Vigilance is the most powerful weapon employees wield in thwarting the recent spate of "phishing" emails targeting U. of I. computers, say leaders at Campus Information Technologies and Educational Services.
"We're asking everyone to be more savvy digital citizens," said Mike Corn, the campus's chief privacy and security officer and university chief information security officer.
"There is a body of miscreants out there on the Internet and they've gotten very good at convincing people to give out their private information. We're asking everyone to stop and think a little bit when they look at their email," Corn said.
Phishing is just what it sounds like: A dubious URL address throws out a line (in the form of an official-looking email) hoping the receiver bites by clicking on the link and providing a user name and password.
In many of the U. of I. cases, employees will receive an email, complete with university logos and markings, which says the employee's login and password have expired. Even the link destination has an official-looking webmail interface that can further lure someone into providing password information.
If the information is supplied, the infected email will replicate itself and send out requests seeking protected information from other email accounts. Ostensibly the same information could be used to access more sensitive data, though Corn said there has been no indication of a data breach to date.
There was an increase in attacks starting in February, and a spike last week prompted Greg Gulick, the deputy CIO and executive director of CITES operations, to send a March 28 campuswide massmail warning students and faculty and staff members that some outgoing university email was being blocked by spam-reporting services from around the world.
Those agencies in essence initiated a virtual worldwide Web quarantine process, blocking for their subscribers a significant amount of illinois.edu email based on the number of spam reports that had become associated with the address.
"For the last week, some email sent from the campus is being rejected by other universities and private companies," Gulick said. "This means that emails sent from an illinois.edu address to schools and companies using these spam-control services will not reach their intended recipients."
Corn said the university has an effective anti-spam system that deletes or quarantines millions of emails daily, and that CITES regularly monitors outgoing emails to detect when email replication reaches a set threshold. The system sounds an alarm when an infection is detected.
"There are no visible signs of an infection that we can detect until the mail goes out," he said.
While defending against ever-changing malicious content delivery methods is a "virtual game of Whac-A-Mole," Corn said there are ways employees can help protect themselves - and the university.
Employees who receive a suspicious email asking them to log in to change a password or to update an account should not click on any link in the email. Corn suggests either going to the CITES website and clicking on the "reset your password" link under "Services and Info," or changing it in person at the Help Desk.
"If you're not paying attention, you can miss it," he said of the cleverly crafted fake emails. "We need everyone to be extra cautious because it's a risk to data, it's a risk to our reputation and it's lost productivity. We take it very seriously."
If an account has been compromised, it is important to get the password changed as soon as possible. He said there are a variety of ways to protect passwords and avoid becoming a victim, from using a two-factor authentication process with regularly generated random password numbers, to creating encrypted password vaults. The CITES website offers added protection for computers and mobile devices.
He said leaders will make changes to the instructions sent out annually for changing campus passwords to ensure there is no confusion among vigilant employees who may suspect that the message is itself a phishing scam.
As for getting off the Internet blacklist, Corn said it may take some time. Some spam-tracking services won't lift restrictions until 48 hours pass without them detecting an infected email being sent out from the U. of I.
In addition to investigating the source of the attacks, university officials have contacted some of the services and asked to be reinstated. Corn said that if email sent to a critical correspondent isn't getting through, employees should consider, as a temporary and emergency measure, sending non-sensitive information through a third-party email account or using uofi.box.com to store a file and sending a link to that file through a third-party account.