Student loan funds threatened by clever phishing scam
In recent years, the MSUM IT department has been fighting increasing waves of spam sent to both student and staff email accounts. In early January, the battle became financially critical.
During the second week of the semester, scammers disguised as the IT department sent 900 emails to MSUM students asking them to change their StarID password through an included link. The page was incredibly realistic and mimicked the look of MSUM’s official website.
“This was a pretty sophisticated attack in the sense that the email that was sent appears to be pretty legitimate,” Chief Information Officer Daniel Heckaman said. “It basically said that the IT department over the break was doing an email upgrade and had wanted to verify the student’s account for use, and in order to do that, you needed to provide your credentials so we didn’t shut off your email. Which, that alone is sort of a red flag because we don’t shut off anybody’s email.”
According to Heckaman, about 60 students entered their information and had their accounts compromised before two waves of emails were discovered and removed. The attackers then used login credentials to enter students’ eServices accounts and reroute student payroll and financial aid overage money to a Visa gift card bank account in California.
Fortunately, the scammers made a mistake in the routing number of the bank, which caused a red flag alert to be sent to the university’s business office at 12:04 a.m. on Jan. 17. The office discovered the alert that afternoon while students were coming in voicing direct deposit routing number concerns.
“I first heard about this attack when I received an email from Dan Heckaman telling me I was a victim of the attack,” student Jonathan Walker, who was impacted by the scam, said. “I was told to just change all my passwords, check my bank account routing numbers to ensure they were correct and keep an eye on my checking account balance to make sure they are not taking money from my account.”
After a day of intense work in the business office making sure students’ funds were frozen and the false routing numbers removed, the worst of the danger had passed. However, Heckaman still had to go in and remove the two waves of spam emails from student accounts, and the IT department was on alert for a third.
“There was a second campaign that happened, and so we got on top of that. We started to track that down, and that caught a few students. And then there was a suspicion of a third campaign starting, so we kept our eyes on that,” Heckaman said.
After that, the priority was investigating how this situation happened and letting the affected students know when they should expect their overage funds.
“Ultimately the core of the message to our students was, ‘We want to make sure you get your money that you’re expecting and make sure we’re not giving it to somebody else; we want to give it to you.’”
Finally, on Jan. 19, Heckaman released an official statement to the MSUM community, writing, “Earlier this week, a small number of student StarID accounts were impacted by a well-designed phishing attack. This issue is nearly resolved for all students involved, (sic) however it has created a fair amount of confusion and concern that all of us should be aware of.” He went on to name several ways for students to be vigilant in their digital accounts.
The statement did not include numerous details of the attack, including the subject line and content of the phishing message, the exact number of students targeted and victimized, what information the attackers were looking to acquire or what the university was planning to do about future attacks—a very likely reality.
“I am very concerned about being targeted for another attack,” Walker said. “I do not like having my checking account info out there.”
By design, scam attacks are cyclical and revolve around the academic calendar. For instance, other Minnesota State universities, including St. Cloud State University and Minnesota State University Mankato, have dealt with very similar spam attacks at the beginning and end of the semester. In this attack as well, multiple universities were targeted.
“I know there’s resources put at (the attack) right now (by Minnesota State), partly because this particular attack didn’t just affect our campus; it affected others within our system,” Heckaman said. “And so, sometimes misery loves company. That draws attention to the system office as well to make more global system changes when they know it affects a broader group of campuses, not just one. So in some ways that’s helpful. As painful as it is, it’s helpful to get the attention and get things cleaned up.”
Students’ loan disbursements ended up being released on Jan. 22, either via direct deposit for most students or via check for those whose information was tampered with. For Walker, it has been a lesson in trust with the university, and one he is not keen to repeat.
“Yes, it alters my view,” Walker said. “I do not trust the MSUM webpage to keep my information safe. I hate having my banking information on it.”
The university has started working with the Minnesota State system to develop additional security measures for students logging in to their accounts. Currently, Minnesota State is developing a two-factor authentication system similar to those used by banks. This requires users to enter something beyond a username and password to log in to an account.
“We’ve been working with the system office who controls the eServices system to work to build in a two-factor authentication mechanism which would probably mitigate—it’s hard to say that it would mitigate all the issues—but it certainly would’ve insulated the students who provided their StarID and password. The hackers would still need another piece of information that wasn’t provided.”
Minnesota State is also issuing a new service it has dubbed the “Internet Guardian.” The service, set to launch on Monday, shows up as an error-style screen warning viewers that they were blocked from visiting a malicious website through a phishing link or other false connection. So far, the service is available only on campus computers and computers connected to the university’s internet. A second phase of the project is apparently aimed at spreading the Internet Guardian to students’ computers even off-campus. Still, Walker is not impressed with the system’s security so far.
“MSUM really needs to secure their webpage if they expect us to have confidential information on it,” Walker said.
This is a developing story, and we hope to hear from more students impacted by the attack. If you or someone you know was a victim of the phishing attack, contact us @MSUMAdvocate on social media or by emailing email@example.com.