The School of Arts and Sciences has seen a "drastic drop" in the number of student e-mail accounts compromised by a wave of spam messages that targeted Penn students' inboxes this summer, university officials said this week.

In late July and early August a round of spam e-mail attacks - known as phishing scams - that mimicked official University messages were sent out to students. Their goal was to obtain private account information and passwords from users.

The messages affected users on all "upenn.edu" accounts. From different senders with different subject lines - such as "Help Desk Notice" or "Message from Upenn.Edu" - they asked users to reply with their account numbers, passwords and other personal data in order to upgrade the e-mail system or verify user activities. Most messages warn that users who do not reply will have their accounts closed.

Information Systems and Computing vice president Robin Beck said Penn and other legitimate organizations never ask for personal information over the Internet. School of Arts and Sciences vice dean of administration and finance Ramin Sedehi stressed that students should never give out their passwords.

"When someone is asking for your personal information, that should send up a red flag," Beck said.

Spam occurs in surges at universities nationwide, but this wave was especially sophisticated because it is customized, increasing the likelihood that people will fall for the ploy, Sedehi added.

Chris Mustazza, director of student-oriented technology, said the decline in successfully compromised accounts - instances where users disclosed their passwords - was a result of efforts to raise awareness about the attacks.

When ISC found out about the attacks, it notified administrators of Penn's e-mail systems so they could warn users. ISC's Web site also features a warning and safety tips. Sedehi said SAS decided against a mass e-mail because users might interpret it as more spam. Instead, "[Warning: Never Send Your Password to Anyone]" appeared in the subject line of any e-mail with "password" in its body. The messages were recently taken down as the number of attacks decreased.

College junior Tanvi Rastogi, who received three to six spam messages a day, said she immediately identified them as ploys because of awkward syntax and improper punctuation.

Sedehi said the messages are impossible to track because they seem to come from Penn's system. There are no exact numbers on how many users have responded, but "all it takes is one" for the scam to propagate, he said.

Once inside an account, spammers can alter content and send messages on the user's behalf - they look more authentic because they use the user's contacts and mimic previously sent content. Phishing is also a precursor to identity theft because it provides detailed information about the user.

Beck said Penn's spam filters are not yet advanced enough to catch these types of phishing scams because the forged addresses are interpreted as legitimate.

"All we can do is keep getting smarter," he said. "If no one ever gives their password, these scams don't work."

- Campus News Editor Rebecca Kaplan contributed to this article.