In the past month, people across the country have received spam originating from osu.edu e-mail addresses while the owners of the spam-generating accounts remain oblivious.
An e-mail phishing scam, which has been traced to Nigeria, has been targeting Ohio State webmail accounts. Six or seven different messages that appear to be from the OSU e-mail team have been sent to osu.edu addresses in the past month, asking users to respond with their usernames and passwords for “verification purposes” related to the recent e-mail migration.
“Someone was paying close attention to what was going on here,” said Cathy Bindewald, director of communications for the office of the Chief Information Officer. “They knew we were upgrading our e-mail system so they were playing off that and spoofing us.”
People who responded to the e-mail were actually sending their usernames and passwords to temporary Yahoo, Gmail or Hotmail accounts set up by e-mail scammers who then used the information to take over the e-mail account, in some circumstances changing the password and denying users access to both their e-mail accounts and other systems on campus, Bindewald said.
Although she is unsure how many people were solicited by the phishing scam, Bindewald said about 50 OSU webmail accounts have been taken over and used to distribute spam.
“We’ve identified about 50 of the affected accounts because they’re just spewing out spam,” Bindewald said. “They were sending out so much spam they were crashing the new webmail system.”
E-mails sent from OSU webmail accounts include some new-generation Nigerian spam, such as the “death awaits you” e-mail, where the recipient is told that “someone has paid me to kill you and I will do it unless you pay me more than the person who wants you dead,” Bindewald said. Other e-mails sent from osu.edu addresses were lottery scams originating from the United Kingdom.
“This whole process of accounts being taken over to generate spam is not new,” Charles Morrow-Jones, director of information technology security said. “But in the past it has been one or two accounts per month that have been affected. Now there has been a huge upswing because of people responding to these phishing scams.”
Most free e-mail providers have a limit to the number of outbound e-mails that can be sent in a certain period, Morrow-Jones said. OSU’s webmail does not have these restrictions which is why spammers want to take over the accounts.
“In some cases in the academic arena it is perfectly legitimate to send lots of e-mail, for example if you were doing a survey,” Morrow-Jones said, which is why OSU is not as stringent with its restrictions.
Morrow-Jones is not sure exactly how the phishing scammers gained access to the lists of osu.edu addresses, but said they were most likely bought from a spam mailing list.
“There are spam mailing lists that advertise pretty freely,” he said. “You can buy one million e-mail addresses for $20. Once you gain access to one of these lists, you can pull out all the osu.edu addresses.”
OSU’s office of information technology has been actively trying to mitigate the e-mail scams since they began, monitoring the traffic coming out of accounts and blocking access to accounts that appear to be generating spam.
“We had to cut off the accounts and passwords of the accounts that were generating masses of spam,” Bindewald said, adding people who have been blocked out of their accounts should go to the account management page and change their passwords or call (614)-688-HELP.
The limit to the amount of e-mails that can be sent from individual accounts has also been lowered, she said.
Attempts to trace the origins of the scam have been made but the process is very difficult, Morrow-Jones said.
“The moral of the story is protect your password like it’s gold.”
Briony Clare can be reached at [email protected].
