please see the guidance in my next post.


What are your personal thoughts on the "phishing" problem?

I think it is an unfortunate waste of people's time and a real drag on the online experience, which is why technology that does a better job of catching these messages in the first place is a strong desire of mine. We are unfortunately seeing significant increases in multi-vector attacks, meaning that the techniques and sources are coming via multiple communication media such as email, web, forged caller-id, etc. Many attacks are spanning multiple web services or Web 2.0 platforms. This further degrades the web experience and the "trust" we have in these sites and communities.
