Educause Security Discussion mailing list archives

Re: Uptick in imap attacks on student accounts


From: Jesse Thompson <000000b6da97d697-dmarc-request () LISTSERV EDUCAUSE EDU>
Date: Fri, 3 Jan 2020 15:44:24 +0000

We saw an uptick from 5-10 per day in December around to about 35 per day starting 12/30.  There is some speculation 
that the Zynga breach has something to do with this mild uptick, but it's impossible to prove unless you get access to 
the password dump and check them against your local hashes.

Now that we have Duo enabled for employees and students, we primarily shut down accounts based on anomalous IMAP+basic 
auth activity.  We tend to shut down the accounts prior to Microsoft alerting via their leaked credentials report, 
which leads me to think that they look for similar patterns of behavior to generate their reports. 

Another interesting thing to note is that over half of the users have previously been compromised (and we don't allow 
users to reset their password back to a prior value).  I think this means that users are reusing their 2nd or 3rd "go 
to" password whenever we ask them to pick a new one.  Attackers aren't fazed by this, since they commonly already know 
these other passwords and can easily spray variants at Microsoft to figure them out.

We're about 1/3 complete with disabling basic auth for our Office 365 population.  When we're complete, we'll no longer 
be able to detect compromised passwords using Azure AD anomalous activity.  We'll have to find another means to protect 
our remaining single-factor client access protocols.  But it will stop allowing attackers to stuff and spray passwords 
against Azure AD.

Jesse Thompson
University of Wisconsin-Madison
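The detection the message above relies on (anomalous IMAP plus basic-auth activity seen in Azure AD sign-in data) can be expressed as a small rule over sign-in records. The following is an added example, not code from Jesse Thompson or UW-Madison: it runs over constructed sign-in records whose field names follow the Microsoft Graph signIn resource (userPrincipalName, clientAppUsed, ipAddress, createdDateTime, status.errorCode, location.countryOrRegion), flattened into one dict per record; the tenant, users, addresses and thresholds are assumptions. It flags a user when legacy-protocol successes come from more source IPs or countries than a single mail client plausibly would within a window, and when a legacy-protocol success follows a burst of bad-password failures (the spray/stuffing pattern described above).

```python
"""Flag accounts with anomalous legacy-auth (IMAP/POP/authenticated SMTP) sign-ins.

Added example. Records are constructed; field names follow the Graph signIn
resource, flattened. Users, addresses and thresholds are hypothetical.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# clientAppUsed values that mean basic auth over a legacy protocol.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Other clients"}
AADSTS_BAD_PASSWORD = 50126  # Azure AD "invalid username or password"


def _rec(upn, client, ip, country, when, code=0):
    return {"userPrincipalName": upn, "clientAppUsed": client, "ipAddress": ip,
            "countryOrRegion": country, "createdDateTime": when, "errorCode": code}


# Constructed sample: alice is a normal mail client; bob's IMAP successes come
# from four addresses in four countries within two hours; carol's IMAP success
# follows a dozen bad-password attempts; dave's browser sign-ins are not legacy.
SAMPLE_SIGNINS = [
    _rec("alice@example.edu", "IMAP4", "203.0.113.10", "US", "2020-01-03T08:00:00Z"),
    _rec("alice@example.edu", "IMAP4", "203.0.113.10", "US", "2020-01-03T12:00:00Z"),
    _rec("bob@example.edu", "IMAP4", "198.51.100.5", "US", "2020-01-03T01:00:00Z"),
    _rec("bob@example.edu", "IMAP4", "192.0.2.77", "NG", "2020-01-03T01:20:00Z"),
    _rec("bob@example.edu", "IMAP4", "198.51.100.99", "RU", "2020-01-03T02:05:00Z"),
    _rec("bob@example.edu", "IMAP4", "203.0.113.200", "BR", "2020-01-03T02:40:00Z"),
    _rec("dave@example.edu", "Browser", "198.51.100.5", "US", "2020-01-03T03:00:00Z"),
    _rec("dave@example.edu", "Browser", "192.0.2.77", "NG", "2020-01-03T03:10:00Z"),
] + [
    _rec("carol@example.edu", "IMAP4", "192.0.2.33", "US",
         f"2020-01-03T04:{m:02d}:00Z", AADSTS_BAD_PASSWORD) for m in range(12)
] + [
    _rec("carol@example.edu", "IMAP4", "192.0.2.33", "US", "2020-01-03T04:15:00Z"),
]


def _ts(rec):
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def legacy_auth_findings(records, window=timedelta(hours=24),
                         max_ips=3, max_countries=1, spray_failures=10):
    """Return {upn: finding} for users whose legacy-protocol sign-ins show more
    source addresses or countries than one mail client should, or a success
    preceded by a burst of bad-password attempts (spray / credential stuffing).
    Thresholds are assumptions; tune them to the tenant."""
    by_user = defaultdict(list)
    for r in records:
        if r["clientAppUsed"] in LEGACY_CLIENTS:
            by_user[r["userPrincipalName"].lower()].append(r)

    findings = {}
    for upn, recs in by_user.items():
        recs.sort(key=_ts)
        ok = [r for r in recs if r["errorCode"] == 0]
        bad = [r for r in recs if r["errorCode"] == AADSTS_BAD_PASSWORD]
        peak_ips = peak_countries = failures_before = 0
        for s in ok:
            t0 = _ts(s)
            # Successes inside one window that starts at this success.
            win = [x for x in ok if t0 <= _ts(x) < t0 + window]
            peak_ips = max(peak_ips, len({x["ipAddress"] for x in win}))
            peak_countries = max(peak_countries, len({x["countryOrRegion"] for x in win}))
            # Bad-password attempts in the window before this success.
            before = sum(1 for f in bad if t0 - window <= _ts(f) < t0)
            failures_before = max(failures_before, before)
        reasons = []
        if peak_ips > max_ips:
            reasons.append(f"{peak_ips} source IPs for legacy auth within {window}")
        if peak_countries > max_countries:
            reasons.append(f"{peak_countries} countries for legacy auth within {window}")
        if failures_before >= spray_failures:
            reasons.append(f"{failures_before} bad-password attempts before a legacy-auth success")
        if reasons:
            findings[upn] = {"distinct_ips": peak_ips, "countries": peak_countries,
                             "failures_before_success": failures_before,
                             "reasons": reasons}
    return findings


if __name__ == "__main__":
    for upn, f in legacy_auth_findings(SAMPLE_SIGNINS).items():
        print(upn, "->", "; ".join(f["reasons"]))
```

Browser and modern-auth sign-ins are deliberately ignored: the point of the rule is that a mail client on basic auth has no MFA in front of it, so source diversity and failure bursts on those protocols are the signal. Once basic auth is disabled for the tenant, the rule has nothing to match, which is the loss of visibility the message describes.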

________________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Madl, Michael 
<michael.madl () INDWES EDU>
Sent: Friday, January 3, 2020 9:06 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Uptick in imap attacks on student accounts

We had back in early 2019 and since then have shut down IMAP, POP and SMTP for all but a few accounts.  We are a O365 
house [disclaimer]


MICHAEL MADL
INFORMATION SECURITY OFFICER
UNIVERSITY INFORMATION TECHNOLOGY

INDIANA WESLEYAN UNIVERSITY
4201 SOUTH WASHINGTON STREET
MARION, IN 46953

https://twitter.com/InfosecurityIwu | https://www.linkedin.com/in/michaelmadl/ | michael.madl () indwes edu
765.677.2688

DO NOT provide your username, password, or any personal information requested by any email.
IWU WILL NEVER ask you for your username or password via email.
DO NOT CLICK links or attachments unless you are positive the content is safe.

CONFIDENTIALITY NOTICE: This email, including applicable attachments, may include legally protected information.  If 
you are not the intended recipient of this message, you may not disclose, print, copy, save, or disseminate this 
information. If you have received this email in error, please notify the sender by replying to this message and 
immediately delete this message.




From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Jim A. Bole" 
<jbole () STEVENSON EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, December 17, 2019 at 12:06 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Uptick in imap attacks on student accounts

** This message originated from outside the Indiana Wesleyan University email system **
________________________________
Curious if anyone else is seeing an uptick on imap login attempts against student accounts, similar to September’s 
attack based on compromised Chegg accounts?

Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
