Campus Announcements

Phishing updates from CITES Security

4/3/2013  10:30 am

Updated April 8, 2013

Dear Colleagues,

I write to update you on the problems we have been having with campus email.

As of Friday, we have been taken off all blacklists.  This means that you should not have any problem sending email to people outside of the campus email system.

However, we are still not completely out of the woods yet.

In order to prevent a recurrence of these problems, it is necessary for us to take reasonable measures to ensure that we do not experience the same issues again.  The next step we must take is to block certain file attachments, since file attachments are one of the main avenues for attacks on our email system.  

Included in the list of attachments that will be blocked are any archive file formats, such as .zip files, that are password protected or encrypted. This is because our systems cannot scan compressed files that are encrypted/protected to check for malware, viruses, or phishing attempts.   Archive files that are not encrypted or password protected will not be blocked. We plan to implement blocking of specific attachment files this evening.  Filtered file types are listed on the CITES Security web site (security dot illinois dot edu).

If there is a blocked file type you need to send or receive, CITES recommends using Box to send and receive files. Box can be used to share files with people at Illinois and people not affiliated with the University. More information about this change and how to send and receive files with Box can be found on the CITES Security web site (security dot illinois dot edu).

We again thank everyone for their patience and understanding.  Please feel free to contact us with any concerns at 217-244-7000 or email: (consult at illinois dot edu). 

Sincerely,

Greg Gulick, Deputy CIO, University of Illinois Urbana/Champaign

Mike Corn, Chief Privacy & Security Officer, University of Illinois Urbana/Champaign

 

Updated April 5, 2013

As part of its continuing efforts to better protect the University from phishing emails and malware, CITES will block certain file types from being sent and received as email attachments. This change will take place on the evening of Monday, April 8.

When an attachment is blocked, a text file will be attached to the email notifying the recipient that an attachment was removed. CITES does not expect these blocks to directly impact most email users, as common formats of documents, spreadsheets, PDFs, and graphic files will not be filtered. The file type likely to cause the most impact is .zip, which is frequently used to propagate malware across networks.

If there is a filtered file you need to send or receive, CITES recommends using Box to send and receive files. Box can be used to share files with people at Illinois and people not affiliated with the University. More information about this change and how to send and receive files with Box can be found on the CITES Security web site.

 

Updated April 3, 2013

CITES is continuing to work on reducing the number of accounts compromised by phishing emails and other methods, as well as minimizing the negative effects that compromised accounts can cause.

As of 3 pm on Tuesday, April 3rd, the University of Illinois was still on Trend Micro's blacklist. This means that Illinois email messages are still being blocked when they are sent to customers and organizations that use Trend Micro's email filtering service. 

The good news is that the longer the University goes without any new incidents, the more likely it is that the University will be removed from Trend Micro's blacklist. In the last two days, the University has not experienced any new incidents that would jeopardize our chances of being removed from the blacklist.

In an effort to further improve our chances of being removed from the blacklist, CITES is contacting specific email users and requiring them to reset their passwords. More information about this particular approach can be found at: https://security.illinois.edu/content/authenticated-smtp-users-must-reset-passwords

As an added precaution, anyone with an @illinois.edu email address is encouraged to change their password to improve their account's security. Passwords can be changed by using the CITES Password Manager located at: http://passwords.cites.uiuc.edu

Finally, CITES has added extra automated reviews of outgoing email to double-check that Illinois email accounts are not being used to send spam. This extra check has helped identify compromised accounts and reduce the amount of spam sent from Illinois email addresses. However, these additional reviews of outgoing email can sometimes delay the delivery of messages. In most, though not all, cases where people have experienced delays, the delays have not exceeded 30 minutes.

Please continue to check the CITES web site for more information about the phishing attacks and the state of our email service. 

We thank you all for your understanding and your continued efforts to help keep our Illinois account information secure.

 

Note: this alert provides information that supplements the massmail sent on Friday, March 29th.

For the last week, some email sent from the campus has been rejected by other universities and private companies. In order to help us address the issue, please review the information provided here.

In recent weeks there has been an uptick in malicious email attacks that attempt to trick individuals into logging in to malicious websites, thereby collecting their login and password. Some of these "phishing" attacks were emails that used University of Illinois branding, lending an air of legitimacy to them. CITES provides extensive information about phishing attacks at http://go.illinois.edu/phishing.

Unfortunately, the attacks were able to use advanced phishing techniques to trick a number of users into revealing their University account information (NetID and password). These compromised accounts are now being used to send more spam and phishing messages, which is negatively impacting normal email communications that the campus relies upon to conduct business. Because of the increased volume of spam and phishing messages sent to off-campus email addresses (e.g. gmail.com, hotmail.com) from compromised Illinois.edu addresses, certain spam control services around the world have blacklisted all email messages that originate from Illinois.edu email servers. This means that emails sent from an Illinois.edu address to schools and companies using these spam control services will not reach their intended recipients.

In order to restore the normal delivery of email to outside organizations, CITES will be implementing a number of measures that may be visible to you. Please watch the CITES website for announcements as these measures are implemented. Once email delivery has been returned to normal, an additional announcement will be placed on the campus website as well. Even if the measures we implement are completely successful, it may still take 48-72 hours before all email delivery to third parties is returned to normal.

For time-critical communications that are currently being blocked, please consider using an alternate email address as a short-term emergency measure. If you suspect your account has been compromised, please contact the CITES Help Desk. There is no need to forward or report phishing emails you do receive; please delete them immediately.

Please be aware that the University of Illinois will never ask you to reply to an email with your password or to update account information through email.