Hackers gained access to the University of Otago staff email
server recently and used it to send out an estimated 1.55
million spam emails in 60 hours, after tricking four staff
members into revealing their login details.
The huge volume of spam mail resulted in legitimate emails
being rejected or delayed by other systems, information
services manager Mike Harte said.
They were re-sent once the spam attack was over.
The staff members responded to "spear phish" emails which
claimed to be from the IT department and asked people to
reconfirm their user names and passwords or their email
access would be withdrawn.
Armed with login details, hackers could compromise an email
address within "a couple of hours", using it to connect to
computers outside the university and send out further phish
or spam emails.
The four staff members who revealed their passwords had not
been disciplined, he said.
"The information security office has a policy of having a
good discussion with campus users whose accounts have been
compromised . . .
"Rather than issue warnings, [we] discuss what actually
happened, why it happened, what the implications are and how
users can prevent anything similar happening again."
Staff were warned in April not to fall for the hoax emails,
after similar emails turned up at some New Zealand
universities.
That warning had now been repeated.
All staff had been told to assume any requests for their
login details were "most likely fraudulent", he said.
"To prevent falling victim to these kinds of scams, the key
message for any computer user is that they must treat all
their logins and passwords with the same care as [any other]
PIN - never give it out to any other person."