By Shelby Horton
On March 24, an HCC employee was able to see two email addresses in the fake, “phishing” email that resulted in the huge data breach of 1,327 employee W-2 files.
The “From:” address on the fake email was a clone of Hutchinson Community College’s Groupwise email style — it read “Carter File
The “Reply To:” address on the email read filec@email.com.
This information was supplied to The Hutchinson Collegian by HCC administrators on April 21, after a second Kansas Open Records Act request by the newspaper was delivered to HCC Vice President Julie Blanton on April 18.
At issue was whether or not the fake email looked authentic. In the email, the writer posed as Dr. Carter File, HCC president.
In the days following the data breach, File had firmly declined to answer questions about the looks of the email in regards to the apparent email provider.
Further study of the phishing email has revealed more clues about its origin.
But then again, the clues may be fabricated, as well.
On April 14, the Collegian staff was able to obtain — through an Open Records Act request to HCC administrators — a copy of the fake email, complete with three-fourths of a page of coding. Parts of it had been redacted (blacked out).
Collegian staff member Melinda Dome attempted to analyze the code, using online sources. In short batches, Dome sent 31 lines of code through a popular search engine.
In some cases the code listed addresses to servers that could not be found; other code snippets led to information about the attack on HCC. One line resulted in a failed log-in to Groupwise, the HCC email system; instead, it was routed to a HCC Tech Support window by Sophos, the college’s network security system.
Another line of code led to a Novell Open Enterprise Server, a platform for delivery of shared network services; HCC uses Novell for access to Groupwise.
The autonomous system number (ASN) “16276 OVH SAS” was found amid the code. It is one of the most hacker-abused systems; they are composed of Internet Protocol (IP) addresses, Dome said.
A few years ago, the Internet service provider OVH attempted to repel Canadian hackers that were ravaging its system, but the hackers then proceeded to switch their user addresses from Canada to Europe. OVH servers are cheap and popular. They have a website, OVH.com, which is dedicated to stopping abuse of their system with a team based in France, Dome said.
Code on the HCC phishing email leads to the OVH facility in Roubaix, France, she said.
Lastly, Leaf PHPMailer 2.7 is a site that allows users to build their own emails without using a well-known email service; it lets you control what the receiving person can see.
It will allow a user to create a fake “sender” email address while including the actual “Reply” email address, which can be invisible to the receiving person, Dome said.
This incident continues to plague HCC staff and students, as they deal with the consequences of the event.
An email sent to the Collegian, by a person wanting to remain anonymous, was one of discouragement.
“It is no great solace,” the person wrote, that this incident was more of a case of human error than hacking prowess.
“Furthermore, this incident required multiple organizational failures (by HCC) before the email was even sent,” the writer said.
As the investigation is continued by law enforcement, HCC students and staff affected by this data breach are encouraged to sign up with Kroll Monitoring Service. Call their HCC hotline 1-877-309-0195. They will confirm your identity, then give you a membership number to use.
Views: 93