USyd emails fall into mass phishing scam

The outbreak follows a state report that found NSW universities’ cyber security standards to be insufficient

Approximately 3000 USyd students were targets of a phishing attack this week, with some students receiving multiple emails requesting their UniKey username and password.

A variation of the phishing emails that circulated student inboxes.

“It is phishing—it’s asking [staff and students] for their information, and when they put that in, then their account gets compromised, and then their account gets used to send more scams out,” a USyd ICT support staff member confirmed. Phishing harvests personal details or credentials, which can in turn be used for fraud and identity theft, or, as here, to send further scam emails from a trusted account.

The string of emails was brought to ICT’s attention on Tuesday, but emails continued to appear until late Thursday. Yesterday afternoon ICT contacted the students who had been sent the scam with warning procedures; an internal alert had gone to staff a couple of days earlier.

“Our ICT team has been in direct contact with most students affected and taken a range of actions including recalling malicious emails, blocking URLs and advising students to immediately change passwords,” said a University spokesperson.

Phishing email warning sent to students who were targeted by the scam. Source: University of Sydney ICT

The URL block was applied on USyd’s network, so it only protected recipients who opened the email on campus. Anyone opening it off-campus could still reach the fraudulent pages, which was the case for most students during the winter break.

“If [students] unfortunately enter their details into those pages, we will get notified and we will stop that account”, the ICT staff member said. Those affected then have to reset their password.

The scam comes a week after it was revealed that ANU’s data systems were compromised by international hackers last year, with students only informed last Friday. ANU stated that no student, staff or research data had been stolen; however, access to campus online services was taken down to mitigate the threat.

Only a month ago, the Audit Office of NSW found a gap in tertiary education cyber security in its 2017 university review. Of most concern were issues relating to “theft of information, denial of access to critical technology, or even the hijacking of systems for profit or malicious intent”. The report recommended that universities across the state better prepare for data threats and incidents, and provide sufficient digital literacy training and education.

The most common cyber security issues at universities in NSW. Source: Audit Office of NSW

It is not clear who or what is behind the recent phishing attack, but, strangely, some of the emails ask users in Spanish to think of the environment before printing the message. The link in the scam email leads to a page carrying the USyd logo that imitates the Sydney Student login page and asks the user to log in, capturing whatever credentials are entered.

Subject lines vary, reusing a previous email chain or sent message to appear legitimate, and some ‘senders’ use a USyd email address. The body claims the server is ‘Unable to show this message’ and prompts the recipient to press a button to view the full message on a new page.

“It looks pretty obvious,” the ICT staff member said of the page’s appearance. “The number of people affected is not that much, but considering the population of the University, it is quite high. But [it is] a minority that have actually responded to the email,” they said.

ICT assured that no other services or datasets associated with UniKey login details were compromised.

A University spokesperson said, “We are committed to protecting our community digitally and encourage students and staff to report malicious emails to the ICT Service Centre on 1800 SYD UNI (1800 793 864)”.