Doug Mendenhall, instructor of journalism and mass communication, checks his email every night before shutting his laptop and going to bed, not expecting any form of danger to threaten the safety of his home. However, without his knowledge, a surge of data has begun to transmit from his ACU Banner account. Thousands of data bytes of valuable information have been accessed by foreign entities. In a matter of minutes, Mendenhall’s hard-earned salary had been transferred to an out-of-state account.
“They went in and changed my direct deposit information to a bank that’s in Tennessee. I had never heard of it before,” Mendenhall said.
The hackers were quick and flawless. Before Mendenhall could realize something had gone wrong, they were in and out faster than any physical robbery.
ACU’s decision to become a more tech-savvy campus has allowed the university to provide information faster than people can keep up with. With just with the swipe of a screen or a scan of a code, anyone with a connection to the Internet is capable of feats that individuals in the 90s could only dream of. Improvement in the cyber world contributes to society, but many have begun to take advantage of its capabilities. Like the suspicious van on the corner of the street, an email with a link asking the user to step in for a moment may not be as safe as one would think.
The rise in availability of all kinds of technology at the university has put ACU on a better path toward higher education. Though the campus is a safe place with little crime, the technologically-filled campus unknowingly gave criminals a route onto campus through the internet. The threat of more hackers sneaking their way into ACU’s servers through phishing emails has caused the university to increase awareness about cyber crimes.
Rerouting Money to Out-of-State Banks
In November 2013, every ACU email account received a notice to click on a link that began an organized, cyberspace attack. After the first encounter with suspicious messages, some individuals who opened the webpage lost personal information. However, by Dec. 3, six ACU employees had their salary rerouted to two banks in Tennessee and Virginia, while a total of 17 myACU accounts had been accessed by outside users.
Mendenhall was one of the six employees who did not receive a payment to their account.
Mendenhall said the hackers went into his ACU account and changed his direct deposit information to the out-of-state bank. When he checked his banner, he saw the other bank and routing information that was not his.
The fake emails were constructed very well. Users could not tell whether it was phishers attacking or an official message. When the problem first began in November, ACU pushed for password changes across campus. Although password changes were met with some unhappy users, a periodical change in passwords helps increase security for everyone.
Kevin Roberts, vice president of planning and operations, said the next step for the university was for IT to investigate computer files.
“This is a great reminder of why it’s so important to be diligent about your passwords, that they are secure and changed routinely,” he said. “If you receive an email that seems suspicious or looks odd, don’t respond to it. Call and ask the help desk.”
According to an article by Microsoft on tips for creating a strong password, your first line of defense should comprise of:
- At least eight characters
- Does not state your user name, real name, or company name
- Does not contain a complete word
- Is different from previous passwords
- Contains uppercase and lowercase letters, numbers and a variety of symbols on the keyboard
- Lastly create acronyms of events, easy-to-remember information or sentences
For example, a strong password would look like, “M^Rii<32$ho9” from a simple sentence, “Mary loves to shop.”
Lieutenant Randy Motz from the ACUPD said the issue with the cyber-attacks is that ACU’s network was not breached in any way; The phishers simply fished people with baits who clicked the suspicious link and were sent to another location off ACU’s servers. When the user is no longer within ACU’s security, any information given at that point is unprotected.
Motz said ACUPD has collected as much information as it could and turned the case over to the FBI. They have not received any new information.
“The phishing attempt was not random,” Motz said. “A few other places in other states were attacked by the same perpetrators. It was very well-organized.”
Authorities are aware of about 30 other universities who suffered the same attack.
“It appears to be part of a much broader effort on the criminals’ part,” Roberts said.
ACU’s Defense in Depth Strategy
Arthur Brant, director of networking services, said ACU’s cyber security employs a strategy known as Defense in Depth.
“At the heart of this strategy, is the recognition that security requires multiple safe guards and these safe guards reside at various levels,” he said. “Often, this strategy utilizes the analogy of an onion, which has many layers, to best illustrate what is implied with a Defense in Depth strategy.”
The first layer consists of an overall firewall protection residing between ACU’s network and the internet connection. Similar to a gated community, only specific services and businesses are allowed through the firewall. This is seen in blocked sites that are not accessible from on-campus connection.
The second layer is host-based firewalls for individual servers on campus. In the event the primary wall was breached, this secondary fence acts as another layer of protection.
The last layer of defense is the use of unique usernames and strong passwords that can be compared to owning a faculty/student identification card.
For added security, ACU also uses anti-virus softwares, such as Sophos, to keep software, servers, files and applications updated and requires users to log into workstations.
Elevating Awareness on Campus
Chief Jimmy Ellison of the ACU Police Department said, “A number of ACU users were fooled by these phishing attempts and clicked on and followed the links, then provided their username and passwords.”
Cyber-related crimes are becoming more frequent and increasingly complex because of the Internet, he said.
ACU’s response to the phishing attempts is to continue to remind the campus that ACU would never provide a link to change passwords, but rather they would provide instructions, said Brant.
“Official communications regarding passwords will come from the Helpdesk or Team55, not system administrators or webmasters,” Brant said, “and that users should never respond to emails requesting for personal or financial information.”
ACU increased the frequency of this message and partnered with ACUPD to increase individual awareness. Each user has a role in ensuring ACU’s systems and services are secure.
Kay Reeves, executive director of information technology, said IT has communicated with ACU through emails, blogs, newsletters, computer screen pop-ups and messages at login.
“The best way to stop it is for users to be aware and not fall victim to it in the first place,” she said.
In a recent story by Optimist reporter Rachel Fritz, she listed a few things students, faculty and staff can do to not fall victim to phishing attempts.
- Official messages from ACU regarding password changes will always include instructions for making account or password changes – official ACU messages will never include a link to click on as a means of gathering or changing your information.
- Never respond to any emails requesting personal or financial information.
- Report suspicious emails by clicking on the arrow in the top right of the message (the Reply arrow drops down a menu) and choose “Report Phishing.”
- If you did click the link in this most recent phishing attempt email, and did enter your information, change your password by using the “Change your password” link on MyACU, and also contact the ACU Helpdesk to inform Information Technology that you entered your information on a phishing attempt.
- If you ever have any doubts or concerns about an email you receive, never click on any links or otherwise reply with any personal information. Contact the ACU HelpDesk for verification and assistance.
If the attackers are able to lead people away from the firewalls, stopping these phishing attempts is not an easy task. The only way to stop the hackers is to educate users about the dangers of emails requesting personal information.