As online hackers continue to pose a risk for members of the Boston University community, employees will be barred from making changes to their accounts in order to prevent future attacks, officials said.
Because hackers have been rerouting the direct-deposit locations of faculty members’ paychecks, faculty will be temporarily unable to adjust the location of their paycheck deposits, said BU Information & Technology Services Executive Director of Information Security Quinn Shamblin.
“For the time being, we need to make sure that any change to any bank account information is legitimate change, and it’s not a change initiated by the bad guys.” Shamblin said. “The measures that we have put out, for the time being, are designed to help ensure that any requests to change this are legitimate.”
Shamblin said similar attacks have been identified at universities other than BU, prompting intervention from the Federal Bureau of Investigation.
“The FBI is involved in analyzing the scam at a national level.” Shamblin said. “Many universities are seeing the same kind of activity, and so we are working with the FBI to coordinate information services so they can take actions a little more broadly that we can right here.”
These attacks, known as “phishing,” involve imitating official university emails containing a link to a fraudulent website where users are asked to log in, effectively providing the hackers with access to their personal accounts, Shamblin said.
In January, hackers used phishing emails to obtain the account information of 10 BU employees. The hackers then changed the banking information for the accounts, so employees were unable to access their paychecks.
“Right now, we are under a series of attacks by some criminals who are attempting to steal information from BU employees by accessing the employees’ accounts,” Shamblin said. “They are then using that information to change where the paychecks are routed and what bank the paycheck goes to.”
As phishing among BU accounts has become increasingly common, the quality of the fraudulent emails has become more sophisticated than the originals, Shamblin said.
“The quality of these messages varies wildly, so some messages are relatively easy to check,” he said. “Most people looking at those messages would not believe those messages to be real and would not respond, but we are seeing messages that are of a little higher quality, a little bit better at pretending to be from BU or doing something else that makes people more likely … to click on links.”
In order to enable members of the BU community to take proper measures against future hacking attempts, Shamblin said I&TS will provide education on online fraudulent activity.
“One of the things is to improve people’s understanding of common scams so they can recognize them more effectively,” he said. “They can test messages that come in more effectively to determine whether they are fraudulent or not.”
Azer Bestavros, the director of the Hariri Institute for Computing at BU, said preventing phishing scams becomes more difficult as their level of genuineness increases.
“In the early days the content of the emails would be laughable, but right now they are more sophisticated in the way they put logos of bank accounts and things of the sort so that they hide their identity well,” Bestavros, a College of Arts and Sciences professor of computer science, said. “I do not think they are hard to prevent, it is that people have to be alert.”
Educated and alert users are more important than technical controls and protections, Bestavros said.
“If you have a home and you lock all the windows, but keep the front door open, that does not help you,” he said. “The weakest link is the easiest way an intruder is going to come through and typically that is going to be an unsuspecting user that perhaps does not take the right precautions.”