Thousands of Oxford University email addresses have been targeted by spam emails, with OxCERT (University of Oxford Network Security Team) having dealt with more than a dozen compromised Nexus accounts over the past week.
On Tuesday 22nd January, OxCERT announced, “The University was hit by an unusually large batch of phishing emails, which went to several thousand users. These were sent from a greenville.k12.sc.us address, had a subject of ‘Emergency Clean-up Needed’, and directed users to a phishing page on Google Docs.”
On Wednesday 23rd, the team said they “were dealing with no fewer than four compromises of Nexus accounts, from which spam emails were sent” but hoped the “combination of the sender rate-limiting and prompt action from multiple teams within IT Services” would allow legitimate emails to be sent to external sources. More accounts have been hacked since.
The University Computing Services alerted colleges to the issue and told students to be vigilant, fearing that more accounts will be affected.
An email to staff and students from the LMH ICT Technical Services Officer reported, “[The emails] have a sender address of Maggie.Mon[email protected] and a greeting along the lines of ‘DEAR University of Oxford EMAIL OWNER’, and directs users to a docs.google.com URL.”
Merton IT manager Steve Bowdery confirmed, “We have had a handful of users who have responded – their email accounts were abused to send a significant volume of spam.”
Thomas Yeomans, the Assistant IT Manager at Hertford College, warned students, “You may from time to time be contacted by the University, but they will NEVER request your username and password information. If you are unsure about a message the best course of action is no action. You can always contact the IT department for further help.”
The IT Manager for Oriel and Corpus Christi colleges forwarded a copy of the phishing email to students and gave tips for spotting spam emails. He noted that “many fake emails begin with a general greeting”, are sent from “an address that is obviously from someone not associated with the organisation/system” and may include “a threat that something bad will happen if you don’t act immediately.”
Keble IT manager Steve Kersley advised students to be vigilant as even if a Nexus account does not contain personal details, “contact details and personal information about you and your friends could be gathered and used for more personalised scams.” He emphasised that if the hacked email address is linked to other internet accounts with a ‘forgotten password’ feature, such as Facebook, eBay and Paypal, then scammers may also be able to gain access to those.
Kersely further advised students to ensure that junk mail features are configured correctly, computer software is regularly updated and an up-to-date antivirus software installed.
Last weekend, many students and members of staff received emails from Lashzone, a Canadian company offering to write essays for a fee. IT services confirmed that over 58,000 university email addresses were targeted.
A spokesperson commented, “Many University addresses are public and/or have been harvested by spammers from a wide range of sources, but by no means all. IT Services is investigating how the spammers in this case may have obtained the addresses but may never know for sure.”
Successful spam attacks on this scale are rare on Oxford email accounts. A spokesperson for IT services explained, “This was just one of hundreds of spam runs that hit the University each day. While extensive anti-spam defences are in place, spammers are constantly adapting their tactics to evade our countermeasures. IT Services have to balance the risks of spam attacks against the risks of disruption to legitimate email traffic. Unfortunately this means that it is inevitable that some spam will get through the defences.” Regarding the most recent round of spam emails from Lashzone, the spokesperson said that he was “satisfied that reasonable technical countermeasures are in place, but these are continually reviewed in view of evolving threats.”
Lashzone describes itself as “a team of Graduate and PhD students that major in different programs” and claims to be “trying to make this painful path of brain torture a bit easier, a path that will get these poor students nowhere but to make them the future slaves of society.”
The company offers an individualised service where assignments are written by their employees in exchange for cash. In response to an inquiry on behalf of Cherwell, Lashzone offered a quote of 130 Canadian dollars (£82) for a 2000-word Politics essay.
The company attempted to recruit students to work for them, stating, “We want to localise Lashzone in every campus possible. Let’s call it franchising, but not in the usual way. We want every campus to have its own little (secret) Lashzone group that has its own writers, advertisers and customer service team.”
Cherwell contacted Lashzone for more information on this franchise scheme, but the company was unwilling to provide details, explaining, “Participants help spread the word throughout different campuses around the world, creating a web of connections between students. Their reward is protected by employee privacy policy.”
The company claimed that it has “helped more than 600 students in UK and over 7000 students worldwide” but when questioned about the legitimacy of their service, Lashzone responded, “If your question is whether we provide worthless work and expect money then no we do not do that and we would not be growing this strong across three continents if we did. And helping/tutoring students with assignments has been around since the beginning of civilisation, we do not see anything ‘illegal’ about it. Therefore the onus is on you to prove to us whether we are committing a crime or not.”