Educause Security Discussion mailing list archives

Re: user account compromise?


From: Ken Connelly <Ken.Connelly () UNI EDU>
Date: Thu, 24 Apr 2008 15:16:12 -0500

Jake -

There have been numerous phishing attempts aimed at .edu students (and
faculty/staff) over the past couple of months.  I'm sure the archives of
this list have examples.  Webmail accounts (in particular) of those who
fall for the phishing attempt and provide their credentials are used for
exactly the things you have seen.

The student should change his password if that hasn't already happened.
He should also check things like his signature file and any
auto-responder messages to ascertain that additional spam is not
included there.

- ken

Barros, Jacob wrote:
Beginning around 5:30pm yesterday, SPAM messages were sent from a student's
user account. The student claims to not know what is happening, and I think
I believe him.  He actually sent an email about the problem to our helpdesk at 1
am because he was getting so many delayed delivery and NDR messages. We are
still examining his laptop.

So far my assumption is that his account was compromised as copies of the
message are actually in his sent items and drafts folders.  Anyone disagree
with that assumption?  Sounds like a ludicrous question but is there any way I
can track who was using his account?

Also, I am unsure how to respond to the situation and no applicable policies
are in place.  Should campus departments or otherwise be notified of the
compromise?  Any non-internal legal ramifications here, i.e. I am getting many
responses from users who received the message.  Should I reply to them?  Does
that imply that we claim responsibility?  Should I mention that it actually
was our fault when I try to get off the blacklists we are already on?

Is this topic better suited for the email admin discussion group?  Any advice
or shared experience would be appreciated.

Jake Barros
Grace College





--
- Ken
=================================================================
Ken Connelly             Associate Director, Security and Systems
ITS Network Services                  University of Northern Iowa
email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-7373