February 9, 2016

Hackers try to gain access to CSU employees’ login info

Hundreds of Cleveland State University employees received an email on Jan. 13 from CSU System News regarding hackers trying to gain access to email and login information.

CSU System News is a classification list that includes the official email addresses of every University employee, including student employees.

Although the email indicated hackers targeted the University to try to obtain confidential information, Michael Holstein, manager of data and network security in Information Services and Technology (IS&T) at Cleveland State, calls this a “phishing” campaign.

“In a phishing attempt, an attacker attempts to convince a user to provide their credentials, typically by enticing the user to visit a forgery of a site the user is familiar with,” Holstein said in an email interview Jan. 25. “We [IS&T] do send out notices to the campus when a particular phishing attempt is particularly clever or good, but we try to strike the balance against information-overload with constant warnings.”

The email was sent to 276 unique addresses, all of which were faculty and staff at Cleveland State.

According to Holstein, attackers frequently target faculty and staff because their email addresses are public, and can be garnered on many of the University Web pages or electronic phone books.

In a sample email included in the System News email, the hackers titled the subject “Your Paperless W2,” and said the account holders must login to an employee self-service site to obtain their W-2.

Because it is tax return season, Holstein explained it was not surprising the phishing email’s subject regard W-2’s.

“The more believable the phishing email is, the more effective it will be for the attacker,” he said. “This includes using the target organization’s logo, symbols and terms, and matching their legitimate business process as much as possible.”

In the recent W-2 and 1098-T phishing attempt, a user in the HR department at Cleveland State forwarded the email to “security@csuohio.edu” because the individual found it very suspicious.

The email generated from System News also added, “[The hackers] are very convincing.” The timing was also convincing, because it was sent at a time employees would be expecting to receive their tax documents from the university.

Holstein explained that phishing emails frequently have a number of grammatical errors and other mistakes that make them readily apparent as a scam. However, this email was well written and contained terms similar to those used by Cleveland State personnel who do send out factual emails.

The IS&T department at Cleveland State does a number of things that help protect student, faculty and staff account security, such as protecting identification. But the downside to this is if a user is convinced to provide their username and password to an attacker, the IS&T department’s protection of information can become ineffective.

“While there are some technical measures which can help, users themselves are one of the most important part of system security, and we address this ‘human’ factor through training and education efforts,” Holstein said. “[IS&T] try to make security as invisible as possible, and strike the right balance with usability — security is a shared responsibility so Cleveland State employees have additional obligations both ethically and legally to safeguard student and University data.”


CSU College of Business has top Ohio online MBA program

CSU ID cards required at libraries after 8 p.m.

Hackers try to gain access to CSU employees' login info

University adopts Freedom of Expression policy

University updates mobile app to increase safety on campus

Board of Trustees convenes for first meeting of spring

'Startup Vikes' gives opportunity to entrepreneurs




Stater reporters share their videos and photographs. Visit the Image Gallery. SEE More ...



twitter link
facebook link
About Us Advertise