Over the last two months OxCERT have been inundated with compromised University accounts being used to send spam. So how are so many accounts being abused, what are the risks, and what is the cost to the University?
Let’s deal with the how first. It appears that the vast majority of the accounts we see abused for spamming purposes are compromised because users have replied to phishing emails or filled in phishing forms. What is rather depressing is that in about 99% of these cases the attackers have gone to little effort to masquerade as genuine University services. Sadly it seems that users are more than willing to enter their credentials into any old random web form, or to reply to any email that asks them for their password. The other prime suspects are key-logging malware such as Zeus or, perhaps, compromised websites where University members have registered for some third party service using the same password and email address. It certainly seems pretty plausible that users who enter their Oxford SSO password via some Internet cafe, hotel room or other untrusted device around the globe may fall victim to having their account accessed by the bad guys.
What about the risks associated with phishing? For the University as a whole, compromised accounts – at best – don’t look good, and spam runs could have an adverse effect on the reputation of the University. More importantly, they could lead to University mail servers being blacklisted, which would have a knock-on effect on all other users of the service. In fact, University users were unable to email users of a major service provider for several days as a result of one recent incident. Additionally, the users in question can (and do) have their important emails read and deleted, they can be inundated with bounces and replies (causing a denial of service) and, of course, they will have their account disabled until the incident has been dealt with. This can sometimes be a considerable period of time, particularly if users are in the far corners of the globe.
Perhaps the most immediate impact to the University, however, is the cost associated with dealing with phish. Last year, following a spamming incident, OxCERT calculated that the time spent dealing with spammers in OUCS amounted to approximately 24 hours per incident. That is at least 3 working days of one person, and doesn’t take into account costs incurred by local IT support staff (ITSS), costs to the user, or other potential costs which are harder to put a figure on. Placing a monetary value on staff time is difficult, especially if the staff are being employed anyway – there is no direct additional cost to the University. However, working on the basis of a mid-point grade 7 employee, that probably works out at around £360 per phish. Not much then? But given that OxCERT have dealt with around 20 spammers in the last 2 months, that is approximately £3600 a month. Admittedly that is more spammers than we dealt with in the entire previous 10 months put together, but that may be because we have started looking more closely recently. Either way, if this trend continues that is about £43,000 per year. That’s easily one full time employee dealing purely with Oxford accounts being used for spam. It’s perhaps also worth bearing in mind that these costs (while only a very rough estimate) don’t take overheads into consideration, or (as mentioned) the time of local ITSS. Neither do they take into consideration incidents where compromised accounts are used to access journals or databases worth thousands, and sometimes tens of thousands, of pounds.
If you were looking at this from the point of view of risk, where Risk = Asset Value (or Cost) * Vulnerability * Threat, then it would certainly seem something worth trying to mitigate. Given the costs involved, the vulnerability of users to handing out their SSO credentials, and the fact that we get phishing attempts reported to us every week, it seems like a high risk to the University. But what can be done? OxCERT, of course, already take mitigating action where possible. We can block links to certain phishing forms, prevent e-mail from getting to certain email addresses, etc. But that only works when users are on the University network. There are also some forms which are more difficult to block (I don’t think we’d be too popular if we sink-holed spreadsheets.google.com, for example) and service providers can sometimes be slow in taking down phishing sites. We do have detective and reactive controls in place in order to spot spammers quickly and significantly lessen the impact on the University, and we blocked in the region of 700 machines, which were infected with key-logging malware, over the last 12 months. Whilst I’m sure not all of these would have been used to send spam, I have no doubt that some of them would.
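As an added illustration of the kind of detective control mentioned above (this is not OxCERT’s own tooling, and the log format, thresholds, usernames and addresses are all assumptions), here is a small Python script that reads authenticated-submission log lines and flags accounts whose recent behaviour looks like a spam run: an unusually large number of recipients within a short window, or logins from many different client addresses in that same window, which is what you would expect when stolen credentials are being used from around the globe.

```python
"""Toy detective control for spotting a compromised mail account used for spam.

Added illustration only, not OxCERT's real tooling. It assumes a hypothetical
authenticated-SMTP submission log with one line per accepted message:

    <ISO timestamp> user=<sso-username> ip=<client ip> rcpts=<recipient count>

Two heuristics are evaluated per account over a sliding time window:
  * "volume":  more than MAX_RCPTS recipients addressed within WINDOW
  * "roaming": more than MAX_IPS distinct client IPs seen within WINDOW
Thresholds are illustrative and would need tuning against real traffic
(legitimate mailing-list senders, for instance, send to many recipients).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) rcpts=(?P<rcpts>\d+)$"
)

WINDOW = timedelta(hours=1)   # assumed sliding window
MAX_RCPTS = 200               # assumed recipient threshold per window
MAX_IPS = 3                   # assumed distinct-IP threshold per window


def parse_line(line):
    """Parse one log line into a dict, or return None for unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "user": m["user"],
        "ip": m["ip"],
        "rcpts": int(m["rcpts"]),
    }


def find_suspect_accounts(lines, window=WINDOW, max_rcpts=MAX_RCPTS, max_ips=MAX_IPS):
    """Return {user: set(reasons)} for accounts that trip a heuristic.

    Lines are processed in the order given, as they would be read from a log
    file, so events are assumed to be chronological.
    """
    recent = defaultdict(deque)   # user -> events still inside the window
    suspects = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                # skip malformed lines rather than crash
        q = recent[ev["user"]]
        q.append(ev)
        # Expire events older than the window relative to the newest one
        while q and ev["ts"] - q[0]["ts"] > window:
            q.popleft()
        total_rcpts = sum(e["rcpts"] for e in q)
        distinct_ips = {e["ip"] for e in q}
        if total_rcpts > max_rcpts:
            suspects[ev["user"]].add("volume")
        if len(distinct_ips) > max_ips:
            suspects[ev["user"]].add("roaming")
    return dict(suspects)


def summarise(lines):
    """Sorted (user, [reasons]) pairs, convenient for a daily report."""
    return [(u, sorted(r)) for u, r in sorted(find_suspect_accounts(lines).items())]


# Constructed sample log (RFC 5737 documentation addresses, made-up usernames):
# abcd0001 is a normal user, ijkl0003 sends one large but legitimate message,
# efgh0002 shows a burst of large sends from five different addresses.
SAMPLE_LOG = """\
2012-03-01T09:00:00 user=abcd0001 ip=192.0.2.10 rcpts=2
2012-03-01T09:05:00 user=efgh0002 ip=203.0.113.5 rcpts=50
2012-03-01T09:06:00 user=efgh0002 ip=198.51.100.7 rcpts=50
2012-03-01T09:07:00 user=efgh0002 ip=192.0.2.9 rcpts=50
2012-03-01T09:08:00 user=efgh0002 ip=203.0.113.44 rcpts=50
2012-03-01T09:09:00 user=efgh0002 ip=198.51.100.21 rcpts=50
2012-03-01T09:30:00 user=abcd0001 ip=192.0.2.10 rcpts=1
2012-03-01T10:00:00 user=ijkl0003 ip=192.0.2.22 rcpts=150
2012-03-01T14:00:00 user=abcd0001 ip=192.0.2.10 rcpts=3
this line is deliberately malformed and should be ignored
""".splitlines()

if __name__ == "__main__":
    for user, reasons in summarise(SAMPLE_LOG):
        print(f"{user}: {', '.join(reasons)}")
```

Run against the constructed sample, only efgh0002 is reported, for both reasons; the single 150-recipient message from ijkl0003 stays under the threshold, which is the kind of false-positive trade-off any such control has to make. In practice you would feed it the submission server’s real logs and have it page whoever is on the OxCERT rota so the account can be disabled before a blacklisting happens.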
Yet despite all of these measures, this is a problem which is still costing the University time and money. Surely the real question has to be how we can prevent this from happening in the first place and how we can get users to question the legitimacy of emails they receive and sites they visit. These are not new questions and are not easy to answer. I know the vast majority of ITSS do their bit to educate users but is there more we can do? I don’t have all of the answers, but would love to hear the thoughts and views of Oxford ITSS on this issue. Can more be done to educate our users and make them aware of the impact of their actions – both on themselves and on the University as a whole?