By Bobby Kerlik Wednesday, Feb. 25, 2015, 11:24 p.m.
Apparently high-tech schools don't scare away high-tech thieves.
Carnegie Mellon University officials said Wednesday that a phishing email scam was at least partially successful in persuading employees to enter log-in information for what they thought was related to “Your Salary Raise Information.”
“Phishing scams are the one thing that are not a technology issue. It's a knowledge and information issue. You need to train people not to click (on the email scams),” said Albert Whale, president and chief security officer of Pittsburgh-based IT Security Inc. “You need to educate everyone that works at your organization as a member of the security team because they are.”
According to information posted on Carnegie Mellon's website from Mary Ann Blair, director of information security, nearly 200 CMU users received the email Saturday. A link in the email led to a well-crafted copy of the school's log-in page. After providing their log-in information, victims were redirected to campus websites.
The attacker later used the harvested information to access the system used by employees, including work-study and some graduate students, for payroll, human resources and time-tracking information.
Carnegie Mellon officials wouldn't say how many people fell for the scam. Blair's letter stated that “known victim accounts, of which there were relatively few, have been secured.”
Blair said there was no evidence of data being modified.
Blair said the school posted information in December about another scam targeting higher education employees' direct deposit payroll information.
Whale said phishing scams prey on people's desire to benefit themselves or others. The scams work in two ways: One entices people to enter personal information, and the second installs malware on a computer once the user clicks on a link in an email.
“Everyone has an opportunity to become a victim,” Whale said. “Once they're inside, they can sit and wait or can work on escalating privileges. Information is key at universities. There's a bunch of vital financial information, Social Security numbers. It's a target-rich environment.”
Bobby Kerlik is a staff writer for Trib Total Media. He can be reached at 412-320-7886 or firstname.lastname@example.org.