The University is warning that some students may have unknowingly given away personal information using the University’s e-mail system last month. Scammers used “phishing” tactics through University e-mail to acquire passwords and other potentially sensitive information. Students can still take steps to prevent such attacks.
During spring break, members of the University community reported receiving e-mails that asked them to click on a link to read “important University of Oregon news,” according to an e-mail sent to students from Information Systems. The link takes users to a page that looks similar to DuckWeb, but the page is fake.
Some students entered their Duck ID password into the fake Web site, said Jon Miyake, the acceptable use policy officer with Information Services, in an e-mail. The department is working with the individuals to secure their accounts.
It is unclear how the phishers obtained the e-mail addresses. The incident is under investigation, Miyake said.
The phishing Web site can no longer be accessed through the University network, Miyake said. After members of the department discovered the attack, they sent an e-mail to all students and posted a warning on the University’s home page.
Last year, Oregon Community Credit Union phishers sent bank customers, some of whom were University students, faculty and staff, a fraudulent e-mail. The e-mail tried to prompt customers to give away personal information. One student lost $1,000 in the scam.
Andre Chinn, coordinator of instructional technology for the School of Journalism and Communication, helped discover last year’s scam.
Protect Your Information
| For those who entered information on the fake DuckWeb page, Information Services advised students to: ? Change Duck ID password and security answers at https://duckid.uoregon.edu; ? Check e-mail for any suspicious activity, and check to see that the account was not used to send an e-mail you didn’t write; and ? E-mail Information Services at [email protected] or call 346-4412 to report any suspicious activity. |
“This new one is unique in that it exclusively targets the University of Oregon system,” Chinn said. “Traditionally, phishing attacks are geared toward credit cards and bank accounts.”
Chinn said he is puzzled as to why someone would want University account information.
“Usually people are trying to get financial information.” Chinn said, adding that the timing of the scam wasn’t effective because students may not have checked their University e-mails during spring break. “Usually these criminal types aren’t the most brilliant, though.”
Grant Castner, instructor of information systems in the Lundquist College of Business, said scammers may be searching for usernames and passwords.
“They might want the user’s personal information to possibly get more information about that person as part of identity theft, or they may want to further break into University systems to use for some other attack,” Castner said.
Chinn said phishing attacks are holding steady from last year, but he said he has not seen an increase in the attacks.
“If anything, I think people who are launching phishing attacks are trying a wide variety of other things. Browsers are becoming more savvy now,” Chinn said, adding that scammers are trying telephone phishing attacks in which a recorded message asks for personal information.
Students should be careful to avoid identity theft when using the Internet.
Castner said to always type a link into a browser instead of clicking on a link in an e-mail. He said to also use an e-mail system that blocks spam and to watch for alters from browsers that warn of fraudulent Web sites.
[email protected]
