Last week, we sent several messages warning the community about a targeted malicious email attack against Emerson. A strange message with a link alleging to be related to payroll led to a website identical to eCommon. Nearly 50 users who provided their Emerson credentials to the website found their accounts hijacked and used to send almost 70,000 malicious emails to Emerson community members and the general Internet.
Not only does this damage the reputation of the user who is compromised, it harms Emerson’s email reputation on the Internet and has added Emerson to some email blacklists. This can cause mail to your outside colleagues to be delayed or undelivered.
Once compromised Emerson accounts were sending spam to other Emerson accounts, we had to take additional steps to reduce the likelihood that these kinds of messages would be delivered. Email sent internally is largely unfiltered and trusted (with the exception of virus protection and malicious attachment blocking), so we are now internally blocking specific verbiage we have seen in the spam. We also block the malicious links from the Emerson network and we delete the harmful messages from Emerson mailboxes.
However, since many of our users are off-campus and/or forward their mail to personal accounts, these users will still be vulnerable to links and messages that IT cannot block once they have been sent. For this reason, while we have seen a significant drop in compromised accounts since last week, we have continued to see one to two a day this week, as we continue to be targeted by this attack.
Until we have an extended period (several days) of NO compromised accounts, we will continue to struggle with this problem.
For this reason, we need every Emersonian with email access (especially those off-campus or forwarding) to be extremely vigilant. These messages are normally easy to spot. They contain:
- Bad grammar or syntax.
- Little to no context or description.
- A hyperlink with “Click here!” or “Sign in!” or “Important message!”
- Senders who you don’t recognize, or who would have no business sending a message like this.
- Off-branding – for instance, some messages are from “The ITS Helpdesk,” when we brand as the Emerson IT Help Desk.
Before you enter your credentials anywhere:
- Check the URL in the address bar – is it an emerson.edu website? If it’s not, DON’T enter your credentials.
- Sometimes, malicious links will be disguised to look like emerson.edu links. Be safe and copy and paste the emerson.edu link into a web browser.
Remember – when you fall for a phishing scam, you have handed your password to a scam artist. Not only can it hurt your own reputation and Emerson’s, it can cause you to lose personal or college data to a thief. Ask yourself – with enough effort, what other harm could this person do to me by owning my college or personal usernames and passwords?
Emerson IT will continue to take proactive and reactive steps to prevent this kind of attack, but the Internet is an open space, and email can be especially vulnerable. Please be cautious, and browse our site at it.emerson.edu for more information and alerts, or to make a request (remember, copy and paste that link, don’t simply click it). We will provide an update next week.