Phishing e-mails cause problems

On Feb. 5, someone, somewhere hit “send.” Seconds later, hundreds of College of William and Mary e-mail users received a message that appeared to be from the College’s Information Technology department.

The IP address on the e-mail indicates the sender was in Nigeria, but internet criminals often hide their tracks.

The message asked for students’ names, user identifications, passwords and dates of birth. If students responded, then they put their confidential information in the hands of someone trying to hack into their accounts.

At the College, internet security professionals encounter these schemes, called phishing, on a daily basis. They try to protect students by having the College’s network identify these e-mails as spam, but internet criminals are constantly improving their tactics to thwart filter detection.

Still, most students recognize these messages as scams and discard them. Only one student this semester has responded to a phishing e-mail, sending private information to a hacker halfway around the world.

Once logged into a College webmail account, these hackers often send spam about fake lotteries to thousands of people, according to IT Security Engineer Matt Keel ’99. The lottery messages usually read,

“You’ve won! Send us processing fees, and we’ll promptly send back your winnings — typically around $2 million.”

Gullible victims send the processing fees and never receive a reply.

People all over the world receive these lottery messages, often sent by student e-mail addresses at American universities. Keel works with other IT security professionals to make sure that when a student does respond to a phishing message, the account never gets hacked.

The stakes are high — if the person in Nigeria who sent the initial e-mail hacks into College accounts and uses them to send lottery schemes all over the world, the entire College e-mail server could end up on a blacklist. Once on a blacklist, legitimate outgoing e-mails from any College account could be prevented from reaching intended recipients.

“When these phishing e-mails come in, we block wherever it came from and also block outgoing responses,” Keel said. “If someone checks their e-mail in Swem, and later I see a login in Nigeria, I take them off the network.”

The account stays off the network — unable to access any web page except an explanatory message from IT — until the account holder changes their compromised passwords.

In the first week of April, IT detected a total of 450 phishing messages sent to College e-mail accounts, of the two million e-mails processed that week by the College’s server. This semester, only one student has responded to a phishing message, compared to 29 who responded last semester. Of those 29, four students had their accounts hacked.

The spammers logged into the four accounts before IT could identify the problem and take the accounts off the network.

“Some of these people are making a decent amount of money doing this,” Keel said.

A decade ago, Keel was an economics major at the College and worked at the IT Help Desk. Back then, hacking was mainly a hobby for anarchist teenagers rebelling against what they saw as an evil corporation — Microsoft. Today, the schemes are more sophisticated and are concocted by professionals.

“It used to be about teenagers playing pranks,” he said. “Now it’s about making money.”

In the College’s computer science department, students are tackling these problems from an entirely different perspective.

“This is one of the most severe internet security problems,” Chuan Yue Ph.D. ’09 said. Luckily, he has developed an idea with the potential to significantly reduce the number of successful phishing attacks.

Sitting in a computer lab in McGlothlin-Street Hall, Yue describes how he created BogusBiter, software that sends fake information to those trying to steal real information.

Phishing e-mails often link to malicious websites that imitate real websites, Yue explains. An internet criminal might set up a website that looks exactly like eBay.com, so that those unlucky enough to wind up on the phishing site unknowingly enter their eBay username and password. The site’s creator then has that information and can use it to hack the person’s real eBay account.

Creators of these fake sites lure people to them by inserting links in phishing e-mails. With BogusBiter installed on their computers, those who fall for the scheme would be protected. Once the built-in detection program on a computer’s web browser identifies a website as malicious, BogusBiter sends fake username and password combinations to the site’s creator, mixed in with the real information the site’s creator is trying to steal. It’s hard for the internet criminal to distinguish the real information from the fake information, meaning the stolen passwords are useless.
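As an added illustration (not code from the article or from the BogusBiter paper), the following Python simulation shows the idea described above and why the imitated site has to take part: the client submits the real credential hidden among bogus ones, and a lockout policy at the legitimate site is what turns the bogus entries into a trap for whoever replays them. The one-character password mutation, the sample user database and the lock-after-one-failure rule are assumptions made here, not BogusBiter’s actual mechanism.

```python
import random

# Constructed sample user database for the legitimate (imitated) site.
SITE_USERS = {"alice": "Tribe2009!", "bob": "swem-library"}

class LegitimateSite:
    """Assumed policy at the imitated site: lock an account after
    max_failures wrong passwords, so a replayed batch gets few guesses."""

    def __init__(self, users, max_failures=1):
        self.users = dict(users)
        self.max_failures = max_failures
        self.failures = {u: 0 for u in users}
        self.locked = set()

    def login(self, username, password):
        if username not in self.users or username in self.locked:
            return False
        if self.users[username] == password:
            return True
        self.failures[username] += 1
        if self.failures[username] >= self.max_failures:
            self.locked.add(username)  # flag as compromised, take offline
        return False

def mutate_password(password, rng):
    """Assumed bogus-password scheme: change one character so the fake
    looks as plausible as the real password to whoever harvests it."""
    alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!-"
    i = rng.randrange(len(password))
    while True:
        c = rng.choice(alphabet)
        if c != password[i]:
            return password[:i] + c + password[i + 1:]

def bogus_biter_batch(username, password, k, seed=0):
    """Client side: after the browser flags the page as phishing, submit the
    real credential hidden among k distinct bogus ones, in random order."""
    rng = random.Random(seed)
    fakes = set()
    while len(fakes) < k:
        fakes.add(mutate_password(password, rng))
    batch = [(username, password)] + [(username, f) for f in sorted(fakes)]
    rng.shuffle(batch)
    return batch

def phisher_replay(site, batch):
    """What the site sees when the harvested batch is tried one by one:
    True only if some attempt logged in before the account locked."""
    return any(site.login(u, p) for u, p in batch)
```

With ten credentials per victim and a lock after the first failure, the harvested batch yields the real password only when it happens to be tried first, and every other ordering locks the account and flags it as compromised.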

Yue co-wrote a paper with computer science professor Haining Wang advocating BogusBiter. At this year’s graduate research symposium, the paper won the William and Mary Award for Excellence in the Natural and Computational Sciences, a $500 prize. But Yue believes it’s unlikely that BogusBiter will ever be implemented effectively, as the program only works if the legitimate sites that are being imitated deploy BogusBiter.

“On a large scale, it’s hard to persuade many sides to adopt this approach,” Yue said. “It’s very hard to persuade some sites to deploy a new defense mechanism.”

Back in the basement of Hugh Jones Hall, Keel continues monitoring the College’s network. Suddenly, a message pops up on the big-screen computer monitor mounted on the wall in front of him, alerting Keel to an entirely different type of professional internet scheme. Snort, the open-source software that IT uses to detect intrusions, has identified a potential threat — what appears to be malicious software infecting a student’s computer.

Keel never loses his relaxed composure. Wearing jeans and a green T-shirt, a Diet Coke sitting on his desk, he drags the computer mouse across the three large monitors on his desk, analyzing dizzying lines of letters and numbers.

Keel soon identifies the potential threat as a “false positive.” Turns out a student tried and failed to access an encrypted website. There was no threat.

Typically, once or twice a day an intruder does try to enter a computer on the College network. This happens when people unknowingly download viruses or visit malicious websites, often by clicking on flashy banner advertisements — usually on websites that accept advertising from less-than-reputable sources. The ads usually display a message saying that the computer is infected. They then instruct the user to download anti-virus software that is, in fact, malicious software that will take over the machine.

The virus might install a keystroke logger on your machine to record everything you type, like bank information. It then sends that information back to the virus’s creator. Or the virus might cause all infected computers to log on to a website, simultaneously overloading the site with traffic and shutting it down.

“If they can get thousands of machines together, they can attack larger machines,” Keel said. “They send tons of traffic to a business to prevent legit traffic. They might say, ‘Give us $50,000 or we’ll knock your site offline.’”

Keel recommends that students protect their computers from malicious software by downloading Sophos, anti-virus software offered for free on the College’s IT website.

In the fall, many students were infected by one virus. Keel traced the malicious software to a banner ad on the now-defunct website juicycampus.com.

When student computers are infected by such a virus, IT security professionals prevent those computers from accessing the College network where they might infect others. If the infection occurs at night when IT’s security professionals are off duty, it typically gets taken care of in the morning. But if the night-time infection disrupts the network, the system pages the IT engineers, who must wake up and handle it.

Last semester, Student Assembly President Sarah Rojas ’10 was kicked off the College’s network when her computer was infected with a virus.

“I logged on to the internet, and all the sudden it said you have to come to IT to be able to access the internet again,” Rojas said. “They were swamped that day because so many people were infected.”

Three days later, her computer was returned, virus-free. Rojas doesn’t know how she got the virus, and she doesn’t remember clicking on any banner ads.

It is often the case that people never know how they get viruses.

Each day, criminal programmers are searching for newer and sneakier ways to infect machines. In his time as the College’s security engineer, Keel has watched malicious software evolve, both in quantity and quality.

It has gone from a hobby for young pranksters in their basements to a scheme for professional criminals all over the world.

Does Keel think these internet criminals are winning the fight?

“I’d have to say they’re doing pretty well.”
