Australian universities targeted in identity stealing phishing campaign

The purpose of the hoax was to obtain email and username details from university student and staff email accounts, warned Auscert.

'VERIFY YOUR XXXXXX.EDU EMAIL ACCOUNT NOW !!!' was the subject of the hoax email which dupes victims into thinking their account needs updating.

The body of the email requested recipients disclose their personal information including their username, email password, date of birth and country or Territory.

Reacting to the Auscert advisory, the University of Technology, Sydney (UTS) sent a warning email to its students and staff.

"We thought we'd send that out as a warning just in case. It was right when new students were coming in and initiating their accounts," said
Peter James from the UTS Information Technology Division. "It was a straight warning just internal for our policy."

The email said: "This is a hoax message from outside the University designed to deceive recipients into providing user identification and password information."

“The University will never request personal identifying details or passwords via email. Please do not respond to this or any similar message requesting confidential information without verifying the source."

"There was no attack, and has been no attack to [UTS]," said James.

Commenting on the phishing campaign, Adam Biviano, premium services manager, at Trend Micro said that criminals are targeting any organisation that offers online services with the potential of stealing student identities and confidential information belonging to the university.

“Beyond the log-in page, criminals could access a student's full name, gender, birth date, phone contacts, citizen status, email address, next of kin, past university results and future study plans, financial invoices and HECS details,” said Biviano.

“Once students have their credentials stolen, criminals have access to a wealth of data behind that login screen. Personal information, test scores and other details which can identify the student become public domain. Students are then potential victims of identity theft, leaving them open to having credit ratings tarnished and being perused by creditors for loans they never acquired.”

For thousands of new students unfamiliar with university protocol, this would not seem like an unusual request, added Biviano.

australiancampaignidentityinphishingsecuritytargeteduniversities