Last Thursday, approximately 1,000 to 2,000 malicious emails were sent out to the University community in an attempt to access and collect personal information from both students and faculty members, according to Princeton’s Office of Information Technology.
The email, which appeared to have been sent from a University WebMail account, informed targeted students and faculty that recipients were required to confirm their netIDs and passwords before continuing to use their accounts.
The message included a link that redirected students to a site that looked as if it were affiliated with the University. The site was actually a log-in page hosted on a Brazilian domain.
Once the owners of the Brazilian phishing site obtained the netIDs and passwords, they could use the compromised email accounts to impersonate their owners and send messages. Director of OIT Support Services Steven Sather noted that this possibility was particularly dangerous for faculty members because it would allow the culprits to establish false credentials.
Sather explained that these attacks have become “more personalized” over time.
“It’s clear that the perpetrators did their homework,” Sather said. “The original link looked like a Princeton URL, and they used many of the same graphics that appear on Princeton sites.”
Sather noted that the primary incentive for the scheme was money.
“We use the same usernames and passwords for not only our email accounts but also Princeton’s financial system, PeopleSoft,” Sather explained. “This would allow the perpetrators to spend money that belongs to the University.”
Several staff members at OIT, including Sather, personally received this email Thursday morning, and within 10 to 15 minutes the office blocked on-campus access to the website. OIT immediately posted an online alert and first contacted departments that rely on computing.
Cara Liuzzi ’12, who received the email while on campus, said she clicked on the link “without really thinking,” but because of OIT’s prompt response, she said she was unable to access the site.
However, OIT could not block the site for students who were off-campus at the time. While the reason behind the timing of the email is unknown, Sather said the perpetrators might have known that students were on spring break.
OIT proceeded to have USG president Bruce Easop ’13 alert undergraduates about the email scam. Sather felt this means of communication was effective because the student government “adds credibility.”

“OIT generally tries to go through student leaders on campus,” Easop said. “Students often feel comfortable asking questions to another student, and I was able to help clarify any confusion that students had.”
Sather said that situations like this have occurred before not only at Princeton but also at peer institutions, such as Stanford, University of Chicago and Harvard.
“We have been working at being able to block anything similar in the future,” Sather said, noting that one of OIT’s primary methods involves quarantining links using Proofpoint, a system designed to pinpoint junk mail.
Proofpoint did not identify the Brazilian email as spam for some members of the University community. Some students cite certain flaws with Proofpoint in general.
“I have the utmost respect for OIT and the work they do. They have always been prompt to fix problems,” Jonathan Frankle ’15 said. However, Frankle noted that Proofpoint has only blocked two emails from reaching his inbox over the course of this academic year. One email was from a fellow Princeton student while the other was an important message from the Google Scholarship Program.
Sather explained that Proofpoint is one of the best systems available. “If there was something better out there, we’d use it,” he said.
Sather also noted that one of OIT’s continuing goals is to teach the University community to be vigilant about such emails and to make individuals aware that nobody at Princeton will ever ask them to verify a username or password.
“As our ways of detecting these things become more sophisticated, these perpetrators become more sophisticated as well,” Sather said. “Their job is to make [their emails] seem as real as possible.”
Sather is advising the University community to be more conscious of potential scams in the future.
“Be leery,” Sather said. “Obviously your mom wouldn’t ask you for your credit card number over your Gmail account.”