You are viewing this article in the AnnArbor.com archives. For the latest breaking news and updates in Ann Arbor and the surrounding area, see MLive.com/ann-arbor
Posted on Wed, Aug 14, 2013 : 1:35 p.m.

University of Michigan warns against email scams as some direct deposit accounts are compromised

By Kellie Woodhouse

University of Michigan is experiencing a newly sophisticated type of cyber attack: An email scam that attempts to get employees' passwords, gain access to their personal information and redirect their direct deposits.

Military Cyberdefense_Wood.jpg

University of Michigan is warning employees to be careful of email phishing scams.

AP photo

The school is no stranger to phishing attempts. Employees receive several spear phishing attempts —in which scammers impersonate an institution, in this case U-M, in an effort to get victims to offer up sensitive information— each month. For example U-M has recorded six wide-scale phishing attempts already this month and more than 60 since January.

However, in past scams perpetrators haven't taken advantage of the information gleaned to manipulate an employee's direct deposit account. Attempts are also becoming more convincing.

In recent weeks multiple U-M employees have had their direct deposit accounts changed, although U-M was able to recover all the funds.

"That's an activity that we haven't seen before," said U-M chief security officer Paul Howell. "It wasn't always the case that the information was being used."

The school estimates less than 10 people who fell prey to the phishing attempts had their direct deposit access manipulated. All together, less than 50 people have offered up their personal information or passwords to scammers in recent weeks.

Successful attempts can disclose passwords, which can leave vulnerable an employee's U-M account and all the information held within it, putting them at risk for identity theft. If a victim uses the password for other accounts, those accounts can be breached as well.

"The defenses against these things are very difficult," Howell said.

The phishing attempts range in sophistication and believability. For example, an attempt on August 13 had the subject line "NOTIFICATION !!!," but others have had subject lines like "Letter From University of Michigan" and have signed off saying "The Regents of the University of Michigan."

Some have linked to webpages —on which the perpetrator instructs the victim to enter their password— that don't look at all like a U-M interface, while other webpages have been very convincing.

An email that convinced several U-M employees to offer up personal information is transcribed below:

Date: Tuesday, August 06, 2013 Subject: Letter From University of Michigan

Dear User,

Your account profile will expire today.

Kindly Click Here [LINK REMOVED] to validate.

Sincerely, University of Michigan

All rights reserved. Copyright © 2013 University of Michigan

U-M has firewalls and filters in place to detect email scam, but with perpetrators constantly honing their attempts, phishing can be difficult to thwart.

"They're getting more sophisticated," U-M Police Department spokeswoman Diane Brown said of the hackers. "[We] make patches to try to stop them but the perpetrators find another unique way to make it look more legit and it passes through filters."

U-M is trying to educate its workers on how to avoid phishing attempts and differentiate scam emails from legitimate U-M ones. Brown stressed the importance of not using the same password for multiple accounts and regularly checking direct deposit and payroll information.

The school cautions employees to beware of emails that have a sense of urgency and use terms like "validate," "verify" and "update your account." Employees are cautioned to look at URLs included in emails to see if they match the umich.edu platform. Also, when entering a password letters should be hidden after entered. If they're not, that's a sign something could be amiss.

Below is a U-M-produced video on avoiding phishing attempts.

Kellie Woodhouse covers higher education for AnnArbor.com. Reach her at kelliewoodhouse@annarbor.com or 734-623-4602 and follow her on twitter.

Comments

intellcity

Thu, Aug 15, 2013 : 3:33 a.m.

Just don't be lazy and click on links in emails, even from friends. They may not actually be from the friend. Most legitimate organizations do not request info through the internet. They already have it. The bad guys are getting better at being bad. A modern computer operating system has over 10,000,000 lines of code (some even over 50M?) and somewhere someone is going through them looking for an opportunity for mischief. The same goes for browsers that connect you to the internet. Anything can be faked. It takes a while for the anti-scam, anti-virus, anti-phishing gurus to catch up and create a solution. Visa got chopped into (hacked?) and lots of account numbers were compromised. The UMCU cards were among these. They notified us my email but new cards and passwords came via USPS. No one asked us to verify account numbers, passwords or update anything over the internet but you can be sure there were some people who were. Don't get in a rush to do the quick fix for the financial problem while dinner is in the microwave. And go through your statements and verify all the bills and transfers etc. You usually have a short window to notify the bank or card issuer and have a chance to get your money back. But if you have a lot of money and want to invest in legitimate gas exploration leases let me know.

Tru2Blu76

Thu, Aug 15, 2013 : 12:29 a.m.

Nice presentation. It's interesting because this is one of the rare times I've seen quality advice on security of any kind on AnnArbor.com's website. Why is it that quality information on personal / physical security is not provided frequently. Examine the frequency of stories about robberies, rapes, assaults and murders on this (and many news sites) and then try to find expert guidance on how to avoid such tragedies. OTH, it's seldom we hear about the crimes described in this article - but they are often accompanied by such expert advice as that which is provided by U of M for this story. Odd, isn't it? Also, when there are calls for advice on that "other topic" (physical security) or when there is advice or at least reference to good security sources - those posts and articles get a lot of thumbs down votes. And comment's like, "That's paranoid," "Too much trouble" and "No one can possibly be that skilled" are common. Lets ask Sheriff Jerry Clayton and Mayor John Hieftje how they fend off attackers. Maybe we can learn from their "techniques." Or we could even interview President Obama to learn his methods of keeping himself and his family safe. After all, these men all talk with 100% assurance about how we should defend ourselves. ;-)

ThinkingOne

Thu, Aug 15, 2013 : 12:05 a.m.

One thing I always do when anything looks the least bit suspicious, is hover over the 'sent from' or 'sender' address while it is still unopened in the inbox. The listed name showing may be something that sounds authentic, but when you hover you may wee see something with about 35 letters in it that makes no sense. This usually indicates it is just a made-up sending address. Often when one of these fakes is shut down, another random address is generated. Here is one of my favorites that I get with some frequency (although the hover-address may vary): Sender is: Fidelity Life Subject is an offer for a term life-insurance policy. The actual sent-from address that is displayed when hovering: cg1jhbnt (at) xzxq7u3 . dyscrosp . net (NOTE: the (at) and the spaces were to prevent this from showing up as an actual link. The address had the proper formatting.) I did not open it, but I am sure that if I did they would probably offer me a great quote if I only gave them some information...

Kai Petainen

Wed, Aug 14, 2013 : 10:53 p.m.

a while ago, my identity was stolen ... they used a PayPal mobile device at a Home Depot and tried getting $8,000 worth of $200 gift certificates. You can read about it here: http://tinyurl.com/8mrpw4f "An individual walks into a Home Depot, configures his cellphone to use PayPal and uses it to buy nearly $8,000 worth of $200 gift certificates. What's the problem? It was my PayPal account and it wasn't me – I was a victim of identity theft."

1bit

Wed, Aug 14, 2013 : 10:46 p.m.

Hello, friends. I am okay after being mugged in Mexico City. Unfortunately, they stole my money, passport and plane tickets. The criminals are also holding hostage my pet Chihuahua, Fifi. Please please, I need your help and ask that you wire me money ASAP.

1bit

Wed, Aug 14, 2013 : 10:43 p.m.

I am a wealthy Nigerian businessman and would like to help these people. I will gladly transfer the sum of US $35,000,000.00 (35 million) dollars to the account of someone on this forum. Unfortunately, most of my money is tied up by villainous gangs and it is not safe for me to transport the money. If one of you is so kind to provide your bank account information, I will wire the money to you as long as you promise to transfer it back to me upon my arrival in the U.S. In exchange, I will give you 10% of the above sum.

Dug Song

Wed, Aug 14, 2013 : 9:19 p.m.

Duo Security solves this problem for other universities like MIT, U. Texas, U. Chicago, U. Illinois; 3 of the 5 largest social networks; 150 online banks, etc. Watch our simple cartoon to see how :-) https://www.duosecurity.com/why-two-factor BTW, we're just down the block from Zingermans, and are actively hiring! http://jobs.duosecurity.com/

Jaime Magiera

Thu, Aug 15, 2013 : 2:23 a.m.

Dug is a highly respected, innovative and entrepreneurial security researcher. It's not ambulance chasing as much as it is providing some context to a serious situation and pointing to a solution to the problem - and asking interested people to join him in the cause.

relaxedandunafraid

Wed, Aug 14, 2013 : 11:55 p.m.

Interesting marketing approach - I believe it's often referred to as ambulance chasing. Just take a deep breath and relax, if you have a good product the customers will come.

1bit

Wed, Aug 14, 2013 : 10:49 p.m.

You can already trick people with social engineering to get the information you want, even with relatively unsophisticated attacks. Two-factor authentication can be similarly defeated by clever people.

JRW

Wed, Aug 14, 2013 : 7:59 p.m.

Always check the address used to send the emails. Don't open them unless they are from umich.com. You can look at the full header without opening the email. Also, just hover your cursor over the address and you will see the address displayed. Don't open any email that is not from an authentic umich.com address.

justaposter

Wed, Aug 14, 2013 : 8:55 p.m.

Except that umich.com is not UM's url. It's umich.edu :)

Kellie Woodhouse

Wed, Aug 14, 2013 : 8:37 p.m.

Yes, great point.

blue85

Wed, Aug 14, 2013 : 7:47 p.m.

" Employees are cautioned to look at URLs included in emails to see if they match the umich.edu platform. " When looking at the URL, it is useful to look for the "padlock" symbol...the padlock symbol MAY be an indication that what goes on behind the padlock is secured...in conjunction with a proper URL, this MAY indicate that the interaction is protected. <== I don't k now if I am right, hence the qualifiers, but if I am correct, it would be an additional refinement, beyond the mere URL, to look for.

Jaime Magiera

Wed, Aug 14, 2013 : 8:10 p.m.

The padlock is indicative of the website using Secure Sockets Layer (SSL). This is the "https://" you see at the beginning of the URL. The padlock specifically means "this website uses a SSL security certificate that has been verified". It should be noted however that just because a website has a valid certificate doesn't mean it is always safe. The certificate may have been gotten by nefarious characters. These days, SSL is not always safe itself. For example, a gentleman named Moxie Marlinspike, who I've interviewed before, designed several software tools that can be used to circumvent SSL (he did it for demonstration purposes so that SSL could be improved). The best bet is not not click on the link at all and instead to to the main website of the organization and navigate to the particular resource. Alternately, you can call the help desk of the organization.

Kellie Woodhouse

Wed, Aug 14, 2013 : 7:59 p.m.

Nice tip!

Sawchuk

Wed, Aug 14, 2013 : 7:25 p.m.

Kellie; my golden rule is 'don't open', or at least 'don't answer' any email asking a question, personal information, or for money. If it honestly looks to be legit, I always call my institution, etc., or stop by. To my belief, personal information (id's, passwords, bank accounts) can not be compromised on your computer without your assistance (I hope).

Anthony

Thu, Aug 15, 2013 : 3:38 a.m.

Not to mention all the data that the fed's are constantly collecting on everyone. The instant you digitize information it becomes insecure. By harvesting information from its own citizens, the gov't has effectively created a huge target for potential future hacks, and trust me, they will happen.

Justin

Wed, Aug 14, 2013 : 8:14 p.m.

That is a good golden rule. There is such a thing as a healthy dose of paranoia. There are many ways that personal information can be compromised without your active participation, however. The sad truth is nobody can be 100% safe 100% of the time. You can only use your head and take steps to minimize your risk. Any time you use a credit card, for instance, any number of other people are granted access to those numbers for some period of time (and everyone has a camera phone these days). Unless you have a secure mailbox, any time you receive identifying information in postal mail, an unscrupulous neighbor could swipe it while you aren't looking (e.g. mail with SSNs from the IRS or SSA, not to mention all the credit card spam that comes in postal mail). If you have a network at home that is not properly secured, malicious 3rd parties could eavesdrop on everything you send over the network that is not encrypted. If you do not keep your computer updated with security patches, it could potentially be exploited any number of ways by malicious people. And so on, and so on. In this day and age, the only way to combat the sorts of people who perpetrate these crimes is to be rather paranoid and vigilant with personal information at all times. But doing this can only minimize risk; it can never eliminate it entirely.

Kellie Woodhouse

Wed, Aug 14, 2013 : 7:42 p.m.

Sounds like a good rule.

Pizzicato

Wed, Aug 14, 2013 : 7:06 p.m.

So not a new type of attack, just more convincing versions of the same old ones.

Kellie Woodhouse

Wed, Aug 14, 2013 : 8:39 p.m.

Another great tip. I'm going to start adopting it. Because my email is so public I get dozens go phishing attempts a week.

Pizzicato

Wed, Aug 14, 2013 : 8:02 p.m.

Kellie- The key for people - the single most important thing to look for that's usually a dead giveaway - is to hover over a link that's provided. Your browser will display the link you're about to click on in the status bar. If you think you're going to "https://www.tiaa-cref.org", but instead you see "http://www.RipYouOffFromRussia.rus" in your status bar, then you're probably about to get phished. The "https" is the first dead giveaway (that indicates a secure http website), the rest of the address should be the clincher.

Kellie Woodhouse

Wed, Aug 14, 2013 : 7:42 p.m.

And it appears more or different follow through once information is obtained.

Dan Patterson

Wed, Aug 14, 2013 : 6:20 p.m.

In my experience, any email with the word "Kindly" is probably not authentic and shouldn't pass through the filters. Only place I ever see that word used is in phishing emails.

A2comments

Wed, Aug 14, 2013 : 6:25 p.m.

Like in "Dan, yesterday I bumped into your kindly old grandmother downtown"?

Jaime Magiera

Wed, Aug 14, 2013 : 6:08 p.m.

Just because someone sends a phishing attempt, doesn't mean they are a "hacker". That's a loaded term thrown about far too much these days. Hacking is a philosophy in regards to exploring technology. These people sending the phishing attempts are "criminals".

Jaime Magiera

Wed, Aug 14, 2013 : 8:59 p.m.

Why? The original use of the name was not nefarious. Instead, the media should stop throwing around the word "hacker".

Solitude

Wed, Aug 14, 2013 : 8:23 p.m.

Blue85, you summed it up best. I am aware the word has been appropriated by those who "hack" for a higher cause. I would argue they should have come up with a different name.

Jaime Magiera

Wed, Aug 14, 2013 : 8:04 p.m.

Solitude, as a member of the hacking community, I can tell you that your perception is incorrect. The word "hacker" originated at MIT, when users of the monolithic computer systems found ways to manipulate the machines in ways not intended. Hacking is a culture based around exploring and manipulating technology. There are conferences, magazines, websites, radio shows, chat rooms, etc. all based around those concepts. Only a small number of hackers do nefarious things with their knowledge. (I've had articles published in hacker magazines, am a speaker at hacker conferences and host a radio show on technology which includes hacking topics.). I encourage you to do a little bit of exploration on what hacking really means. Check out 2600 magazine (http://www.2600.com). You can also attend any of the *public* hacker meetings on the first Friday of every month. The Ann Arbor meeting is at the Starbucks on South University. The problem with labeling everything hacking, and everyone who hacks as evil, is that it does a disservice to those who work hard to push the boundaries of technology. Their work is important. It helps improve security and ensure that our rights are not trampled in the ever-increasing technological landscape.

blue85

Wed, Aug 14, 2013 : 7:48 p.m.

It might be useful to make the "white hat" versus "black hat" distinction. Some people are paid to hack in order to identify and lead to the repair of system weaknesses.

Solitude

Wed, Aug 14, 2013 : 6:40 p.m.

I would agree that phishing isn't necessarily an attempt at hacking, however.

Solitude

Wed, Aug 14, 2013 : 6:37 p.m.

"Hacking" is seeking and exploiting unauthorized access to a computer system. Hacking is no more a technological "exploration" or philosophy than graffiti is art or stealing copper pipes is "scrapping."

Jaime Magiera

Wed, Aug 14, 2013 : 6:06 p.m.

"U-M-procued" probably should be fixed as well

julieswhimsies

Thu, Aug 15, 2013 : 6:47 a.m.

I agree. However, this young woman is getting paid to blog. My advice: Proofread, proofread, proofread!

Blue Dog Red

Wed, Aug 14, 2013 : 10:52 p.m.

how about fixing "breeched" while you are at it? :)

Jaime Magiera

Wed, Aug 14, 2013 : 9:05 p.m.

In fairness to Kellie, after viewing a piece of text over and over while working on it, it's easy to pass over simple mistakes. The brain eventually integrates everything into a big jumbled blob. Sometimes it's best to step away from a piece of writing for an hour or two and come back to it. The brain resets itself and the mistakes come back to the foreground.

Kellie Woodhouse

Wed, Aug 14, 2013 : 6:12 p.m.

bah. Thank you.

a2xarob

Wed, Aug 14, 2013 : 5:53 p.m.

Scary. But it is "fell prey." Prey is a victim. Pray is, well you know.

Julie Baker

Wed, Aug 14, 2013 : 5:56 p.m.

Thanks, that's fixed.