At first, the email appeared to be a reply to previous emails — opening the email revealed a blue box with instructions to “display trusted message.”
However, unsuspecting Cornellians who opened the email quickly found out that the email was not what it seemed.
In fact, the email was part of a University-wide phishing scheme that spread over a single weekend, affecting Cornell staff, faculty and students alike.
For some users, clicking on the link once was enough to compromise their account. For others, a fake login website appeared after opening the link, asking users to input their NetID and password.
Once opened, the phishing program then mass-emailed contacts that the compromised account had previously communicated with. The subject line changed with each message, cleverly disguised as a response to a previous email received by the user.
Yoorie Chang ’20 was one of the many students deceived by the email. Chang had received the initial email Sunday morning, but her account only began sending out the malicious emails that afternoon. Shortly afterwards, friends and professors who received emails from Chang’s account reached out to her in confusion.
“I was incredibly embarrassed. I had no idea what was going on,” Chang told The Sun. “My defenses were down. I didn’t even suspect it was a scam email.”
When Chang first saw the email, she assumed the request for her NetID and password was a security measure implemented by Cornell.
Sarah Kimball ’21 was suspicious of the fake email, but did not realize that simply clicking the link could allow the program to hack her account. Kimball first received these compromised emails Saturday, but only realized her account was hacked when she received automated out-of-office responses from some of the people the program emailed.
“I kept waiting throughout Saturday and Sunday to receive an email from Cornell IT, just regarding the hacking and warning us not to click on any emails,” Kimball told The Sun.
On Monday, Cornell Information Technologies posted a short warning on its “phish bowl” website page, attaching a screenshot of an example email. However, Cornell IT has not reached out to Cornellians about the hack.
In an email to students Monday afternoon about the scam emails, Joel Malina, vice president for university relations, asked Cornell students, staff and faculty to “delete the message and don’t click the link.” He also encouraged people to use two-step login to provide additional security beyond the baseline measures.
Cornell currently requires two-step login security measures to access some Cornell platforms, such as Student Central, Faculty Central and Workday, according to Sean Mongan, IT service desk consultant. The program does not, however, cover email accounts, Google Drive, Canvas or Blackboard.
Cornell IT attempts to block fake emails when detected, according to Malina. But because of the speed at which emails are sent, people may receive the phishing emails before they’re caught.
After examining some of the fake emails, Mongan noticed that many of the malicious links no longer worked. One of the links led to a Cornell page that told users the initial link was malicious; another link failed to load. Since the links change from email to email, it can be hard for Cornell IT Security to successfully cut the links, according to Mongan.
“We’ve had these before. There’s no point in sending out a mass email because then people think that’s spam too,” Mongan told The Sun. “You can’t win.”
Cornell IT Security, an office that directly handles digital security issues and is independent of the IT service desk, refused The Sun’s several requests for comment. The University also did not respond to requests for more information besides what was said in Malina’s statement.
Malicious emails do not appear in the sent box of compromised accounts, so hacked users are unable to track the number of fake emails sent using their name and address.
The hack wasn’t limited to just Cornell accounts: Kimball’s account, for instance, sent fake emails to internships she had applied to.
At the same time, students also aren’t the only ones falling for these emails. Some staff and faculty also had their accounts compromised, among them Judicial Administrator Michelle Horvath and Prof. Shivaun Archer, engineering.
Students whose accounts were compromised were told by Cornell IT to reset their NetID passwords and security questions. When Kimball contacted Cornell IT, they recorded her name and NetID, instructed her to change her password and didn’t provide any further information about the hack.
“At least it was an easy fix and hopefully the end of it,” Kimball said.