Internet Scammers Change Some BU Direct Deposit Accounts
University investigates and offers advice to workers
Apparently using a common internet deception called phishing, scammers obtained log-in information allowing them to change direct deposit routing information for the paychecks of 10 BU employees in December. The employees’ monthly paychecks were then routed elsewhere.
How the phishers, who usually obtain confidential information via an email solicitation claiming to be from a legitimate organization, got the employees’ private usernames and passwords is unclear. Quinn Shamblin, BU executive director of information security, says they most likely conned the employees with “sophisticated phishing messages.”
BU is one of several universities victimized by phishers recently, and the FBI is investigating all of the cases. As required by law, the University has alerted the Massachusetts attorney general and the state’s Office of Consumer Affairs and Business Regulation.
The Boston University Police Department and University technology personnel are working with federal investigators on the case. “There are no suspects at this time,” says BUPD Detective Lieutenant Peter DiDomenica.
The University learned of the attack when several employees reported that they hadn’t received their direct deposit paychecks for December. Another university informed BU that one of its employees received a direct deposit that wasn’t hers. Erika Geetter, BU vice president and general counsel, says the amount and bank routing information of that deposit were identical to those of one of the 10 victimized BU employees.
Shamblin says that users of suspicious internet protocol (IP) addresses gained access to the Kerberos accounts of 78 employees last month, but they apparently breached only 10 Employee Self-Service (ESS) accounts, which contain direct deposit bank information. The University is investigating whether the remaining 68 were compromised, but Shamblin says that “we have no indication at this time that sensitive information for this population was accessed.”
The suspicious IP addresses, he says, were located in the United States and Africa. “It is extremely common for people engaged in this kind of criminal activity to attempt to hide their location by routing their traffic through a variety of computers between them and the intended victim,” says Shamblin. “This means that the IP addresses we detect at the far end may have nothing whatsoever to do with the actual attacker.”
Shamblin urges employees to confirm important financial transactions as a matter of routine. “When the monthly notice from BU tells you your paycheck has been sent, I would recommend that you check your bank to make sure it properly arrived and notify Payroll or Human Resources immediately if there’s any discrepancy,” he says. “The system cannot tell if the bank account information it contains is accurate. The only way we will know if there’s a problem is if you detect and report it.”
He recommends that anyone who gets suspicious emails report them by forwarding the messages to email@example.com.
And of course, adds DiDomenica, “Never provide usernames and/or passwords to any unsolicited requests made by email or by telephone.”
The University is analyzing emails from the BU victims to try to identify any phishing emails connected to the scheme. University officials are working with their counterparts at other schools and with law enforcement authorities to identify suspect IP addresses. BU temporarily shut down its ESS service on January 2 after learning of the breach, and restored the service on January 5 for all except 510 employees who changed their direct deposit information in December. It has notified those workers to confirm that they made those changes; their ESS accounts will remain disabled until they confirm.
In its notification letter to Attorney General Martha Coakley (LAW’79), the University says it will monitor all changes made to direct deposit information through ESS daily until authorities are confident that this scheme is no longer a threat.
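The daily review of direct-deposit changes the University commits to above is the kind of control that can be automated. The script below is an added example, not BU's own tooling: it runs two defender heuristics over constructed ESS change records and Kerberos login history, flagging a change made from an IP address the account had never logged in from before, and (an added heuristic the article does not describe) several accounts being pointed at the same routing/account pair. All field names, IPs and dates are constructed.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not real BU records; years arbitrary).
# Kerberos login events: (user, source_ip, day)
LOGINS = [
    ("alice", "128.197.0.10", date(2011, 11, 2)),
    ("alice", "128.197.0.10", date(2011, 12, 1)),
    ("alice", "203.0.113.7",  date(2011, 12, 3)),  # first use of this IP
    ("bob",   "128.197.0.22", date(2011, 11, 9)),
    ("bob",   "128.197.0.22", date(2011, 12, 4)),
    ("carol", "198.51.100.9", date(2011, 12, 4)),  # no earlier history at all
]

# ESS direct-deposit changes in the batch under review:
# (user, source_ip, day, new_routing_number, new_account_number)
DD_CHANGES = [
    ("alice", "203.0.113.7",  date(2011, 12, 3), "011000015", "9001"),
    ("bob",   "128.197.0.22", date(2011, 12, 4), "011075150", "4412"),
    ("carol", "198.51.100.9", date(2011, 12, 4), "011000015", "9001"),
]


def known_ips_before(logins, user, day):
    """IPs the user had logged in from strictly before `day`."""
    return {ip for u, ip, d in logins if u == user and d < day}


def daily_report(changes, logins):
    """Map each user with a suspicious change to the reasons it was flagged.

    Heuristic 1: the change came from an IP the account had never used.
    Heuristic 2: more than one account now points at the same destination."""
    report = defaultdict(list)
    by_destination = defaultdict(set)
    for user, ip, day, routing, account in changes:
        by_destination[(routing, account)].add(user)
        if ip not in known_ips_before(logins, user, day):
            report[user].append(f"change made from previously unseen IP {ip}")
    for (routing, account), users in by_destination.items():
        if len(users) > 1:
            for user in users:
                others = ", ".join(sorted(users - {user}))
                report[user].append(
                    f"destination {routing}/{account} also set by {others}")
    return dict(report)


if __name__ == "__main__":
    for user, reasons in sorted(daily_report(DD_CHANGES, LOGINS).items()):
        print(user, "->", "; ".join(reasons))
```

In the sample batch only alice and carol are flagged; bob's change came from an IP he had used before and his destination is unique, so a reviewer's follow-up call to confirm the change goes to the two flagged employees.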
Would it be useful if people with BU email forwarded suspect phishing emails to you? I get them on a regular basis. Usually the bad grammar makes me laugh. And the From email address is not BU.
Might be time to add a challenge question to certain levels of login.
You can forward them to firstname.lastname@example.org.
The fourth to last paragraph: “He recommends that anyone who gets suspicious emails report them by forwarding the messages to email@example.com.”
Why isn’t BU asking employees to change their Kerberos password? If we don’t, they could hack our information anytime, any month.
BU has always recommended you change your password on a regular basis but leaves it to you to decide if and how often you do this. Visit http://www.bu.edu/kerberos to change it as often as you wish.
Anytime, any month… why bother changing it then?
While it’s always a good idea to change your passwords, this isn’t a case where a server was hacked and passwords decrypted… actual hacking and phishing are vastly different things. If you weren’t one of the people to give out your password, you shouldn’t have to worry about changing your password, though you always can if you want to. Obtaining someone’s logon and Kerberos shouldn’t allow anyone access to any vital BU systems or info; all vital BU systems should require another form of authentication in order to obtain access to them.
beware, hacked at BU
@XYZ – I am the Executive Director of Information Security at Boston University and part of the team that investigated this incident. Just as you suggest, one of the actions we undertook was to contact the people who had accounts logged in to from suspicious IP addresses and ask them to change their password. If you have not heard from someone in HR or the IT Help Center either yesterday or today, your account was not specifically found to have been accessed by one of the suspicious IP addresses. That said, it is a good idea to change your password periodically precisely to stymie abuse such as this, especially if you have used that same password anywhere else but at BU. (Another major way that passwords get compromised is if they are used on a different website that gets compromised.)
Also, scammers sometimes try to leverage events such as this for an additional layer of scamming. If anyone tries to contact you and says they’re going to help you change your password but asks you to tell them what your password is as part of “helping you”, hang up or delete the email. People legitimately from BU HR or the IT Help Center should be directing you to trusted resources on http://www.bu.edu to do this work. Here is where you go for instructions on how to change your password: http://www.bu.edu/tech/accounts/kerberos/reset/
Never give your password to anyone, even a friend, coworker, someone from IT or your supervisor.
I agree. Please be advised that I wanted a refund for my money to a canceled LL.M class, after some difficulties for the first time I was asked to give “only” my direct personal account info. Even though I paid by credit card. Also in the past I always had options to pay or get a refund by credit card or transfer as well. This time direct account info was the only option and people assisting me in the process advised me not to take this only option so I had to write an email with specific credit card transfer only.
Touching educational organizations such as BU is not a game; it affects a main pillar of the international flow of money to the US and its economy and business trust image locally here in the US as well. It’s a discouragement for many prospective supporters.
Would it make sense to respond to such a threat by giving out false information? Would that help catch the attacker?
A reply from Mr. Shamblin:
“Generally no. Responding in any way just lets the attacker know that a live human is at the other end of that address and they will redouble their efforts. They will also likely sell that address to other spammers/phishers as a “confirmed” live email address. Responding just buys you more of the same.”
This did not impact me, however, I recall seeing the email. This should be a wake up call for both BU IT (IS & Tech), BU IT should encourage employees only to use self-service portals for all activities, and minimize emailing employees and students clickable URLs that require ID and Kerberos passwords in order to access to a page or data.
Noticeably missing from this article is WHAT the University did for the employees whose paychecks were hijacked! As an employee, that troubles me. Were these employees, who earned their pay and did not receive it through any fault of their own, reimbursed through a hard replacement check? Perhaps hand-delivered to their workplaces?
Please let your employees know what happens in a case like this and how it is handled by the University.
I’m the Chief Human Resources Officer at BU… Absolutely, all of the employees received the pay due to them, and we worked with them on how they wanted to receive the pay – either a hard check or a wire transfer to an account of their choosing. Our goal was to ensure our employees were kept whole.
I don’t think we can say it is through “no fault of their own” – it sounds like they provided their login and Kerberos to a phishing scam. I’m sure there were many other employees targeted who knew better than to give up their information.
Why do I get so many spam emails? There must be something that can be done to prevent this. Other organizations are doing this. Wake up! How do I know my other personal information that BU has is protected?
I am completely with you that spam is an ongoing and very irritating part of life. We do have spam filters and anti-spam technology in place at BU, but many people don’t realize that there are two parts to making our defense effective. One we have already done; one needs to be done by you.
Because we have so many different kinds of people here doing so many different kinds of work, it is much more challenging to definitively determine whether a message is really spam or not. The technology we have does not remove a message totally unless it surpasses a certain threshold score. Messages that score lower than “absolutely spam” are still probably spam, but they *might* not be. We don’t want to run the risk of accidentally deleting a message that invites one of our professors to speak at a professional symposium, for example, and such a message may look very much like certain kinds of spam.
In these cases, our system marks the message as “probably spam” but still lets it through to you. If you would like to improve the efficacy of your spam removal, you can configure your end client to be more aggressive by automatically deleting messages marked in this way.
For instructions, see this page: http://www.bu.edu/tech/comm/email/unwanted-email/spam/
My opinion is that the IS&T security team is doing an excellent job in keeping us all “safe” as we do our work. What we don’t read about is all the successful rejections of network, browser, and email attacks that are happening as you read this. I imagine they could produce log files that would make our hair stand on end. The statement that this affected 10 users is serious, but I think it also means they were doing their jobs and they need to rely on us to follow the best practices and common sense suggestions outlined here – http://www.bu.edu/tech/security/resources/bestpractice/
Finally, a tip of the hat to XYZ!! Change your password regularly and keep it to yourself.
A few things:
One… this has been true since the times of AOL and dial-up… ISPs, employers, and even store websites would never ask for your passwords via e-mail; if there is an e-mail asking you to correct your password via a website, it should be just as suspect. If in doubt, just contact IS&T if it’s BU-related, or customer service.
Two, at the very least check the URL you are on; if it’s not http://www.bu.edu/whatever and you have a doubt, again contact IS&T.
Three, if you don’t want SPAM in your BU e-mail box, or at least want to drastically cut down on it…STOP entering your BU e-mail into every e-mail request box that you can.
That’s what happens when you take the entire banking system and reduce it to a bunch of 0’s and 1’s. As far as these employees being somewhat responsible, that’s nonsense: when you mandate they receive direct deposit, you bear the responsibility, period.