There has been a recent increase in cyber attacks, known as phishing, at Clemson University. Clemson Computing & Information Technology (CCIT) has reacted to these phishing scams by adding additional countermeasures to their security.
Michael Belanger, Help Desk Manager at CCIT, said, “Phishing has been a growing issue for a while now, but there are several things we are doing to address the problem.”
The main addition designed to counter the attacks is a two factor authentication system, or a 2FA system. Two-factor authentication requires something you know (your password) and something you have (your phone). It will essentially follow up login attempts to a system by requiring verification on your phone.
“Even if someone tricks you into giving up your password, they still don’t have your phone so they can’t access your account if it’s protected by 2FA,” Belanger said.
Beginning Tuesday, Feb. 21, all Clemson users can enroll in Duo Security, the University’s provider of 2FA. Campus systems will then start requiring a 2FA through Duo beginning with the campus’ Virtual Private Network (VPN) on March 7.
While the addition of 2FA in the process, a more recent change has already been made by CCIT including an overhaul of the login page, which occurred on Feb. 14.
In the last several weeks, students felt the effects of phishing more directly when an email supposedly from President Clements was sent out containing a PDF designed to get users’ information.
Belanger said he believes universities are especially vulnerable to being targeted by phishing scams.
“Universities contain a vast wealth of resources available to users. A single account can grant access to research resources, financial resources or computing resources to launch additional attacks.”
The US accounts for 81 percent of all phishing attacks and hosts 59 percent of all phishing sites. Similar types of cyber attacks have taken place in the recent past such as the infamous Nigerian Prince scam. The “Nigerian Prince” managed to scam people out of $9.387 billion in 2009 and it was estimated that out of every 1000 emails sent, 10 people would respond and at least one person would send money.
Unfortunately, phishing emails have moved away from the bad grammar and spelling common to the early scams. They frequently look legitimate, and as if they are from the correct person.
Dr. Richard Brooks, a professor of Electrical and Computer Engineering whose projects in network security have been funded by the National Science Foundation (NSF), Department of Energy (DoE) and the State Department, said this more advanced method is known as spear phishing – “usually email is unencrypted so someone with a phishing scam will just watch the traffic before targeting a specific person.”
Brooks said he also believes that more should be done in general to combat cyber attacks.
“2FA is a step in the right direction, but unfortunately there’s a limit to having a security system based around passwords.”
He was critical of how many counter-measures treat users as well.
“Often times, counter systems will still blame the user, but these phishing scams are getting so much more sophisticated,” he said. “With the Clements email, I believed that it was from him and was going along up until it wanted my information in the PDF.”
His recommendation to anyone is “to be skeptical of your emails” and to “avoid clicking on links in emails as often as you can.”
Belanger offers another approach, since, “Knowing what to look for in the first place is the hardest part.” He is working on a project to teach students what to look for. In the meantime, he emphasizes that if students feel that they have fallen for a phishing scam, they should “change their password and contact us [CCIT] immediately.”
For more information on the CCIT system updates, you can go to http://ccit.clemson.edu/news/safe-computing-update/