On May 3, there was a large-scale phishing attack that broadly targeted Google accounts. It was a novel style of cyberattack in which victims were tricked into granting a third-party application programmatic access to their Google email and contacts.
“This incident reminds us that phishing is the single greatest cybersecurity and privacy threat we face today,” said the university’s chief information security officer, Michael Duff.
All told, approximately 650 Stanford Google accounts were compromised during the attack. Fortunately, the incident was fully contained within two hours, and there is no indication that any emails were divulged. Those whose accounts were affected have been individually notified and provided with additional information.
The attack began around 11:30 a.m., and University IT (UIT) received the first reports at approximately 11:50 a.m. UIT responded rapidly, coordinating between the email team, Google, and Proofpoint (Stanford’s email security solution) to block further email deliveries and to block unauthorized access to the Google accounts. Users may still find copies of the phishing message in their inboxes, but these no longer pose a threat. Example message:
To learn more about this cybersecurity event, see https://www.theverge.com/2017/5/3/15534768/google-docs-phishing-attack-share-this-document-with-you-spam.
Duff provided two key suggestions for members of the campus community:
- Be wary of unsolicited or unexpected emails, even if they appear to be from someone you know or pertain to a subject in which you are involved.
- Be particularly suspicious if you are prompted to log into your account and/or grant access. If you are unsure about an email, call the purported sender to confirm its authenticity before clicking any links or opening any attachments.
More information is available on the University IT website, including samples of phishing emails to help members of the campus community identify them. Suspected phishing messages can be reported to the Information Security Office by forwarding them to firstname.lastname@example.org.
In addition, the Information Security Office now offers an awareness program for campus departments that wish to train their staff to recognize and avoid phishing. The Phishing Awareness Service sends simulated phishing emails to departments that opt into the training, allowing recipients to become familiar with the tactics used in actual phishing attacks.