Recently, three Smithsonian email accounts were compromised. An outside organization or individual learned the account names and passwords for those accounts and then used those accounts to send spam. Lots of it. As a result, many organizations and businesses temporarily stopped accepting email from the Smithsonian. This is a common practice that prevents an email system from being overwhelmed by automated emails coming from a single source, like si.edu. Emails to some outside organizations are being returned. It may take until the end of the week before all organizations will accept email from us again.
The lesson from this is that a computer security lapse from a few individual users can have a significant impact on SI-wide operations. While only three Smithsonian email accounts were compromised in this attack, possibly hundreds of staff were affected by the results.
The Office of the Chief Information Officer is monitoring email traffic volume in an effort to prevent this from happening again.
No matter how good the monitoring or how quickly OCIO acts to stop spam, the best way to avoid this problem is prevention. This means all of us have to follow good IT security practices. Even though you may already be familiar with these precautions, please take a few moments to review them.
What to Look For
- Fake communications from online financial institutions, auction services, or ISPs – These emails claim there is a “problem” with your account and request that you access a (bogus) web page to provide personal and account information.
- Fake communications from an IT Department – These emails attempt to ferret out passwords and other information phishers can use to penetrate your organization’s networks and computers. We recently had one of these sent to a Smithsonian employee, claiming to be from the “IT Staff”.
- Offers for deals on products and services that require you to enter your email address or personal information. While many of these may be legitimate, many are not. Spammers harvest legitimate email addresses this way, as well as personally identifying information.
What You Can Do to Avoid Becoming a Victim
- Don’t deliver or open email messages you see in your Quarantine Summary email unless you are expecting email from that source and know that the source itself is not malicious.
- Don’t trust unsolicited email. Be suspicious of email messages from individuals asking about personal, employee or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify the identity directly with the company.
- Do not reveal personal or financial information in email, and do not respond to email solicitations for this information.
- Don’t send sensitive information over the Internet before checking a web site’s security.
- Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net). You can hover (hold) your mouse over a link and the actual address or URL will appear. It may not be the same as what is expected. Just don’t click while you are hovering.
- Don’t click on unsolicited web links received in email messages.
- Treat email attachments with caution.
- Use common sense. When email arrives promising you big money for little effort, accusing you of violating the Patriot Act, or inviting you to join a plot to grab unclaimed funds involving persons you don’t know – think twice!
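The URL check described above (the hovered address versus the link text, a spelling variation, or a different domain ending such as .com vs. .net) can be automated. The following is an added example, not part of the original notice; the list of trusted domains is a constructed assumption for the example.

```python
from urllib.parse import urlparse

# Constructed list of domains the reader expects to reach; an assumption for this example.
TRUSTED_DOMAINS = ["si.edu", "paypal.com", "ebay.com"]


def registered_domain(host):
    """Reduce a hostname to its last two labels, e.g. 'mail.si.edu' -> 'si.edu'."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text):
    """Hostname of a URL or bare domain; '' when the text is not URL-like ('Click here')."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = urlparse(candidate).hostname or ""
    return host.lower() if "." in host and " " not in host else ""


def edit_distance(a, b):
    """Levenshtein distance; a small non-zero value flags a spelling variation."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(display_text, href):
    """Warnings for one link: display_text is what the email shows, href is the
    real target that hovering reveals. An empty list means nothing looked wrong."""
    warnings = []
    real = registered_domain(host_of(href))
    shown = registered_domain(host_of(display_text))
    if shown and shown != real:
        warnings.append(f"link text shows {shown} but it points to {real}")
    if real in TRUSTED_DOMAINS:
        return warnings
    real_name, _, real_tld = real.rpartition(".")
    for trusted in TRUSTED_DOMAINS:
        name, _, tld = trusted.rpartition(".")
        if real_name == name and real_tld != tld:
            warnings.append(f"{real} uses a different domain ending than {trusted}")
        elif 0 < edit_distance(real_name, name) <= 2:
            warnings.append(f"{real} looks like a misspelling of {trusted}")
    return warnings


if __name__ == "__main__":  # constructed sample link: text says paypal, target is paypa1
    print(check_link("www.paypal.com", "http://www.paypa1.com/login"))
```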
What to Do If You Receive Phishing Spam
- Delete the message!
- If you wish to report the spam, forward the message to SpamAdmin@si.edu for review.
- For further information on spam, please refer to the Spam FAQ.
- If you believe you might have revealed sensitive information, please contact the OCIO Help Desk at 202-633-4000 or by email at OCIOHelpDesk@SI.EDU.
Posted: 16 August 2012