Recent instances of cyber attacks at Université de Moncton have raised questions regarding server security and identity theft on campus. On March 2, the U de M community received the ninth email in a malicious string of messages that started the previous week and included revealing images of a female student.
The university’s IT department reported that cases of this nature are part of an ongoing problem that is not limited to U de M.
André Lee, U de M’s general director of technologies, said cyber attacks are a constant threat to universities across North America. “This is something that all institutions are vulnerable to, not only education institutions. It’s a public security matter,” Lee said at a press conference.
The Mount Allison community is not immune to cyber attacks. These threats often occur as phishing scams, online attempts to acquire sensitive information by imitating a trustworthy entity. While the Mt. A Computer Services Department (CSD) works to filter unwanted or malicious emails, several dozen students have been victims of phishing scams this academic year.
These scams often resemble emails from reliable companies and individuals. At Mt. A, they sometimes claim to be from “HelpDesk,” “mta.ca support” or “mta.ca.team.” The emails usually state a fraudulent threat to the account and ask students to click on a link or provide personal information, such as a username, password and credit card number. Successful scams can result in account takeovers and identity fraud.
Fourth-year student Savannah Harris realized her student email account was compromised after not receiving any emails for a few days in January. When Harris contacted the CSD, they informed her that all her emails were being redirected to an external account.
“I just wasn’t getting emails for a few days,” Harris said. “I went to the [CSD’s] Help Desk to see what was up and they told me that somebody had hacked into my account and put a forward on email – so they were getting all my emails.”
Harris said the CSD was able to reset her account and password within a few hours of being informed of the situation. Harris was notified that she must have clicked on a link or jeopardized her account information in some way, but she has no recollection of this.
Robert Hiscock, Mt. A’s director of marketing and communications, said the majority of the cyber threats directed at the Mt. A community operate as nuisances and account disruptions, but a small percentage are criminal or malicious in nature. Hiscock also noted that phishing scams can operate as a form of identity theft, when an account is taken over and used to send emails unbeknownst to the account’s original owner.
“If someone was able to get your username and password, they could act like you, so that’s why we try to track these things and make sure there are no breaches,” Hiscock said. “If there are, you have to take them seriously.”
According to Hiscock, if the CSD discovers a compromised account, they will confirm the identity of the owner and reset the account. This process sometimes requires shutting down the account for a couple of days.
Jenna Gaudet, who graduated in 2015, recently had her Mt. A email account compromised. Gaudet signed onto her account, which she has continued to use after graduating, and found over 2,000 failed messages that had been returned to her inbox overnight.
“Some company called ‘Chase Online’ had sent a mass email to thousands of recipients, using my email address as a ghost address so the ‘customers’ could not reply,” Gaudet wrote in an email to the Argosy. “For any email address that was invalid, the failed delivery message bounced back into my inbox. There was nothing in my ‘sent’ folder. Just a couple thousand unwelcome messages, and one reply from an actual recipient saying they do not have a Chase account.”
Gaudet said the Help Desk, a component of the CSD, quickly responded to her complaint when she informed them of the mass emails, but the Help Desk could only instruct her to change her password and was unable to immediately stop the influx of failed messages. Although the emails eventually stopped arriving in her inbox, Gaudet has stopped using her Mt. A account.
Hiscock said the CSD is trying to be proactive in response to the recent cyber attacks at U de M. “We’ve strengthened our filters and reviewed all of that since this story broke, and I know they are examining places where one can find emails,” he said.
Along with investigating the security of campus email directories, of which the student directory is currently password-protected, Hiscock said the CSD is also planning to implement new password requirements that will avoid patterns and predictability.
If Mt. A account owners receive any emails with questionable origins, the CSD encourages them to delete the email or contact the Helpdesk for verification, but to avoid clicking on links and refrain from providing personal information.
“I think students can have a proactive role here,” Hiscock said. “Don’t just assume that everything is as it seems because you see [that] Mt. A Helpdesk wants you to click on a link.”