by Kiara Posey
Troy University was recently faced with a security incident affecting faculty, staff and students. Many experienced a large-scale social engineering attack, where adversaries masqueraded as Troy IT.
Users received phishing emails claiming their mailboxes had hit their quota and urging them to follow the embedded instructions. In addition, the scammers made telephone calls impersonating Troy IT, going so far as to manipulate caller IDs to show phone numbers assigned to Troy University.
Troy IT has since found the source of the scams and is taking action with a variety of resources.
“It was a very large social engineering attack against Troy University,” said William Greg Price, Troy University’s Chief Technology Officer and Chief Security Officer. “The messages had all of the hallmarks of a well-designed phishing exercise.
“It used Troy University logos, colors, and some of the language used in the messages would suggest the people who crafted the message had perhaps seen an email message from the University.”
Price wanted to applaud all of the users who received the false messages and did not fall victim to the ruse. Over 45,000 accounts are active, a majority of which are students, and only 21 users fell victim to the charade.
“Given the sophistication of the attack and the volume of messages that were being delivered, for that few of people to fall for the ruse is rather remarkable,” Price said. “It speaks highly of how aware the user base is at Troy.”
While phishing attacks are common, this particular attack was effective because the messages came from a troy.edu email address.
The essence of a social engineering attack is a bad actor trying to convince someone, through social skills or social techniques, to do something, i.e., provide usernames and passwords or financial information.
“For the most part, people are inherently trusting of others,” Price said. “Whether a person is trying to socially engineer them over the telephone, via email, or in person, a lot of people will believe what they are hearing or what they are reading.”
The most common motivation for scammers trying to gain access to user credentials is financial. Or they may be trying to gain access to extend their social engineering attacks to another entity, which is what happened to Troy University.
“The group that started the activity against Troy had compromised another university in the northern part of the state of Alabama,” Price said. “Some of the handful of people who were victimized early on in the attack believed they had received messages from another university.”
Price said there are three main ways to spot faulty messages.
The first is a sense of urgency in the messages. Secondly, the messages are not composed correctly. In this instance, the graphics may be incorrect, or the sender email address may be misspelled. Lastly, a multitude of grammatical errors is an indication that the message is a social engineering attack.
“Those three things are easy ways to detect that there is something not quite right with the email message,” Price said.
Troy University Police were made aware of several attempts to scam family members of students. Reports indicate that an unknown subject claiming to be a TUPD Officer is calling family members stating that their family member has been arrested. The subject has requested money via a mobile cash app in exchange for the release of the student.
If you are contacted by anyone who claims to be a TUPD Officer and is requesting money, DO NOT transfer any funds. Immediately notify Troy University Police or your local police department.