Spam Attacks Against University of Pennsylvania

University of Pennsylvania (Penn) has been the target of the latest series of spam mails attacks called phishing scam. The e-mails imitate the authentic messages from the university to acquire details of personal account from users.

Vice Dean of Administration and Finance of School of Arts and Sciences, Ramin Sadehi said that spam attack occurs in series at universities nationwide, but this wave is very sophistcated as it is customized, maximizing the chances that the user can be deceived easily, as reported by dailypennsylvanian on August 7, 2008.

It was at the end of July 2008 when messages started attacking Penn's radar, affecting all the users having "upenn.edu" accounts. They make use of varied senders and subject lines like "Message from Upenn.Edu" and "Help Desk Notice". They ask users to respond with the details of their account number and password to upgrade the mail system. The mails also carry an alert the users not replying to the mail will have their accounts blocked.

Further, the hackers accessed a mail account of the university to send several spam mails, blocking the system and forcing the users to wait at least for 5 minutes to send or receive mail.

Also, it is very tough to trace the origin of the messages, as they appear to have come from Penn's system. The university also claimed that there is no proper number as how many users have replied, but all it requires is just one mail to propagate the scam.

Unfortunately, once inside an account, hackers can change the content and also send messages on behalf of the user, which appears more real as they make use of the user's contact and also imitate earlier sent material. Also, ID theft can be safely called as an extension of phishing as it offers details of the user.

The university also admitted that the spam filters of Penn are not developed enough to detect these kinds of phishing scams, as the forged addresses are read as authentic. But the University's Information Security Operation team is taking measures to restrict phishing mail and sites. They also recommended that users should not divulge their password because it is only on the basis of the passwords that these scams functions. The users also told to send any mails which they consider phishy as attachments to the information security team.

Related article: Spam Scam Bags a Scottish Connection

» SPAMfighter News - 8/22/2008