By Brian Krebs
April 16, 2007
A highly targeted phishing attack last year that scammed dozens of
Indiana University students out of their personal and financial data
appears to have been aided in part by a previously undisclosed hacker
break-in at one of the school's main research servers, according to
documents unearthed by a doctoral student there.
In June 2006, an unknown number of IU students and faculty received an
e-mail warning that online bill-paying services attached to their IU
Employees Federal Credit Union accounts would be suspended unless they
"renewed" their contract with the institution. According to the school's
student news outlet, the Indiana Daily Student, that attack netted up to
Shortly after the attack, Chris Soghoian, a cybersecurity PhD student at
IU's School of Informatics, filed an Indiana Public Records Act request
for documents related to the incident. Those documents, redacted copies
of which the school provided earlier this year, indicate that the
phishers may have been able to gather e-mail addresses of IU students in
a bid to further target their victims.
Soghoian first started classes at IU last fall, but registered for a
school e-mail address in March 2006. Although he'd never given his IU
e-mail address to anyone or used it online prior to the phishing attack
against the credit union, he received a copy of the phishing e-mail.
Soghoian inquired with the school's technical staff how someone could
have obtained his e-mail address. He was told his inquiry was related to
an ongoing investigation.
"That's when I decided to file the [public records] request," he said.
Investigators found phishing kits - ready-made scam e-mails and Web
pages - designed to target IU students and customers of the Florida
Commerce Credit Union and the Sandia Laboratory Federal Credit Union.
Both credit unions had been targeted previously. In fact, a phishing
scam targeting Florida Commerce surfaced two days prior to the IU scam.
The records provided by the university indicate that the phishers gained
access to one or more accounts on the school's "Steel" server, a cluster
of systems provided for students and researchers engaged in projects
that require serious data and number crunching. According to the
university, some 24,000 IU students have access to that server (Soghoian
claims that figure is outdated and that the actual number of user
accounts on that server is at least 30,000). By downloading the list of
user names with access to the server, the attackers would have had a
ready list of targets to use in their phishing scam, Soghoian said.
"The fact that the cluster provides login services means that anyone
who's logged in can query user names on the system," he said. "The
phishers sent their e-mails from Steel as well, from within the network,
which I'm guessing would have helped them somewhat in bypassing spam
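One defensive check a campus mail or cluster administrator could run against the scenario described above (bulk mail sent from an account on a shared login cluster), written here as an added example that is not from the article or from IU; the log format, host names, account names, window and threshold are all assumptions made for the illustration:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified outbound-mail log lines (not real server output);
# host and account names are placeholders.
SAMPLE_LOG = """\
2006-06-12T09:00:01 host=cluster-node03 from=researcher1 to=alice@example.edu
2006-06-12T09:00:02 host=cluster-node03 from=researcher1 to=bob@example.edu
2006-06-12T09:00:02 host=cluster-node03 from=researcher1 to=carol@example.edu
2006-06-12T09:00:03 host=cluster-node03 from=researcher1 to=dave@example.edu
2006-06-12T09:00:04 host=cluster-node03 from=researcher1 to=erin@example.edu
2006-06-12T09:15:00 host=cluster-node07 from=researcher2 to=alice@example.edu
2006-06-12T09:30:00 host=cluster-node07 from=researcher2 to=frank@example.edu
"""
LINE_RE = re.compile(r"^(\S+) host=(\S+) from=(\S+) to=(\S+)$")

def parse_log(text):
    """Return (timestamp, host, sender, recipient) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, sender, rcpt = m.groups()
        events.append((datetime.fromisoformat(ts), host, sender, rcpt.lower()))
    return events

def find_bulk_senders(events, max_recipients=4, window=timedelta(minutes=10)):
    """Map (host, sender) -> peak number of distinct recipients mailed within any
    sliding window of length `window`, for accounts exceeding max_recipients."""
    by_account = defaultdict(list)
    for ts, host, sender, rcpt in sorted(events):
        by_account[(host, sender)].append((ts, rcpt))
    flagged = {}
    for key, sends in by_account.items():
        start = 0
        for end in range(len(sends)):
            while sends[end][0] - sends[start][0] > window:  # slide window forward
                start += 1
            distinct = {r for _, r in sends[start:end + 1]}
            if len(distinct) > max_recipients:
                flagged[key] = max(flagged.get(key, 0), len(distinct))
    return flagged

if __name__ == "__main__":
    for (host, sender), n in find_bulk_senders(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {sender}@{host}: mailed {n} distinct addresses within 10 minutes")
```

A real deployment would feed the mail transfer agent's own log format into `parse_log` and tune the threshold to the cluster's normal mailing behaviour.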
While most phishing attacks target the nation's largest financial
institutions, scammers are turning their sights on smaller banks and
credit unions whose customers may not be as adept at dealing with these
types of scams. In addition, as the attack against the IU Credit Union
shows, scams against smaller institutions are more likely to be
successful if the phishers have access to e-mail addresses of
individuals known to be associated with the targeted institution.
Phishers have targeted more than 185 credit unions during just the past
two years, and many of them in multiple, separate attacks, according to
anti-phishing and security company Websense.