The Daily Pennsylvanian is a student-run nonprofit.


Penn has been the target of a recent round of fraudulent e-mail attacks, known as phishing scams, in which messages mimic official University notices to trick users into handing over account information and passwords.

Spam occurs in surges at universities nationwide, but this wave is especially sophisticated because it is customized, increasing the likelihood that people will fall for the ploy, School of Arts and Sciences vice dean of administration and finance Ramin Sedehi said.

The messages started to hit Penn's radar at the end of July, affecting users on all "upenn.edu" accounts. From different senders with different subject lines - such as "Help Desk Notice" or "Message from Upenn.Edu" - they ask users to reply with their account numbers, passwords and other personal data in order to upgrade the e-mail system or verify user activities. Most messages warn that users who do not reply will have their accounts closed.

Information systems and computing vice president Robin Beck said Penn and other legitimate organizations never ask for personal information over the Internet.

"When someone is asking for your personal information, that should send up a red flag," Beck said.

College junior Tanvi Rastogi, who receives three to six spam messages a day, said she immediately identified them as ploys because of awkward syntax and improper punctuation.

Sedehi said most Penn users are smart about Internet safety, but because these messages look relatively legitimate, a "few" have unwittingly divulged personal information.

He said the messages are impossible to track because they seem to come from Penn's system. There are no exact numbers on how many users have responded, but "all it takes is one" for the scam to propagate, he said.

Once inside an account, attackers can alter its contents and send messages in the user's name; those messages look more authentic because they go to the user's own contacts and mimic previously sent content. Phishing is also a precursor to identity theft because the harvested details describe the user in depth.

However, Sedehi said, "We have not heard of anyone who has been compromised in any way" in this wave of attacks.

Beck said Penn's spam filters are not yet advanced enough to catch these types of phishing scams because the forged addresses are interpreted as legitimate.

When ISC found out about the attacks, it notified administrators of Penn's e-mail systems so they could warn users. ISC's Web site also features a warning and safety tips.

Sedehi said SAS decided against a mass e-mail because users might interpret it as more spam. Instead, "[Warning: Never Send Your Password to Anyone]" appears in the subject line of any e-mail with "password" in its body.
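The subject-line warning described above is a simple mail-filter rule. The following is an added example, written for this page and not SAS's or ISC's own filter, of how such a rule can be implemented with Python's standard email library. The sample messages are constructed for the example (the addresses use example.com), and the matching rules are assumptions: the check is case-insensitive, it scans every text part of a multipart message so that a lure hidden in an HTML part is still caught, and a message that already carries the tag is not tagged twice.

```python
"""Tag the subject of any e-mail whose body mentions "password".

Added example, not the University's filter. Assumes: case-insensitive match,
all text/* MIME parts are scanned, and tagging is idempotent.
"""
import email
import re
from email import policy
from email.message import EmailMessage

WARNING_TAG = "[Warning: Never Send Your Password to Anyone]"
# Case-insensitive, substring match so "PASSWORD:" and "passwords" both hit.
PASSWORD_RE = re.compile(r"password", re.IGNORECASE)

# Constructed sample: a lure like the ones the article describes, sent as
# multipart/alternative so the text lives in both a plain and an HTML part.
PHISH_SAMPLE = """\
From: Help Desk <helpdesk@example.com>
To: user@example.com
Subject: Help Desk Notice
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

We are upgrading the e-mail system. Reply with your username and
PASSWORD to verify your account or it will be closed.
--b1
Content-Type: text/html; charset="us-ascii"

<p>We are upgrading the e-mail system. Reply with your username and
<b>PASSWORD</b> to verify your account or it will be closed.</p>
--b1--
"""

# Constructed sample: an ordinary message that must pass through untouched.
BENIGN_SAMPLE = """\
From: A Friend <friend@example.com>
To: user@example.com
Subject: Lunch tomorrow?

Are you free at noon? The seminar wrapped up early.
"""


def body_text(msg: EmailMessage) -> str:
    """Concatenate the decoded text of every text/* part (multipart-safe)."""
    parts = []
    for part in msg.walk():  # a non-multipart message yields only itself
        if part.get_content_maintype() == "text":
            parts.append(part.get_content())
    return "\n".join(parts)


def mentions_password(msg: EmailMessage) -> bool:
    """True if the word "password" appears anywhere in the message body."""
    return PASSWORD_RE.search(body_text(msg)) is not None


def tag_subject(msg: EmailMessage) -> EmailMessage:
    """Prepend the warning to the Subject of a message that mentions a password.

    Idempotent: a Subject that already starts with the tag is left alone, so
    the tag is not stacked when a message is filtered more than once.
    """
    subject = str(msg.get("Subject", ""))
    if mentions_password(msg) and not subject.startswith(WARNING_TAG):
        del msg["Subject"]
        msg["Subject"] = f"{WARNING_TAG} {subject}".strip()
    return msg


def filter_raw(raw: str) -> str:
    """Parse raw RFC 822 text, apply the rule, and return the filtered message."""
    msg = email.message_from_string(raw, policy=policy.default)
    return tag_subject(msg).as_string()


def subject_of(raw: str) -> str:
    """Return the (unfolded) Subject of a raw message."""
    return str(email.message_from_string(raw, policy=policy.default)["Subject"])


if __name__ == "__main__":
    print(subject_of(filter_raw(PHISH_SAMPLE)))
    print(subject_of(filter_raw(BENIGN_SAMPLE)))
```

A keyword rule like this is deliberately broad: it tags every message that mentions a password, legitimate or not, which is exactly the trade-off the article describes. It does not make the lure go away; it only puts the warning in front of the user before the message is opened.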

The message will be taken down when the attacks subside, he said. Once spammers confront Penn's barriers and people stop responding, they will move on.

"It's like putting a club on your car," Sedehi said. "At some point, they'll go to another parking lot."

Beck said the messages are trickling off after last week's "big burst," and Sedehi said no more account information has been shared since last week.

"All we can do is keep getting smarter," he said. "If no one ever gives their password, these scams don't work."
