Email scam hooks Carnegie Mellon University employees

Apparently high-tech schools don’t scare away high-tech thieves.

Carnegie Mellon University officials said Wednesday that a phishing email scam was at least partially successful in persuading employees to enter log-in information for what they thought was related to “Your Salary Raise Information.”

“Phishing scams are the one thing that are not a technology issue. It’s a knowledge and information issue. You need to train people not to click (on the email scams),” said Albert Whale, president and chief security officer of Pittsburgh-based IT Security Inc. “You need to educate everyone that works at your organization as a member of the security team because they are.”

According to information posted on Carnegie Mellon’s website from Mary Ann Blair, director of information security, nearly 200 CMU users received the email Saturday. A link in the email led to a well-crafted copy of the school’s log-in page. After providing their log-in information, victims were redirected to campus websites.

The attacker later used the harvested information to access the system used by employees, including work-study and some graduate students, for payroll, human resources and time-tracking information.

Carnegie Mellon officials wouldn’t say how many people fell for the scam. Blair’s letter stated that “known victim accounts, of which there were relatively few, have been secured.”

Blair said there was no evidence of data being modified.

Blair said the school posted information in December about another scam targeting higher education employees’ direct deposit payroll information.

Whale said phishing scams prey on people’s desire to benefit themselves or others. The scams work in two ways: One entices people to enter personal information, and the second installs malware on a computer once the user clicks on a link in an email.

“Everyone has an opportunity to become a victim,” Whale said. “Once they’re inside, they can sit and wait or can work on escalating privileges. Information is key at universities. There’s a bunch of vital financial information, Social Security numbers. It’s a target-rich environment.”

Bobby Kerlik is a staff writer for Trib Total Media. He can be reached at 412-320-7886 or [email protected].
