An e-mail scam hit Temple April 23, when a hacker gained access to a TUmail account and sent mass e-mails requesting that users reply with their username, password and date of birth.
“You should never give out your personal information in an e-mail,” said chief information security officer Ken Ihrer. “Temple University will never ask anyone for their password. Your password is private. I don’t need to know it, nobody needs to know it. That’s a big red flag.”
The hacker gained access to a TUmail account when a user somehow contracted malicious software. Ihrer said the hacker installed a “back door” into the computer, which allowed user credentials to be obtained.
With the TUmail account, the hacker set up an e-mail address that appeared to be legitimate and sent e-mails across the network warning users that if they did not verify accounts by sending the information, their e-mail addresses would be permanently shut down.
Ihrer and Sheri Stahler, the associate vice president of Computer Services, estimated that hundreds of e-mails were sent and that more than 75 users responded with their user names, passwords and dates of birth.
“We have gone through the process of locking all of those accounts because now the perpetrator has their credentials, and we are requiring them to reset their passwords,” Ihrer said.
According to an April 18 post from The Chronicle of Higher Education, at least 86 college campuses were recently hit by a similar phishing scam.
When this scam hit, Ihrer said Temple was in the process of setting up a new technology security initiative called TUsecure.
TUsecure will require passwords to be eight to 15 characters in length and include at least one uppercase letter, one lowercase letter and one number. Special characters will also be an option.
“In addition, there are also security questions that you are going to be mandated,” Stahler said. “So that if you do forget your password you will be asked to authenticate with those security questions, so that’s an additional measure.”
TUsecure will also ask for a user name and password for most applications.
Ihrer said they planned to unveil the new security system on June 2, but in light of the recent scam, they want to put it into effect as soon as possible.
When it goes into effect, an e-mail will be sent out requesting that everyone change their passwords. In order to continue to have access to many programs on the Temple network, users’ passwords must be changed to comply with TUsecure.
Ihrer said that attempts to hack into the Temple network occur daily, but they are seldom successful.
“In the three to four years I’ve been with Temple, I’ve only had a couple,” he said.
The e-mail scam is a federal criminal offense, Ihrer said, and the university has filed a police report.
“The problem is it did come from a West African island, and reality is probably nothing will happen. It’s very hard when you have international issues involved,” Ihrer said. “Our ultimate goal is to shut it down and keep it from happening again.”
Morgan A. Zalot can be reached at email@example.com.