Need to change your password? Click here for directions!
Timeline
6:48AM: A student account was compromised and began sending out emails with the subject line "Documentations via Google". This email contained a link that looked sufficiently legitimate to trick people into entering their CalArts email addresses and passwords. When email credentials were supplied, the attacker began sending out the same message again from the new account.
8:31AM: A second account began sending out this message and inadvertently opened an IT ticket. We immediately began investigating and notifying the community through Twitter.
10:30AM: CalArts IT adjusted internal DNS rules to capture that URL and redirect it to this article. This will only affect people on campus who attempt to go to the offending URL.
What To Look For
The offending message will come from a known account, someone with whom you've exchanged emails previously. The attacker is using that implicit trust to trick people into clicking the included link.
When the email message is opened, Google helpfully tags it with a large red warning banner.
In a community such as ours, these banners are sometimes inadvertently applied to benign messages, as they may come from international sources or individuals who speak English as a second language. Oftentimes improper grammar or spelling can trigger notices such as this.
Clicking the link contained within the page would bring you to the following page:
Google will only allow email logins through their standard login page. Mockups such as this look sufficiently legitimate to those who aren't aware and can easily trick people into divulging their username and password. When the Gmail option is selected, the following "login" window is presented:
So far, it appears that credentials that are supplied are only used to propagate the email message. These logins are valuable to sell to spammers and may result in very bad things in the future. The good news is we don't see this affecting any computers, just the email accounts.
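Because each compromised account re-sends the same message, the spread can be traced from a mail log. The following is an added example, not CalArts IT's own tooling: it lists the accounts that sent the "Documentations via Google" message, the account each one most likely received it from, and the recipients who have not sent it themselves. The log format, addresses and date are constructed for illustration.

```python
import csv
from datetime import datetime
from io import StringIO

LURE_SUBJECT = "Documentations via Google"  # subject line reported in this incident

# Constructed sample log (hypothetical format: ISO time, sender, recipient, subject).
# Addresses and the date are made up; the 06:48 and 08:31 times mirror the timeline.
SAMPLE_LOG = """\
2024-01-01T06:48:00,student1@example.edu,staff2@example.edu,Documentations via Google
2024-01-01T06:48:00,student1@example.edu,student3@example.edu,Documentations via Google
2024-01-01T07:15:00,staff9@example.edu,student3@example.edu,Lunch on Friday?
2024-01-01T08:31:00,staff2@example.edu,helpdesk@example.edu,Documentations via Google
2024-01-01T08:31:00,staff2@example.edu,student4@example.edu,documentations via google
2024-01-01T09:02:00,student3@example.edu,student5@example.edu,Re: Documentations via Google
"""

def trace_lure(log_text, subject=LURE_SUBJECT):
    """Map each account that sent the lure to its first send time, its
    recipients, and the account it most likely received the lure from."""
    wanted = subject.casefold()
    rows = [r for r in csv.reader(StringIO(log_text)) if len(r) == 4]
    rows.sort(key=lambda r: datetime.fromisoformat(r[0]))
    received = {}  # recipient -> (time, sender) of the first lure they were sent
    senders = {}   # insertion order = order in which accounts started sending
    for ts, sender, rcpt, subj in rows:
        # Exact match only: a "Re:" reply asking about the message is not a re-send.
        if subj.strip().casefold() != wanted:
            continue
        when = datetime.fromisoformat(ts)
        if sender not in senders:
            src = received.get(sender)
            senders[sender] = {
                "first_sent": when,
                "recipients": set(),
                "likely_source": src[1] if src and src[0] < when else None,
            }
        senders[sender]["recipients"].add(rcpt)
        received.setdefault(rcpt, (when, sender))
    return senders

def exposed_recipients(trace):
    """Accounts that were sent the lure but have not sent it themselves."""
    everyone = set().union(*(v["recipients"] for v in trace.values()))
    return sorted(everyone - set(trace))

if __name__ == "__main__":
    trace = trace_lure(SAMPLE_LOG)
    for account, info in trace.items():
        print(info["first_sent"].time(), account, "<-", info["likely_source"])
    print("notify:", exposed_recipients(trace))
```

Accounts in the first list are the ones to treat as compromised; the second list is who to contact before they enter their credentials.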