Caught by the Phisher-men?

James Stone has one of the cooler sounding job titles at Boston University: high-technology crime investigator. Despite the title, the work is far from glamorous. In fact, a lot of the time it’s downright annoying, kind of like spam. Well, exactly like spam. Stone, a 24-year veteran of the Office of Information Technology, and his crew of computer whizzes man the front lines of a constant battle with the latest e-mail and phishing scams that try and angle their way into University in-boxes. With new online confidence schemes popping up all the time, Stone describes the effort as a relentless game of cat and mouse. BU Today recently spoke with Stone about what students, faculty, and staff should know when it comes to widowed Nigerian millionaires, unpaid eBay item messages, and Kerberos passwords.

BU Today: A couple months ago, BU employees received an e-mail from your office saying phishers were trying to obtain BU passwords and user names. What was that all about?
Stone: Traditional phishing schemes almost always involve money or identity theft, which generally leads to money. But more and more, we’re seeing a different kind of phishing. A typical one purports to be from Boston University, or some other university administration, saying, “We need to reverify your account” or “There’s a security problem with your account.” They ask for your last name, e-mail user name, e-mail password, date of birth. In the case of BU, they want your log-in name and Kerberos password. The most important thing to remember is that the University would never ask for your Kerberos password. We won’t ask for your social security number. We will not ask personal and confidential information from you, especially not in an e-mail request.

So what are they after, if not money?
This scam is for a completely different reason: spamming. If people get a log-in name and Kerberos password, for any institution, they have entree to the facilities that send out electronic mail for that institution. That means they can send out large amounts of spam. It doesn’t cost them anything.

Haven’t most people already wised up to phony eBay messages and the pleas of wealthy Nigerian widows? Why do phishers keep bothering with these?
Millions and millions, maybe even billions, of these have to go out over the course of a year to get a few people to fall for it. Most people are familiar with the schemes where people clone Web sites for Paypal, Citibank, Citizens Bank, Bank of the West and try to convince you they are, in fact, this bank. A lot of people receive these for banks they don’t do business with, so they flush them. But the more they send out, the higher the likelihood that one is going to land in somebody’s in-box for the bank they do, in fact, do business with. That’s when the danger level starts going up. The eBay notice about an item purchased annoys me in particular because it’s past the innocuous stage. It’s really is trying to suck you in — did I buy that because I’m a regular eBay user?

Could giving up your Kerberos password lead to identity theft?
That’s a leap, but it’s not impossible. It’s not an immediate danger. Your social security number, I believe, is a hidden field. But we do not want people giving up their log-in name or Kerberos password. Those passwords protect access to a lot of electronic storage: your in-box, your saved folders, disc storage on machines around campus, the student link, the faculty link, your salary. In the wrong hands of somebody who’s diligent and educated about how an institution works, they definitely could go on a shopping spree for data. What they’ll find I don’t know. But would you want somebody going through all your e-mails? Give away your log-in name and Kerberos password and you’re giving up some privacy.

What are some signs to look out for in unfamiliar e-mails?
The reply-to field is generally not the same as the purported sender. We often see that the reply field will be England or Nigeria or wherever. Because in order for any of this information to be useful, the stuff that people answer — which they shouldn’t — has to go back into the hands of somebody who can use it for more phishing schemes or whatever purposes they want it for. So that’s always a dead giveaway. Poor grammar and nontraditional use of capitalization for the organization are also giveaways. For instance, you never see BU with an upper-case “B” and a lower-case “u.” No officially sanctioned BU communication would have this. There’s no such thing as “BU.edu BETA.” There’s no such thing as the “BU team.” These entities don’t exist. But the take-home lesson is: if you’re not answering, you don’t have to look for anything. Just don’t reply.

Are other universities and colleges reporting similar schemes?
A number of them are seeing this one. In fact, before we saw it here, we heard about it at other institutions. So we started putting in some bells and whistles looking for it because we figured eventually it’ll hit this campus. We wanted to see what we could do in terms of protection and detection. So when the first one actually occurred, we were ready for it. We were pretty quick with the warning that went out to the community saying watch out for this stuff and don’t answer it.

What happens when you spot fraudulent use of a BU account?
It’s not fun. People’s accounts get compromised, and we have to shut them down. Sometimes they get annoyed or they’re clearly inconvenienced because they lose access and they’re not sure why. In some cases, we have to act quickly. We make an effort to get in touch with people we’re about to shut down, but if I’m unsuccessful, I have to shut the account down first and let people yell at me later. But a lot of people will call up and say, “I know why you shut me down. What do I need to do?” We don’t have many repeat customers. I rarely speak to the same person twice.

So what should someone do if they make the mistake of sending information?
It’s as simple as changing your Kerberos password. Once you change your password, the password you just sent is totally useless.

To learn more about phishing schemes, click here.

Caleb Daniloff can be reached at cdanilof@bu.edu.