University Times

Although a recent attempt to trick University email users into divulging sensitive information — a practice known as “phishing” — prompted Computing Services and Systems Development to post a security alert few, if any, users were fooled, said CSSD director Jinx Walton.

The phishing scam came in the form of an email purportedly from the “Pitt team” with the subject line “upgrade your Pittsburgh webmail account now.” The poorly worded message asked recipients to give their user name, password, date of birth and security question and answer, warning that “any mail user that refuses to send his/her verification details with in the next seven (7) days of receipt of this mail, his/her mail account will be erased permanently from the site.”

The fraudulent message sent March 4 is among many that bombard University accounts regularly. Others came disguised as holiday greetings around Christmas and Valentine’s Day, Walton said.

While some technology industry analysts estimate that spam makes up as much as 90-95 percent of all email that is sent, only about 55 percent of the messages sent to University email accounts are spam, Walton said. In an average month, she said, Pitt’s spam and virus filter prevents about 19 million spam messages and 300,000 virus messages from arriving in users’ inboxes. The filter is enabled automatically on Pitt accounts, but users can adjust the filter strength.

“Spammers spend all their time trying to get around all these filters,” Walton said.

Not all phishing attempts merit a mention on the CSSD web site (http://technology.pitt.edu), but when they look as though they’re from the University or when they create a buzz in the security community, CSSD alerts the “expert partners” group of information technology staffers throughout the University. Security alerts also are posted prominently on the web site.

Walton said anyone who disclosed his or her user name and password should contact the technology help desk for assistance in creating a new password.

“Most people in the University have learned not to click on these,” Walton said, adding that if even a handful of users had contacted the technology help desk about the March 4 email, she would have been alerted.

The University’s spam filters catch lots of the phishing attempts, but users should ignore any that actually are delivered. “You should never respond to emails or click on links asking for confidential information,” Walton said. “No legitimate company would ask you to send confidential information by email.”

When computer hackers attempt to compromise Pitt’s network, typically they’re trying to gain access to its speed in order to send volumes of spam messages, Walton said. They also could use Pitt’s network to try to hack into other machines. Although CSSD monitors the system for unusual activity and typically would catch it quickly, millions of spam messages could be sent in just a day or two, she said.

If Pitt accounts appear to be the source of spam, individual Internet providers on the receiving end can start blocking email traffic from pitt.edu addresses. Appearing to be a spammer not only does damage to the University’s reputation, it wastes time for legitimate users who find their email returned as undeliverable with a message indicating that it’s because their pitt.edu addresses have been blacklisted.

If the blockade lasts even a day or two while the issue is resolved, “It’s inconvenient to people in the University because they can’t get their mail out,” Walton said.

Phishing attempts go far beyond merely trying to obtain passwords. Some seek to trick recipients into divulging bank or credit card account numbers or Social Security or driver’s license numbers that can result in identity theft.

Additional information is available at www.ftc.gov/idtheft.

Walton said email users are becoming increasingly aware of spam and most know not to divulge personal information or open suspicious emails or attachments. However, if a Pitt user inadvertently clicks on a suspicious link or attachment, she advises they disconnect from the network and call the technology help desk at 4-HELP (4-4357).

—Kimberly K. Barlow