The online entity that accessed the payroll accounts of some Boston University employees earlier in January made another attempt to scam some members of the BU community, officials said.
The hackers sent out a “phishing” email to BU faculty members posing as Internet security officials in order to solicit the usernames and passwords of those employees, said BU Information & Technology Services Executive Director of Information Security Quinn Shamblin.
“The [phishing email] message is designed to take advantage of legitimate security efforts,” Shamblin said. “We saw some of those messages coming in over the weekend with the bad guys trying again.”
BU affiliates received an email from the IT Help Center Sunday notifying the university community about the suspicious emails.
Earlier in January, hackers changed bank account information for 10 university employees, preventing the employees from accessing their paychecks, said Boston University Police Department Detective Peter DiDomenica.
“It started out with one suspicious incident of someone’s payroll check going into another account,” DiDomenica said. “And then through an audit of all the payroll records here, it was determined that there was a series of these fraudulent diversions of payroll checks based on a theory of someone going into each individual’s payroll account and changing the designated account where the money should go.”
The method used by the hackers, known as “phishing,” involves a hacker posing as a legitimate entity in order to lure confidential information from a user, said BU professor of computer science Ran Canetti.
“Phishing is a way to fool somebody into interacting with some entity over the web that they trust, usually by way of making a screen that appears to be coming from a legitimate source or a source that is known to the victim, but actually, they come from somewhere else,” Canetti said. “The main reason that this works is that people are not careful enough to look at the important parts of what they see on the browser to see whether things are legitimate or not.”
Overall, 78 employees received an email from hackers, DiDomenica said.
“People responded to one of these phishing emails and thought they were updating their BU employee accounts,” DiDomenica said. “They were basically giving away their passwords, and once they were obtained, their accounts were changed and their paychecks went off into other banks.”
Because the paychecks were transferred to various banks across the United States as well as some in Africa, the incident qualifies as an international investigation under the jurisdiction of the Federal Bureau of Investigation, DiDomenica said.
“The funds were diverted to banks all across the country,” DiDomenica said. “The IP addresses that were used to make the changes in the employees’ accounts are from all over the country and other countries. There’s some from Africa. It’s international in scope. This is a federal investigation, so our job is to assist the FBI with their investigation.”
BU IT officials are currently attempting to trace the source of the phishing as well as find ways to block any future infiltration, Shamblin said.
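Blocking future infiltration on the payroll side also means detecting the pattern the investigation describes: deposit-account changes made from locations an employee does not normally log in from, and several employees' pay redirected to the same destination within a short window. The following Python is an added example, not BU's or the article's code; the audit line format, the region labels standing in for IP geolocation output, and the USUAL_REGION table are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the employee's usual login region, derived from prior sign-ins.
USUAL_REGION = {"alice": "US-MA", "bob": "US-MA", "carol": "US-MA", "dave": "US-MA"}

# Constructed audit lines: time|user|source_ip|geo_region|new_deposit_account
AUDIT_LINES = [
    "2013-01-07T09:12:00|alice|192.0.2.10|US-MA|ACCT-1001",  # ordinary self-service change
    "2013-01-08T02:41:00|bob|198.51.100.7|US-CA|ACCT-9001",  # out-of-region login
    "2013-01-08T03:05:00|carol|203.0.113.9|ZA|ACCT-9001",    # foreign login, same destination
    "2013-01-09T11:30:00|dave|192.0.2.44|US-MA|ACCT-9001",   # in-region, but destination reused
]


def parse_line(line):
    """Split one constructed audit line into a dict with a parsed timestamp."""
    ts, user, ip, region, account = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "ip": ip, "region": region, "account": account}


def flag_deposit_changes(lines, usual_region, window_hours=72):
    """Return {user: sorted reasons} for deposit changes that merit a manual check."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    reasons = defaultdict(set)
    window = timedelta(hours=window_hours)
    # Rule 1: the change came from a region the employee does not normally use.
    for e in events:
        if e["region"] != usual_region.get(e["user"]):
            reasons[e["user"]].add("region_mismatch")
    # Rule 2: more than one employee redirected pay to the same account in the window.
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)
    for evs in by_account.values():
        for e in evs:
            if any(p["user"] != e["user"] and abs(p["ts"] - e["ts"]) <= window for p in evs):
                reasons[e["user"]].add("shared_destination")
    return {u: sorted(r) for u, r in reasons.items()}


if __name__ == "__main__":
    for user, why in flag_deposit_changes(AUDIT_LINES, USUAL_REGION).items():
        print(user, why)
```

Either rule alone would have raised bob and carol; the shared-destination rule is what also catches dave, whose change looks normal on its own.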
The best way of avoiding phishing is to check for specific labels of legitimacy when engaging in an online solicitation, Canetti said.
“There are generally rules of thumb that you should follow in order to avoid phishing attacks,” Canetti said. “Be wary of any online solicitations, even if they look legitimate … Look for the green lock at the top of your browser. This is how your browser tells you that you’re really talking to the right entity.”