Published by the Students of Johns Hopkins since 1896
November 25, 2024

Fraudulent ISIS page compromises JHEDs

By MICHAEL NAKAN | September 28, 2011

A false ISIS log-in page that reached the top of Google search results was detected by Hopkins two Tuesdays ago and was removed last Thursday, according to an e-mail sent to the Hopkins community by Chief Security Officer Darren Lacey and Vice Provost for Information Technology and Chief Information Officer Stephanie Reel.

It remains unclear as to how the page reached the top of Google search, above the real Hopkins ISIS log in.

The illegal page was reported to Hopkins IT by a concerned member of the School of Public Health who realized that he or she had been redirected to the wrong page.

"The IT people did a look through of their network logs and found IP addresses for people who had gone from Hopkins network to the fake site," said Executive Director of Communication and Public Affairs Dennis O'Shea.

"They contacted those people to let them know they had gone to the wrong site."

Hopkins reacted quickly to the information, immediately contacting the Internet service provider (ISP) hosting the page and asking for it to be taken down.

Although Hopkins is prepared for traditional hacking attempts, they were caught off guard by this type of indirect attack.

"We have industry-standard network protection, intrusion prevention and intrusion detection capabilities. We also have log management tools that allow us to quickly assess what has happened and respond, as we did in this case," Lacey wrote in an e-mail to The News-Letter.

"Another thing we are doing now, specifically in response to this attack, is searching the Internet outside our domain for any pages that are built to look like our log-in pages."

The site was brought to Hopkins's attention when it was discovered at the top of Google search results; how long the page had been up before that and who perpetrated the attack remain unknown.

There were roughly 100 visits to the fake site from the Hopkins network – equating to roughly 60-70 unduplicated users, according to Lacey.

Those whose accounts were compromised were informed by Hopkins before the site was taken down.

There has been no illicit activity on these compromised accounts and Hopkins is following up with them to make sure that they change their passwords, according to Lacey.

The university cannot tell how many people accessed the false site outside of the university's network.

There are a few different reasons why internet criminals target university accounts for these kinds of attacks.

"The No. 1 reason for such an attack is to hijack an email account and use it to send spam," Lacey wrote. "The No. 2 reason, especially for attackers from overseas, is to use the credentials to access journals and other academic resources of the university.

"Other possibilities are that the attacker could use the credentials to access ISIS Self Service or courses in BlackBoard. But they wouldn't have administrative access and there would be relatively little that an attacker could do without administrative access. They certainly could not, for instance, change grades."

Hopkins has notified other universities and other security groups about this previously unseen threat.

"We will keep watching," Lacey wrote.


Have a tip or story idea?
Let us know!

News-Letter Magazine
Multimedia
Hoptoberfest 2024
Leisure Interactive Food Map