This past summer, the UMBC Security Student Team made a significant discovery regarding compromised accounts, predominantly affecting alumni. In a series of alarming events, fraudulent Google Forms were sent to users, threatening account deactivation unless they provided their usernames and passwords.
What Happened?
Initial investigations began when the student security team looked into a compromised account that had been disseminating phishing emails. They unearthed a troubling pattern during their probe: numerous password reset emails were shared across multiple accounts. This revelation led to the identification of many login failures from specific IP addresses, raising concerns that unauthorized individuals had access to these accounts.
Left to right: Ben Guest, William Brooks, Ouwen Dai, and Anna Plass
Investigative Steps
To contain the security event, the team collaborated with the Division of Information Technology’s full-time Security staff. Their first course of action was to lock and scramble the compromised accounts. Additionally, they proactively contacted affected users, urging them to create new passwords.
The security team also implemented a more structured approach to tracking the issue. They developed a shared spreadsheet to monitor affected users and created two Splunk dashboards to analyze abnormal user behavior and investigate suspicious IP traffic.
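The two patterns the team chased, login failures from a small set of IP addresses spread across many accounts and password reset mail tied to more than one account, translate directly into detection logic. The block below is an added example, not code from the UMBC team, DoIT, or Splunk. It runs over constructed log lines in a made-up key=value format (real Splunk data would be queried with its own search language instead), uses RFC 5737 documentation IP ranges, and assumes that "password reset emails shared across multiple accounts" means one recovery address appearing on several accounts. The thresholds and the rule names are also assumptions.

```python
"""Detection logic for two account-takeover indicators, run over constructed sample logs."""
import re
from collections import defaultdict

# Constructed authentication log (not real UMBC data). One attacker IP fails across
# four accounts; one staff member mistypes a password once from their own address.
AUTH_LOG = """\
2023-07-10T08:01:12Z auth user=alum001 result=FAIL src=203.0.113.5
2023-07-10T08:01:20Z auth user=alum002 result=FAIL src=203.0.113.5
2023-07-10T08:01:27Z auth user=alum003 result=FAIL src=203.0.113.5
2023-07-10T08:01:33Z auth user=alum003 result=OK src=203.0.113.5
2023-07-10T08:01:41Z auth user=alum004 result=FAIL src=203.0.113.5
2023-07-10T08:05:02Z auth user=staff01 result=FAIL src=198.51.100.7
2023-07-10T08:05:09Z auth user=staff01 result=OK src=198.51.100.7
2023-07-10T08:07:45Z auth user=alum005 result=OK src=192.0.2.44
"""

# Constructed password-reset log: one recovery address set on three different accounts.
RESET_LOG = """\
2023-07-10T08:30:00Z reset user=alum001 recovery=contact-a@example.net
2023-07-10T08:31:10Z reset user=alum002 recovery=contact-a@example.net
2023-07-10T08:32:05Z reset user=alum003 recovery=contact-a@example.net
2023-07-10T09:10:00Z reset user=alum005 recovery=alum005.personal@example.org
2023-07-10T09:12:00Z reset user=staff01 recovery=staff01.home@example.org
"""

# Assumed line layout: "<timestamp> <event> key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\w+) (?P<kv>.*)$")


def parse_log(text):
    """Turn each well-formed line into a dict; silently skip lines that do not match."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        fields["ts"] = m.group("ts")
        fields["event"] = m.group("event")
        records.append(fields)
    return records


def failed_logins_by_ip(records, min_accounts=3):
    """Source IPs whose failed logins touched at least min_accounts distinct accounts.

    A single user failing repeatedly from one address is ordinary; one address
    failing against many different accounts is the credential-stuffing shape.
    """
    by_ip = defaultdict(set)
    for r in records:
        if r.get("event") == "auth" and r.get("result") == "FAIL":
            by_ip[r["src"]].add(r["user"])
    return {ip: users for ip, users in by_ip.items() if len(users) >= min_accounts}


def shared_recovery_addresses(records, min_accounts=2):
    """Recovery addresses on password-reset events that are shared by several accounts."""
    by_addr = defaultdict(set)
    for r in records:
        if r.get("event") == "reset":
            by_addr[r["recovery"]].add(r["user"])
    return {addr: users for addr, users in by_addr.items() if len(users) >= min_accounts}


def accounts_to_review():
    """Union of accounts flagged by either rule: the list that would seed a tracking sheet."""
    flagged = set()
    for users in failed_logins_by_ip(parse_log(AUTH_LOG)).values():
        flagged |= users
    for users in shared_recovery_addresses(parse_log(RESET_LOG)).values():
        flagged |= users
    return sorted(flagged)


if __name__ == "__main__":
    print("IPs failing across many accounts:", failed_logins_by_ip(parse_log(AUTH_LOG)))
    print("Shared recovery addresses:", shared_recovery_addresses(parse_log(RESET_LOG)))
    print("Accounts to review:", accounts_to_review())
```

Both rules key on a distinct count rather than a raw event count, which is what keeps a forgetful staff member (one account, two tries) out of the result while the address that fails against four alumni accounts is flagged; in a Splunk dashboard the same idea is a distinct-count-by-source aggregation over failed authentications. The reset rule is only as good as the assumption behind it, so an analyst would still confirm what the shared address actually is before locking anything.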
Key Learnings
Through this challenging experience, the student team realized the immense value of utilizing advanced tools and dashboards for efficient data retrieval and quicker identification of hacking attempts. Notably, the team credited Duo, a multifactor authentication (MFA) tool, with preventing many accounts from being compromised, highlighting the significance of robust security measures.
This ordeal also underscored the importance of up-to-date documentation and reporting, ultimately enhancing their understanding of UMBC’s authentication process.
Looking Ahead
With these steps, the UMBC Security Student Team is committed to safeguarding users from future hacking attempts, demonstrating the vital role of vigilance and innovation in cybersecurity.
If you have any questions about whether an email you have received is legitimate, please contact the DoIT Security Department at security@umbc.edu.
For more information about UMBC’s cybersecurity initiatives, go to doit.umbc.edu/security.