A phishing email scam released on Saturday, 1 June, has prevented thousands of students from accessing their university portal and has lead to the release of a stream of fake emails to external companies from student accounts.
The email, disguised as a personal account name, contains a preview that reads [message clipped] “view entire message.” When opened, a link embedded in the email leads to a compromised, fake university website that mimics the appearance of a University portal. University emails are pre-entered on the system in an attempt to coax students to enter their passwords. Once entered, the bot releases emails to external insurance and recruitment company addresses. Many students also found they could no longer access the university portal or Canvas after opening the email.
USyd ICT was made aware of the scam early Sunday morning and an email alert was sent out late Sunday afternoon advising students and staff to change their unikey or password if they believed they had submitted it during the attack. However, many students were unable to access their portal to change their password, having had their account blocked over the course of the weekend by the scam.
“Thousands of University of Sydney staff and students’ mailboxes in Office 365 were the target of a sophisticated and automated phishing attack that also appears to be targeting other universities,” a University spokesperson told Honi. Phishing emails attempt to obtain confidential information by chaining spam links to gain access to passwords and account details later used for financial gain or fraud.
“I’m pretty sure emails were sent to many students, lecturers and services from the uni. Emails were also sent from my address to external companies I’d never heard of,” said one affected student.
USyd ICT is still working to contain the outbreak of emails and it remains unclear unclear how many other universities have been affected by the scam.
“As of 3 June, the phishing attack is still ongoing but largely contained and the University’s ICT teams are actively managing the threat, removing emails from recipient mailboxes and resetting Unikey passwords for suspected compromised accounts,” ICT support told Honi
This phishing incident is the third affecting USyd since December. In May 2019, emails were sent to staff disguised as salary increase notifications from HR and finance addresses. In December 2018, staff were sent emails masquerading as university admin notifications. Both chains, once opened, sent users to a fraudulent login page.
Last year, Honi reported over 3000 students were sent phishing emails attempting to gain access to university passwords. An attachment image inside the email “failed to load” but once the link was opened, unregulated emails were sent to several university educators across faculties from student accounts.
“I didn’t think much of it until I had emails from 15 different educators asking me what I had sent them, which confused me,” said a student affected by the October/November phishing scam. “Only one academic sent back a message saying it appears I may have been hacked.”
A scam of this magnitude has caused unnecessary stress to students in the midst of this semester’s final exam period. “I’m a little worried as finals are coming up and there’s a lot of work still to be done,” said one affected student on Sunday.
In response to this outbreak the University has published a ‘Knowledge Base’ article on phishing email scams. Further communication through Canvas and MyUni also continues between students and ICT support staff.
“Phishing is a persistent and sophisticated threat and one that cannot be completely addressed through technical controls,” said USyd ICT support.
“It is important that staff and students are aware of how to recognise and respond appropriately to phishing emails.”