Security Alerts
February 20, 2008
Phishing email attack steals passwords
Summary
Stanford users are being subjected to an ongoing "phishing" attack through email messages that ask users to reply with their SUNet account credentials and other personal information.What To Do
Do not reply to any message that asks for account credentials. If you have already replied to such a message, change your SUNet password as soon as possible.Background
Over the holiday weekend (2/15-2/18) many Stanford email users began receiving fraudulent messages asking them to verify their email accounts by replying with account details, including passwords. These messages do not come from Stanford. Their "Reply-To" addresses are anonymous accounts in non-Stanford domains such as "live.com", "gmail.com", and "googlemail.com".
If you receive messages asking for account passwords, please DO NOT REPLY. Neither Stanford nor any other reputable business or institution would ask for your password via email.
These messages are a "phishing" scam, used to trick the unwary into giving their account credentials to an anonymous attacker who then takes over the account and uses it to launch other attacks. We have had several confirmed reports of Stanford accounts being compromised by this scam.
The ITS email team began blocking these incoming messages at the central mail servers on Saturday, February 16. As a further precaution, replies to the currently known attackers' addresses are being blocked at the central servers to prevent exposing any more accounts.
Because the attackers are using anonymous accounts, they can change addresses at any time to avoid identification. ITS will continue to block new addresses as they are discovered, but it will continue to be an arms race and blocking will never be 100% effective. So be on the lookout for new variations of this scam, and remember that you should never send someone your SUNet password for any reason.
Thank you,
Stanford Information Security Office