Email phisher gains access to over 300 student accounts
A suspected South Africa-based scammer has gained access to hundreds of student emails in the largest series of phishing attacks the University at Albany has faced, according to officials.
On Thursday, Chief Information Security Officer Martin Manjak sent a campus-wide email urging all students to change their passwords as a precaution, saying that Information Technology had already shut down more than 300 accounts after the scammer tricked students into giving him or her their passwords.
Hours later, the phisher used this email alert to try to defraud more students. The scammer copied Manjak’s alert and sent it from student accounts he or she already controlled.
“More than 300 student accounts have been suspended after their passwords were compromised, to reactivate your account click Albany and provide your login details,” said the phishing attempt.
The real Manjak said on Friday that Information Technology Services tracked many of the phishing attempts to South African IP addresses.
“We know his email, firstname.lastname@example.org,” said Manjak. “That was extracted from the headers of his messages and was found in several different types of spam/phish he sent.”
Manjak said that the email address has been tied to fraud elsewhere in the world, calling this type of scam a “419 fraud.”
The scam, also called advance fee fraud or “the Nigerian scam” — named after the notoriety Nigerian criminal gangs have gained from using it — involves promising a vast sum of money to a target.
All you have to do, promises the scammer, is pay a small advance fee. The perpetrator then pockets this cash and moves on to the next target.
ITS reported that the fraudster had used student accounts to send emails asking for help moving money out of the country. In other examples, they simply used student accounts to phish for more student security information.
One victim of the phishing attacks was Illuminada Aponte, a social welfare student.
After Aponte clicked on a link in an email last week and entered her information, the phisher used her account to send more scam emails, including the one impersonating Manjak.
On Friday morning, Aponte woke up to find that she was locked out of all UAlbany accounts — Blackboard, email, MyUAlbany, and more.
“It’s scary,” said Aponte. “I think they should definitely get me a new account and investigate what’s really happening.”
ITS plans to allow students with compromised accounts to change their passwords, rather than assigning new accounts to the hundreds affected.
Manjak, who has been UAlbany’s chief information security officer since 2006, said this was a particularly pernicious bout of phishing attacks.
“We’ve had two previous campaigns in 2016 and 2017, but this is the most persistent and has had the largest impact,” he said.