Spammers Compromise MIT Users’ Accounts Using Phishing E-Mails

Throughout March, spammers sent a wave of fraudulent e-mail messages claiming to be the “Mit Webmail team” and requesting recipients to “comfirm” their accounts by replying with their passwords. About a half-dozen people have sent their passwords to the attackers after each e-mail, said Jeffrey I. Schiller ’79, MIT Network Manager.

Victims sent their passwords to foreign locations including Hong Kong, said Schiller. Attacks in which e-mail recipients are tricked into revealing their password, called “phishing,” have hit MIT with increasing frequency. “It’s been building up to a crescendo,” Schiller said.

Some of the messages have come from MIT’s own Webmail service and from other universities’ Webmail services.

“All it takes is one person at MIT to be weak and respond to the message,” said Schiller. In an attack last Thursday, one of the compromised accounts, belonging to Shun Kanda, Senior Lecturer in the Department of Architecture, was used to send more fraudulent e-mail via Webmail.

About 20,000 people receive each wave of phishing messages, Schiller said.

Phishing “hasn’t really been an issue for us until recently,” said Schiller. MIT is not a bank or a credit card company, so compromised user accounts aren’t worth very much. But recent advancements in antispam technology have made authentic user accounts a valuable commodity. Mail sent from a college is more likely to be received than is mail sent from a compromised computer in a network of robots.

Unauthenticated e-mail — sent through MIT servers without validating a sender’s Athena credentials — is easy for spammers to abuse, Schiller said. Authenticated e-mail, in which MIT indicates that it has verified the sender has the right Athena username and password, is considered more trustworthy and is harder to send. “We try really hard to keep the spammers off” of authenticated e-mail, Schiller said.

To prevent future abuse of the Webmail system, MIT has limited the number of e-mails that a Webmail user can send to fifteen per fifteen minutes, Schiller said.
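One way to enforce the per-user send quota Schiller describes (fifteen messages per fifteen minutes), as an added example that is not MIT's own Webmail code: a sliding-window limiter keyed by username, so a burst is cut off at the fifteenth message and forgiven only once the window slides past it. The class name, the `simulate_burst` helper and the timestamps are assumptions for illustration.

```python
from collections import deque
from typing import Deque, Dict

WINDOW_SECONDS = 15 * 60   # fifteen-minute window, as described in the article
MAX_PER_WINDOW = 15        # fifteen messages per window per Webmail user


class SendRateLimiter:
    """Sliding-window per-user limit on outbound Webmail sends (hypothetical)."""

    def __init__(self, max_per_window: int = MAX_PER_WINDOW,
                 window_seconds: int = WINDOW_SECONDS) -> None:
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        # per-user queue of send timestamps (seconds), oldest first
        self._sends: Dict[str, Deque[float]] = {}

    def allow(self, user: str, now: float) -> bool:
        """Return True if `user` may send at time `now`, recording the send.

        Timestamps older than the trailing window are dropped first, so a
        compromised account that has been throttled regains its quota only
        as its earlier sends age out.
        """
        q = self._sends.setdefault(user, deque())
        cutoff = now - self.window_seconds
        while q and q[0] <= cutoff:
            q.popleft()
        if len(q) >= self.max_per_window:
            return False           # over quota: reject without recording
        q.append(now)
        return True


def simulate_burst(limiter: SendRateLimiter, user: str, start: float,
                   count: int, spacing: float = 1.0) -> int:
    """Attempt `count` sends `spacing` seconds apart; return how many pass."""
    return sum(limiter.allow(user, start + i * spacing) for i in range(count))


if __name__ == "__main__":
    lim = SendRateLimiter()
    # constructed scenario: a hijacked account tries to blast 40 messages
    print("allowed in burst:", simulate_burst(lim, "victim", 0.0, 40))  # 15
    print("allowed at t=899s:", lim.allow("victim", 899.0))            # False
    print("allowed at t=900s:", lim.allow("victim", 900.0))            # True
```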

Spam sent from MIT servers has been a perennial problem. In 2003, AOL blocked all e-mail from MIT for five days. AOL eventually agreed to accept all e-mail from MIT, provided that MIT first check each message for spam content.

Other Internet service providers have periodically blocked MIT e-mail, with access usually restored within a few days.

Schiller said that MIT’s Information Services and Technology is working to fight spam. And, he said, we “will never, never, never, never ask you for your password.”

Michael McGraw-Herdeg contributed to the reporting of this article.