Account Compromise & Email Spam

Incident: Email account compromise and bulk mailing.

Summary: Starting in late August 2015, WITS was made aware that the account credentials of a number of Willamette email accounts had been compromised. Subsequently an email spam campaign was launched at our community using data that was harvested from the compromised accounts.

There are two separate phases to this issue, which has caused some confusion among our account holders.

Part One, compromised accounts: Late in August 2015 Google began sending reports of suspicious logins to Willamette email accounts from foreign locations. This indicated that someone had access to these people’s usernames and passwords. As soon as we began to get reports from Google about suspicious access attempts with those accounts, we changed the passwords (which effectively froze those accounts) and then notified the account holders so that they could create new passwords and have access to their accounts once again. Approximately 400 accounts were affected. The affected demographic was largely CLA upperclassmen and recent graduates & alumni.

Part Two, email spam: The next phase of the issue began with a deluge of spam messages over Labor Day weekend. The important thing you need to know is that the email spam was not physically being sent from the formerly compromised accounts but rather from non-Willamette URLs around the world. The perpetrators of the account hacks were using the contact lists they had harvested to craft emails, spoofing details so that any given spam message could look like it was ‘from’ anyone in the contact list in any of the compromised accounts. WITS started a campaign to actively block the messages as they came in. Every couple of days the messages would change and WITS would implement new blocking rules, but some messages always got through before the new rules caught up.
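A check of the kind that separates spoofed mail from mail genuinely sent by a campus account, as an added example (this is not WITS's actual blocking rule set). It assumes the receiving mail gateway stamps an Authentication-Results header; the hostnames `mx.campus.example` and `bulk.example` and both sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

CAMPUS_DOMAIN = "willamette.edu"  # the domain the spam claimed to come from

def domain_of(header_value):
    """Lowercased domain of the address in a header, or '' if there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def auth_results(msg):
    """Flatten key=value tokens (spf=, dkim=, header.d=, ...) from
    Authentication-Results. Simplified: parenthesised comments are not parsed."""
    found = {}
    for header in msg.get_all("Authentication-Results", []):
        for part in header.split(";")[1:]:  # part 0 is the stamping server's id
            for token in part.split():
                key, sep, value = token.partition("=")
                if sep:
                    found[key.lower()] = value.lower()
    return found

def classify(raw_message):
    """'external', 'consistent', or 'suspect-spoof' for a campus From address."""
    msg = message_from_string(raw_message)
    if domain_of(msg.get("From")) != CAMPUS_DOMAIN:
        return "external"
    res = auth_results(msg)
    # SPF only vouches for the envelope sender, so it must match the From domain.
    spf_ok = res.get("spf") == "pass" and domain_of(msg.get("Return-Path")) == CAMPUS_DOMAIN
    dkim_ok = res.get("dkim") == "pass" and res.get("header.d") == CAMPUS_DOMAIN
    return "consistent" if spf_ok or dkim_ok else "suspect-spoof"

# Constructed sample messages (not taken from the incident).
SPOOFED = "\n".join([
    "Return-Path: <bounce@bulk.example>",
    "Authentication-Results: mx.campus.example; spf=pass smtp.mailfrom=bulk.example; dkim=none",
    'From: "A Friend" <friend@willamette.edu>',
    "Subject: hi", "", "Check this out",
])
GENUINE = "\n".join([
    "Return-Path: <friend@willamette.edu>",
    "Authentication-Results: mx.campus.example; spf=pass smtp.mailfrom=willamette.edu;"
    " dkim=pass header.d=willamette.edu",
    'From: "A Friend" <friend@willamette.edu>',
    "Subject: hi", "", "See you at lunch",
])

if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("GENUINE", GENUINE)):
        print(name, "->", classify(raw))
```

The spoofed sample passes SPF for its own sending domain yet is still flagged, because that pass says nothing about the campus address shown in the From line.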

Where do we stand now? As of mid-September 2015, very few messages are getting through to people’s inboxes. All of the originally compromised accounts have been locked or reset and no significant new reports of compromises are coming in.

WITS is looking into all possible angles for how the accounts were compromised in the first place. We think that this happened sometime between October 2014 and April 2015. Nearly all the victims of the initial compromise were students during that time. It is unclear if there was a WU system that was vulnerable to any kind of computer-based attack during that time, or how exactly the account information was accessed. Most likely the perpetrators obtained a list of Gmail accounts and the encrypted passwords to go along with them. The majority of the victims had short (7 or 8 character) passwords. The combination of short passwords and ample time to crack them was likely what caused the incident this fall.

Recommendations to the community: This incident serves as a launching point to educate our constituency about more secure practices for email and other online resources. Currently our recommendations to everyone include:

  1. Make a more secure password for your email: Complexity is not enough; length is a password's strongest attribute. WITS recommends you make your password at least 12 characters long.

  2. Google’s two-step verification: This virtually guarantees that no other computers or devices can access an email account without explicit authorization, even if a password is compromised. If you want to know more about how it works, read up on it here: https://www.google.com/landing/2step/

  3. Do not reuse passwords: Using your Willamette email password for other services (Facebook, bank accounts, etc.) is very dangerous. Once perpetrators have access to one password it is easy to use that to access other sensitive accounts.

Moving forward: WITS will be continuing to push identity management and security education. Expect some more official policy regarding account security coming out of the University as well.

We are not alone: We’ve seen reports from at least 10 other universities with symptoms nearly identical to ours. Willamette was not a specific target; any areas of concentrated populations and heavy email use are tempting targets to cybercriminals.

Keep an eye on your email; WITS will send campus-wide messages if there is additional important information for the community. If you have more questions, please contact the WITS Help Desk (503-370-6767, wits@willamette.edu) or your user services consultant.