Educause Security Discussion mailing list archives
Re: Uptick in imap attacks on student accounts
From: Jesse Thompson <000000b6da97d697-dmarc-request () LISTSERV EDUCAUSE EDU>
Date: Fri, 3 Jan 2020 15:44:24 +0000
We saw an uptick from 5-10 per day in December to about 35 per day starting 12/30. There is some speculation that the Zynga breach has something to do with this mild uptick, but it's impossible to prove unless you get access to the password dump and check them against your local hashes.

Now that we have Duo enabled for employees and students, we primarily shut down accounts based on anomalous IMAP+basic auth activity. We tend to shut down the accounts prior to Microsoft alerting via their leaked credentials report, which leads me to think that they look for similar patterns of behavior to generate their reports.

Another interesting thing to note is that over half of the users have previously been compromised (and we don't allow users to reset their password back to a prior value). I think this means that users are reusing their 2nd or 3rd "go to" password whenever we ask them to pick a new one. Attackers aren't fazed by this, since they commonly already know these other passwords and can easily spray variants at Microsoft to figure them out.

We're about 1/3 complete with disabling basic auth for our Office 365 population. When we're complete, we'll no longer be able to detect compromised passwords using Azure AD anomalous activity. We'll have to find another means to protect our remaining single-factor client access protocols. But it will stop allowing attackers to stuff and spray passwords against Azure AD.

Jesse Thompson
University of Wisconsin-Madison

________________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Madl, Michael <michael.madl () INDWES EDU>
Sent: Friday, January 3, 2020 9:06 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Uptick in imap attacks on student accounts

We had back in early 2019 and since then have shut down IMAP, POP and SMTP for all but a few accounts.

We are an O365 house

MICHAEL MADL
INFORMATION SECURITY OFFICER
UNIVERSITY INFORMATION TECHNOLOGY
INDIANA WESLEYAN UNIVERSITY
4201 SOUTH WASHINGTON STREET
MARION, IN 46953
<https://twitter.com/InfosecurityIwu> | <https://www.linkedin.com/in/michaelmadl/> | michael.madl () indwes edu | 765.677.2688

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Jim A. Bole" <jbole () STEVENSON EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, December 17, 2019 at 12:06 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Uptick in imap attacks on student accounts

________________________________
Curious if anyone else is seeing an uptick on imap login attempts against student accounts, similar to September’s attack based on compromised Chegg accounts?

Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
**********
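An added illustration of the detection approach described in the thread (shutting down accounts on anomalous IMAP/basic-auth sign-in activity rather than waiting for a vendor report); this is not code from any of the posters. It runs over constructed sign-in records whose field names (user, time, clientApp, ip, country, success) are assumed and must be mapped from your own sign-in log export.

```python
"""Flag accounts whose IMAP/POP/SMTP basic-auth sign-ins look like a spray or
stuffing campaign. Added example; field names and sample data are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Client types that still ride on basic auth (legacy protocols).
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP"}
def make(user, t, app, ip, cc, ok):
    return {"user": user, "time": datetime.fromisoformat(t), "clientApp": app,
            "ip": ip, "country": cc, "success": ok}

# Constructed sample: a student probed over IMAP from three addresses in two
# countries, a staff member with ordinary IMAP use, a student on the browser only.
SAMPLE_EVENTS = [
    make("student1@example.edu", "2020-01-02T03:10:00", "IMAP4", "203.0.113.7", "NG", False),
    make("student1@example.edu", "2020-01-02T03:12:00", "IMAP4", "203.0.113.8", "NG", False),
    make("student1@example.edu", "2020-01-02T05:40:00", "IMAP4", "198.51.100.4", "RU", True),
    make("staff1@example.edu", "2020-01-02T08:00:00", "IMAP4", "192.0.2.10", "US", True),
    make("staff1@example.edu", "2020-01-02T17:30:00", "IMAP4", "192.0.2.10", "US", True),
    make("student2@example.edu", "2020-01-02T09:00:00", "Browser", "192.0.2.20", "US", True),
    make("student2@example.edu", "2020-01-02T09:05:00", "Browser", "192.0.2.21", "CA", True),
]

def flag_anomalous_legacy_auth(events, window=timedelta(hours=24),
                               min_ips=3, min_countries=2):
    """Return {user: [reasons]} for accounts whose legacy-auth sign-ins within any
    sliding `window` span many addresses/countries or succeed after failures."""
    per_user = defaultdict(list)
    for e in events:
        if e["clientApp"] in LEGACY_CLIENTS:   # ignore modern-auth clients
            per_user[e["user"]].append(e)
    findings = {}
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):         # each event starts a window
            win = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            ips = {e["ip"] for e in win}
            ccs = {e["country"] for e in win}
            failed_ips = {e["ip"] for e in win if not e["success"]}
            reasons = []
            if len(ips) >= min_ips: reasons.append(f"{len(ips)} distinct IPs")
            if len(ccs) >= min_countries: reasons.append(f"{len(ccs)} countries")
            # A success from an address other than the ones that failed is the
            # classic "guessed it" signature of stuffing/spraying.
            if any(e["success"] and failed_ips - {e["ip"]} for e in win):
                reasons.append("success after failures from other IPs")
            if reasons:
                findings[user] = reasons
                break                           # one finding per account is enough
    return findings
```

Accounts returned by `flag_anomalous_legacy_auth` are candidates for the kind of lockout described above; tune the window and thresholds against your own baseline of legitimate IMAP use before acting on them automatically.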
Current thread:
- Re: Uptick in imap attacks on student accounts Madl, Michael (Jan 03)
- Re: Uptick in imap attacks on student accounts Jesse Thompson (Jan 03)