Stanford inboxes were inundated with malicious Google Doc invitations Wednesday in a widespread phishing scam that tricked Gmail users into granting third-party access to their Google accounts, including email and contacts.
The 479 Stanford-affiliated accounts identified as compromised by the scam were only vulnerable for a short period of time, as Stanford University IT (UIT) responded promptly to reports of spam and Google largely resolved the issue within an hour of the attack by shutting down unauthorized access to the accounts, according to Michael Duff, assistant vice president and chief information security officer at Stanford.
“We have to credit Google with a remarkably fast response, and likewise, the University IT team was on top of it from the moment we received the first report,” Duff said. “A tremendous amount of activity occurred within that first hour.”
UIT first received reports of the emails at around 11:50 a.m. Wednesday morning, about 20 minutes after the first phishing emails arrived in Stanford’s system. An alert was subsequently posted on the UIT website within 20 minutes of the first reports.
Additionally, Stanford blocked certain domains involved in the scam – a step called “blackholing” commonly used to combat phishing – and began blocking incoming messages associated with the phishing scam sometime between noon and 1 p.m., according to Duff.
Dorm, department and community email lists were immediately active with students and professors blasting out warnings of the attack and reminding one another of the dangers of opening unknown messages.
“Of course that’s not the only type of phishing messages being sent out, so you need to always be on guard when an email asks you to click on a link in the message,” wrote Martin Frost, systems manager of computer science, in an email chain provided to The Daily.
But this scam is unique, according to Duff. Known as both a phishing scam and “worm,” the scam tricks users into divulging their contact information through mimicking the well-known interface of Google Docs. Users must log in and validate access to their account for the scam to work, bypassing even the added security of Stanford’s two-step authentication.
Once the scam has received the user’s account information via a PHP script, it uses their contact list to send more spam links, allowing it to spread rapidly, which ultimately contributed to its quick shutdown.
“The attack was not stealthy, so the adversaries must have known that it would be detected and shut down quickly,” Duff said.
Duff added that while most phishing scams are financially motivated, the reason behind this attack is not yet clear.
Some students were not immediately duped by the link, noting that closer examination of the interface revealed clues as to its malicious intent.
“I received several and I didn’t click them, mostly because there were so many of the same thing and also because [email protected] seemed pretty sketchy,” wrote Cody Stocker ’17 in an email to The Daily, referring to the temporary email address listed as one of the recipients in the scam.
Despite the quick response, several students expressed confusion that information about the attack came primarily through informal channels rather than direct communication from University officials to the student body.
“Aren’t we supposed to have like fuckin’ state-of-the-art computer science nerds fuckin’ everywhere?” said Allegra McComb ’17. “And no one can write an email, you know, to be like, ‘Don’t do this.’ We’re so focused on cybersecurity and have to two-step authenticate to look at our homework but when there’s a literal cyber attack on university email nobody says anything.”
Stanford encourages community members to forward suspected spam and phishing messages to spam ‘at’ stanford.edu. Duff said in a Thursday morning email to various security-related campus lists that the University will contact those with affected accounts individually and work with the Law School to protect its Google domain, which is separate from the main University’s.
Contact Zoe Sayler at zoeneile ‘at’ stanford.edu.
This post has been updated with additional information about the number of accounts affected and actions the University will take in response to the scam, as reported in Duff’s Thursday morning email.