Payday didn't go as planned on January 2, 2014, for some Boston University employees. On that day, about a dozen faculty members discovered their paychecks hadn’t been deposited into their bank accounts. Thieves had changed the victims’ direct deposit information and rerouted their pay. BU's IT security team traced the attack to a phishing email sent to 160 people at the university. The email – which prompted BU faculty to click on a link and confirm their log-in details – led to the compromise of 33 accounts. Thirteen faculty members had their paychecks stolen.
The phishing scam used BU's logo, had believable formatting, and was well written, said Quinn Shamblin, executive director and information security officer at Boston University. The message purported to be from the school's IT security office, and contained specific technical information. The only signs it was a fake were a misnamed IT organization and a misleading URL that wasn’t really a BU address.
“Most standard phishing messages have some kind of easy tell – bad English, not formatted very well, etcetera. This one was excellent,” said Shamblin, who spoke at the Security Professionals Conference, an event put on by Educause in Minneapolis. “This fooled 33 very smart people.”
After BU warned faculty and staff of the paycheck heist, the attackers send another phishing attempt that played off BU’s warning and directed recipients to another bogus site. “The folks who sent the original message were actively watching us,” Shamblin said. “They coopted my authority for a second attack on my people.”
That attack went to a greater number of targets and a great number responded. “But we were watching the back end,” Shamblin said. “We had developed some indicators of compromise specifically related to this kind of attack, and so nobody got their paycheck rerouted this time. But they definitely gave it a second good shot.”
To continue reading this article register now