Apparently using a common internet deception called phishing, scammers obtained log-in information allowing them to change direct deposit routing information for the paychecks of 10 BU employees in December. The employees’ monthly paychecks were then routed elsewhere.
How the phishers, who usually obtain confidential information via an email solicitation claiming to be from a legitimate organization, got the employees’ private usernames and passwords is unclear. Quinn Shamblin, BU executive director of information security, says they most likely conned the employees with “sophisticated phishing messages.”
BU is one of several universities victimized by phishers recently, and the FBI is investigating all of the cases. As required by law, the University has alerted the Massachusetts attorney general and the state’s Office of Consumer Affairs and Business Regulation.
The Boston University Police Department and University technology personnel are working with federal investigators on the case. “There are no suspects at this time,” says BUPD Detective Lieutenant Peter DiDomenica.
The University learned of the attack when several employees reported that they hadn’t received their direct deposit paychecks for December. Another university informed BU that one of its employees received a direct deposit that wasn’t hers. Erika Geetter, BU vice president and general counsel, says the amount and bank routing information of that deposit were identical to those of one of the 10 victimized BU employees.
Shamblin says that logins from suspicious internet protocol (IP) addresses reached the Kerberos accounts of 78 employees last month, but the attackers apparently went on to breach only 10 Employee Self-Service (ESS) accounts, which contain direct deposit bank information. The University is investigating whether the remaining 68 were compromised, but Shamblin says that “we have no indication at this time that sensitive information for this population was accessed.”
The suspicious IP addresses, he says, were located in the United States and Africa. “It is extremely common for people engaged in this kind of criminal activity to attempt to hide their location by routing their traffic through a variety of computers between them and the intended victim,” says Shamblin. “This means that the IP addresses we detect at the far end may have nothing whatsoever to do with the actual attacker.”
Shamblin urges employees to confirm important financial transactions as a matter of routine. “When the monthly notice from BU tells you your paycheck has been sent, I would recommend that you check your bank to make sure it properly arrived and notify Payroll or Human Resources immediately if there’s any discrepancy,” he says. “The system cannot tell if the bank account information it contains is accurate. The only way we will know if there’s a problem is if you detect and report it.”
He recommends that anyone who gets suspicious emails report them by forwarding the messages to firstname.lastname@example.org.
And of course, adds DiDomenica, “Never provide usernames and/or passwords to any unsolicited requests made by email or by telephone.”
The University is analyzing emails from the BU victims to try to identify any phishing emails connected to the scheme. University officials are working with their counterparts at other schools and with law enforcement authorities to identify suspect IP addresses. BU temporarily shut down its ESS service on January 2 after learning of the breach, and restored the service on January 5 for all except 510 employees who changed their direct deposit information in December. It has notified those workers to confirm that they made those changes; their ESS accounts will remain disabled until they confirm.
In its notification letter to Attorney General Martha Coakley (LAW’79), the University says it will monitor all changes made to direct deposit information through ESS daily until authorities are confident that this scheme is no longer a threat.
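The daily review of direct deposit changes described above, and the decision to hold ESS access for anyone whose change cannot be vouched for, can be scripted. The following is an added illustration written for this article; it is not BU's monitoring system and the log formats, user names, IP addresses, campus network range and account numbers are all constructed. It correlates each direct deposit change with the source IP of the session that made it, compares that IP against the addresses the employee logged in from before the review window, and, following the clue in the article that two victims' deposits carried identical routing details, clusters changes by destination account so that several employees being redirected to the same account is flagged on its own. Geographic or off-campus origin is treated as a weak, secondary signal, for the reason Shamblin gives: the IP at the far end may have nothing to do with the attacker.

```python
"""Daily review of direct-deposit changes correlated with login source IPs.

Added example, not BU's code. Assumed (constructed) log formats:
  auth log:   "<ISO timestamp> <user> <src_ip> <service> <result>"
  change log: "<ISO timestamp> <user> <src_ip> <old_routing>:<old_acct> <new_routing>:<new_acct>"
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample data: users, IPs, routing/account numbers are hypothetical.
AUTH_LOG = """\
2013-11-04T09:12:00 alice 10.20.30.40 kerberos ok
2013-11-18T13:45:00 alice 10.20.30.40 kerberos ok
2013-11-05T08:30:00 bob 10.20.31.7 kerberos ok
2013-11-20T17:02:00 carol 10.20.33.9 kerberos ok
2013-12-02T03:14:00 alice 198.51.100.23 kerberos ok
2013-12-02T03:20:00 bob 198.51.100.23 kerberos ok
2013-12-03T11:00:00 carol 10.20.33.9 kerberos ok
"""

CHANGE_LOG = """\
2013-12-02T03:16:00 alice 198.51.100.23 011000015:1111 091000019:9999
2013-12-02T03:22:00 bob 198.51.100.23 011000015:2222 091000019:9999
2013-12-03T11:05:00 carol 10.20.33.9 011000015:3333 011000015:4444
"""

# Assumed campus/VPN address space; anything else is "off campus" (weak signal).
CAMPUS_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# Start of the review window (the month in which the changes are being audited).
REVIEW_START = datetime(2013, 12, 1)


def parse_auth_log(text):
    events = []
    for line in text.splitlines():
        ts, user, ip, service, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ipaddress.ip_address(ip), "service": service,
                       "result": result})
    return events


def parse_change_log(text):
    changes = []
    for line in text.splitlines():
        ts, user, ip, old, new = line.split()
        changes.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "ip": ipaddress.ip_address(ip), "old": old, "new": new})
    return changes


def baseline_ips(auth_events, review_start):
    """Source IPs each user successfully logged in from before the review window."""
    seen = defaultdict(set)
    for e in auth_events:
        if e["result"] == "ok" and e["ts"] < review_start:
            seen[e["user"]].add(e["ip"])
    return seen


def off_campus(ip):
    return not any(ip in net for net in CAMPUS_NETS)


def flag_changes(changes, auth_events, review_start):
    """Return {user: [reasons]} for every in-window change that looks suspicious."""
    baseline = baseline_ips(auth_events, review_start)
    # Strongest signal: several employees redirected to one destination account.
    users_by_dest = defaultdict(set)
    for c in changes:
        if c["ts"] >= review_start:
            users_by_dest[c["new"]].add(c["user"])
    flagged = {}
    for c in changes:
        if c["ts"] < review_start:
            continue
        reasons = []
        if c["ip"] not in baseline.get(c["user"], set()):
            reasons.append("changed from an IP this user never logged in from before")
        if off_campus(c["ip"]):
            reasons.append("changed from outside campus/VPN ranges (weak signal)")
        others = users_by_dest[c["new"]] - {c["user"]}
        if others:
            reasons.append("same destination account also set by " + ", ".join(sorted(others)))
        if reasons:
            flagged.setdefault(c["user"], []).extend(reasons)
    return flagged


def accounts_to_hold(flagged):
    """Users whose ESS access stays disabled until they confirm the change out of band."""
    return sorted(flagged)


def run_daily_review():
    return flag_changes(parse_change_log(CHANGE_LOG), parse_auth_log(AUTH_LOG), REVIEW_START)


if __name__ == "__main__":
    flags = run_daily_review()
    for user in accounts_to_hold(flags):
        print(f"HOLD {user}: " + "; ".join(flags[user]))
```

On the constructed data, alice and bob are held (new source IP, off campus, and a shared destination account), while carol's change from her usual campus address to an account nobody else uses passes. The confirmation step itself stays out of band, by phone or in person through Payroll or HR, because an attacker who already holds the Kerberos credentials can answer any confirmation sent to the account.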