Scam emails from compromised CSU accounts attack campus inboxes

Samantha Ye

Students and staff beware: a fresh wave of fraudulent emails have struck Colorado State University inboxes.

Offers of fake jobs, faculty opportunities and demands to sign a digital document have popped up in higher volumes than usual this semester, with many coming from compromised CSU email addresses.

Ad

The number of attacks in the past week, while not unusual, has come in at rates several times higher than the normal “background noise” level, said Steve Lovaas, CSU information security officer.

Part of the reason is the time of the year. A start of a new semester means most everyone has new schedules and some people may be new to campus.

“(The attackers) are counting on a few people not knowing for sure whether they should click or not and going ahead and saying ‘OK, I’ll click on this and do what they ask,’” Lovaas said.

The start of last fall semester also saw a number of attacks aimed at getting access to student’s RamWeb accounts.

“Email scams are not uncommon, and these scams are not necessarily singling out CSU,” CSU Police Department detective Jason Dobbins wrote in an email to The Collegian.

Scams come in many forms but all have the same end goal of obtaining someone’s personal information or objects of value. While scammers are becoming increasingly creative in their attacks, you can still look for telltale signs such as unusual demands for money, Dobbins wrote. Scams are often high pressure and often involve threats or unbelievably good opportunities.

Recent attacks have leaned more toward scams like fake part-time job offers. The Career Center sent out an email at the beginning of the semester instructing students how to detect fraudulent job offers during this busy recruitment season.

screenshot of fraudulent job offer email
A questionable email recruiting for a “100% legit part time job” appeared in many students’ inboxes last week. Riddled with mechanical errors, the message promises earnings of $2000 a month working for less than three hours a week and urges students to apply through a link. Various versions of the message appeared to have been sent from different CSU email addresses.

“As students are getting ready for summer internships, getting ready for graduation, we tend to see a spike in this type of activity,” said Jon Cleveland, executive director of Career Services.

About 10 to 20 fake job listings are reported to the Career Center every year, Cleveland said.

Some are about scams which made it onto RamWeb listings, though the center has a team which screens each individual job listing, making those occurrences rare.

Ad

More commonly, fraudulent scams come from direct communication through public accounts like LinkedIn or through student emails, Cleveland said. Students’ CSU emails are available on the CSU Directory unless the student removes it themselves.

Cleveland highly recommends students check with the Career Center if they feel something is amiss with a potential job posting.

“By all means, contact the Career Center,” Cleveland said. “Students should never hesitate to reach out to us to get help with that vetting process.”

In addition, the Student Employment Services website contains a section on dealing with employment fraud.

Common signs can be if the offer is unsolicited or if it is hard to identify the employer or recruiter, as is often the case in “personal assistant” roles.  If the pay sounds too good to be true in relation to the workload, that can be another red flag, Cleveland said.

Sometimes, scammers will pretend to be associated with CSU to appear more legitimate as well. In the recent rash of scams, many came from what appeared to be CSU email addresses, and the apparent “senders” were listed on the directory.

“Once one person’s credentials are compromised, that one person’s email account can be used to spread an awful lot of phishing internally. And that can escalate pretty quickly.” -Steve Lovaas, CSU information security officer

Broadly speaking, there are two primary ways to send fraudulent emails, Lovaas explained.

The first involves forging the sender name of an email so it appears to come from an address the recipient may trust. Those emails come from external servers, and while fairly easy to fake, CSU security filters are also better at catching them.

The bulk of these recent attacks, however, have come from compromised CSU email accounts, Lovaas said. Attackers who obtain users’ login credentials through various means can send out emails as that person. Although CSU’s password length and update requirements do not lend themselves to this, breaches can still happen.

If an attacker is skilled, they can then craft more targeted, legitimate-looking attacks and convince other internal users to hand over their information.

“Once one person’s credentials are compromised, that one person’s email account can be used to spread an awful lot of phishing internally,” Lovaas said. “And that can escalate pretty quickly.”

That’s why Academic and Computer Networking Services are working “fast and furious” to resolve the security breaches, Lovaas said. This involves disabling compromised account passwords, informing owners of those accounts, and cleaning up as many suspect emails as possible from inboxes which have not yet opened them.

Those whose accounts that were breached are asked to complete a short, video-based training program about online safety.

If you receive a scam job request, several steps are available to you
1. Delete the email and move on.
2. Send the email to abuse@colostate.edu for them to evaluate.
3. Report the message to the Career Center if you are unsure of its validity.
4. Contact CSUPD at (970) 491-6425 if you feel unsafe.

CSU emails are either Office 365 or Google Suite accounts which, for attackers, means they can reach a wide target pool by subverting just one set of common filters. In light of recent attacks, ACNS is evaluating additional protections, Lovaas said, but they would not be cheap.

“Cloud-based security tools tend to be quite expensive and so it’s an exercise in prioritizing budgets,” Lovaas said.

For those who want to see if their email has been compromised, Lovaas suggests running your email through Have I Been Pwned? for a basic search.

If anyone has further questions about the security of their account, they can reach out to Lovaas at steven.lovaas@colostate.edu.

If a student receives a scam email, Lovaas said they can simply delete it. They can also forward it to abuse@colostate.edu which deals with such things and would allow them to take quick action. 

CSUPD is able to take action in response to a crime–in this case, if someone has lost funds due to a scam, Dobbins wrote. If a student has lost money, given out personal information in a scam or feels unsafe from the emails, they should contact the CSUPD at 970-491-6425.

Samantha Ye can be reached at news@collegian.com or on Twitter @samxye4.