Educause Security Discussion mailing list archives

Re: user account compromise?


From: "Barros, Jacob" <jkbarros () GRACE EDU>
Date: Thu, 24 Apr 2008 16:32:34 -0400

Ken and all.  That was it.  He did reply to one of those phishing scams.
No more than 12 hours before the SPAM was launched.  Any non-internal
legal advice would be appreciated.

 

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ken Connelly
Sent: Thursday, April 24, 2008 4:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] user account compromise?

Jake -

There have been numerous phishing attempts aimed at .edu students (and
faculty/staff) over the past couple of months.  I'm sure the archives of
this list have examples.  Webmail accounts (in particular) of those who
fall for the phishing attempt and provide their credentials are used for
exactly the things you have seen.

The student should change his password if that hasn't already happened.
He should also check things like his signature file and any
auto-responder messages to ascertain that additional spam is not
included there.

- ken

Barros, Jacob wrote:
Beginning around 5:30pm yesterday, SPAM messages were sent from a
student's user account. The student claims to not know what is
happening... and I think I believe him.  He actually sent an email about
the problem to our helpdesk at 1 am because he was getting so many
delayed delivery and NDR messages.  We are still examining his laptop.

So far my assumption is that his account was compromised as copies of
the message are actually in his sent items and drafts folders.  Anyone
disagree with that assumption?  Sounds like a ludicrous question but is
there any way I can track who was using his account?

Also, I am unsure how to respond to the situation and no applicable
policies are in place.  Should campus departments or otherwise be
notified of the compromise?  Any non-internal legal ramifications here,
i.e. I am getting many responses from users who received the message.
Should I reply to them?  Does that imply that we claim responsibility?
Should I mention that it actually was our fault when I try to get off
the blacklists we are already on?

Is this topic better suited for the email admin discussion group?  Any
advice or shared experience would be appreciated.

Jake Barros
Grace College



  

-- 
- Ken
=================================================================
Ken Connelly             Associate Director, Security and Systems
ITS Network Services                  University of Northern Iowa
email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-7373
