A phishing attack Tuesday, labeled as a critical alert, caused several students to fall prey to scam and e-mails were delayed by almost two hours.
Technology Services Help Desk staff member, Steve Kuchta stated in a critical alert issued by Technology Services that the VCU community reported a new phishing e-mail with a link to a Web site mocked up to look like the VCU Central Authentication Service login page.
“The (e-mail) uses a fake VCU (e-mail) address, VCU WebMail (service@vcu.edu) and asks the user to click on a link to verify their account information,” Kuchta stated.
According to Kuchta, students were advised not to click on the link and to delete the e-mail message immediately. Attempts to log into the fake site sent personal eID information to an account outside the university.
The phishing e-mail scam not only impacted several VCUmail users but the major service outage affected a large number of people, according to Technology Services.
Thousands of outgoing e-mails caused an extreme bottleneck effect at the secure outbound server, causing the valid e-mail delivery to be delayed.
The Student Government Association’s Technology Director Kanwar Anand stated in an e-mail to SGA members the problem had been resolved.
According to Anand, the SGA is mandated by “Senate (21) Personal Information Protection Act of 2007-08” to work with the respective offices to prevent such an incident from happening in the future.
“We will work with Technology Services and the Office of Chief Information Security to prevent such an incident from reoccurring,” Anand stated in the e-mail.
In the critical alert, Kutcha advised students to check the link by hovering the mouse point over the link and viewing the URL (Web address) that typically is displayed at the bottom of the e-mail application before clicking a link in an e-mail that was not expected. Students unsure about the validity of the link should contact IT support for guidance.
In Tuesday’s phishing case, the URL was for a page on a site in Russia.
Students who have already attempted to log in using the fake CAS site, please contact the VCU Technology Services Help Desk immediately at 828-2227 to reset the eID password. For future reference, to verify the authentic VCU CAS page, make sure the Web address begins with https://login.vcu.edu. For more details concerning phishing scams please visit the VCU Technology Services Information Security phishing Web site at www.infosecurity.vcu.edu/phishing.