volume 39, number 1
Temple University Faculty Herald

Phishing at Temple University
Ken Ihrer, Computer Services' Chief Information Security Officer

Universities are undoubtedly the best phishing lakes in the world. Growing up, I used to dream of fishing Lake Guerrero in Mexico, where a fisher could land a largemouth bass every time they cast their line into the water. To the phisher, universities are every bit as appealing as Lake Guerrero is to the bass fisher.

You may wonder why universities are so inviting to the phisher. The nature of our business model is open access and knowledge sharing. We deploy hundreds of servers and store terabytes of information. Our population turns over at roughly 25% a year, so a quarter of our users are new each year and have not yet seen our warnings. Our user base is quite diverse, and our security controls are typically not on par with the business world. For all of these reasons, universities have a large red target painted on their backs, waiting for the crooked angler to cast a line our way.

I am often asked why phishers and hackers don’t spend their time doing something productive.  Couldn’t they make a lot of money if they just concentrated on using their skills at a legitimate place of employment?  Unfortunately, crime tends to pay more in this arena and, unlike armed robbery, the chances of getting caught and prosecuted are very low.

So how much can one of these criminals make? Robert Soloway made millions in only two years of activity before finally being arrested and brought to justice. Unfortunately, according to industry experts, he is only a small phish in a large pond.

So what exactly is a phish and why does it work? A phish is typically an email sent to a large group of recipients that tries to lure the victims into handing the phisher their computer access credentials. Sometimes other personal information is requested, but the primary target is access credentials. Once the phisher has these credentials, they are used in several profitable ways.

One of the biggest uses of stolen access credentials is launching a spam attack: a stolen account lets the spammer send through our mail servers under a legitimate user's name. Spam is where the profit lies. This is one of the ways Soloway made his money. According to an article in USA Today about his arrest, Soloway had clients pay him $495 to send 20 million spam messages or to buy 80,000 email addresses. That may sound like a lot, but it is just a drop in the bucket compared to the amount of spam sent every day. Here at Temple we block over 1.5 million spam messages every day using a new appliance from Ironport. Patrick Peterson, vice president of technology at Ironport, says that they block over 80 billion spam messages a day.

The phishing attacks that took place at Temple over the summer led to several spam outbreaks coming from the University. Not only was this a disruption to our systems, but we were placed on several blocking lists, and this prevented legitimate email from being received by outside mail hosts. Places such as AOL, Comcast, Yahoo and many others would no longer accept mail from Temple because we were considered a spam factory. Because of these problems, I started investigating security controls that would do two things for us. The first problem I wanted solved was to stop the spam from leaving Temple. My thought was that if the spammers couldn't use our computers as a launching platform, they would go elsewhere to easier targets. The second problem I wanted solved was to stop the phishing attacks from coming in. My belief is that by doing these two things, we will no longer be the Lake Guerrero of the phishing world.

After looking at various products, we decided to install Ironport. Over the last month of summer, we ran an evaluation with an Ironport appliance filtering one of our five mail servers. The amount of incoming spam caught by the product was 10 times greater than with our previous security controls. After the evaluation, we purchased two of the units and have recently placed all five mail servers behind the appliances. While I want to make it clear that no security control is 100% effective against spam and phishing attacks, our security posture and our ability to block this activity have drastically improved. Phishers are a crafty lot and are usually one step ahead of the good guys. The old saying "where there is a will there is a way" certainly applies to them. When a phishing email makes it through our system, we now send it on to Ironport so that they can develop a new trap against it. In the end, I believe that Temple will no longer be known as a hot spot for phishing, and the phishers will take their bait elsewhere.

For a few tips to avoid getting hooked, it is important to note that no one at Temple will ever ask you for your password. It is forbidden, by policy, for you to give your password to anyone. If an email comes in that asks you to provide your username or password, do not take the bait. Do not reply to it, not even to tell them to "kiss your bass." A reply confirms that your address is live and read by a real person, and you can be assured they will sell it to someone. Simply forward the email to abuse@temple.edu and we will make sure that our systems are updated to catch this phishing attempt in the future.

The next important tip is to be wary of websites that ask for your credentials. Some phishing attempts will send you an email that may look very official. It will contain a link that is usually masked: the text you see shows one address, while the link itself points somewhere else entirely. When you click on it, the page will have Temple's graphics and look just like our TUmail site. However, if you look at the address bar at the top, it will display a non-Temple location. What matters is the host name before the first slash: it should end in temple.edu, and a name that merely contains temple.edu somewhere in the middle with a different domain at the end is not Temple, no matter how familiar it looks. Remember, the safest way to reach one of our websites is to type the address in manually instead of clicking on a link. If you do click, make it a habit to inspect the address once the website is displayed, and hover over a link before clicking to see where it really leads. Remember, some of these sites are very realistic looking. It is difficult to distinguish a one ("1") from a lower-case L ("l") on a computer screen; "temple" and "temp1e" are too similar to tell apart at a quick glance.
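The two checks in this tip, whether a link's visible text matches where it really goes and whether the destination host is Temple's or merely a look-alike such as temp1e.edu, can be automated. The Python script below is an added example written for this article; it is not a tool used by Temple Computer Services or by Ironport. The trusted-domain list, the confusable-character table and the sample email are assumptions constructed for illustration. It goes a little beyond the text by also folding "rn" into "m" and by flagging hosts that merely contain temple.edu in the middle of a longer foreign name.

```python
"""Audit the links in an HTML email the way the tip above describes: where does
each link really go, is that host ours or a look-alike, and does the visible
text advertise a different address than the href (a masked link)?"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist for this example, not an official list of Temple domains.
TRUSTED_DOMAINS = {"temple.edu"}

# Single characters that pass for a letter at a glance.  Applied before
# lower-casing so that a capital I standing in for a lower-case l is caught.
_SINGLE = str.maketrans({"1": "l", "I": "l", "|": "l", "0": "o", "5": "s"})
# Character pairs that read as one letter in many screen fonts.
_PAIRS = (("rn", "m"), ("vv", "w"))


def fold_confusables(label: str) -> str:
    """Map look-alike characters onto the letters they imitate."""
    folded = label.translate(_SINGLE).lower()
    for pair, letter in _PAIRS:
        folded = folded.replace(pair, letter)
    return folded


def registrable_domain(host: str) -> str:
    """Last two labels of a host name.  Case is preserved for the confusable
    check.  Simplification: multi-label public suffixes such as co.uk are
    not handled."""
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host: str) -> str:
    """'trusted' if the domain is ours, 'lookalike' if it only imitates ours
    (homoglyphs, or our name buried inside a foreign host), else 'foreign'."""
    if not host:
        return "foreign"
    domain = registrable_domain(host)
    if domain.lower() in TRUSTED_DOMAINS:
        return "trusted"
    if fold_confusables(domain) in {fold_confusables(d) for d in TRUSTED_DOMAINS}:
        return "lookalike"
    if any(trusted in host.lower() for trusted in TRUSTED_DOMAINS):
        return "lookalike"
    return "foreign"


# A host name appearing in link text, with or without a scheme in front.
_HOST_IN_TEXT = re.compile(r"(?:https?://)?([A-Za-z0-9][A-Za-z0-9.-]*\.[A-Za-z]{2,})")


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.found = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.found.append(tuple(self._open))
            self._open = None


def real_host_of(href: str) -> str:
    """Host part of a URL with case preserved.  urlparse(...).hostname would
    lower-case it and erase a capital I posing as l, so strip any user info
    and port from the netloc ourselves."""
    netloc = urlparse(href).netloc
    return netloc.rsplit("@", 1)[-1].split(":")[0]


def audit_links(html: str) -> list:
    """One finding per anchor: the real host, its classification, and whether
    the visible text showed a different domain than the href (masked link)."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.found:
        real_host = real_host_of(href)
        shown = _HOST_IN_TEXT.search(text)
        shown_host = shown.group(1) if shown else ""
        masked = bool(shown_host) and (
            registrable_domain(shown_host).lower()
            != registrable_domain(real_host).lower()
        )
        findings.append({"text": text.strip(), "host": real_host,
                         "verdict": classify_host(real_host), "masked": masked})
    return findings


# Constructed sample modelled on the masked-link phish described above.
SAMPLE_EMAIL = """<p>Your TUmail quota is full.
<a href="https://tumail.temple.edu/">Sign in</a> to keep receiving mail, or go to
<a href="http://tumail.temp1e.edu/login">https://tumail.temple.edu/login</a>
to upgrade. Questions? See
<a href="http://temple.edu.account-verify.example/">our help desk</a>.</p>"""

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL):
        print(finding)
```

Run as a script, it prints one finding per link: the first is trusted, the second comes back as a lookalike with masked set (the visible text says temple.edu but the href says temp1e.edu), and the third is a lookalike because temple.edu only appears in the middle of a foreign host. The confusable table is deliberately small; a production filter would use a full Unicode confusables list and a public-suffix library, neither of which this example depends on.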

The last thing I would like to leave you with is this: whenever you suspect your account credentials may have been compromised, go to our website by typing accounts.temple.edu into the address bar and change your password. It is better to be safe than sorry, because once you are hooked, the phisher is going to reel you in.