On March 19, the MSU Information Technology Center (ITC) sent an email to all MSU faculty, staff and students alerting them that the university had discovered it was targeted in a fraudulent scheme to change employee direct deposit information. The illegally modified account numbers routed numerous paychecks into unauthorized accounts.
The fraudulent changes were made on Feb. 19 and impacted seven known individuals as of April 1. MSU was not the sole target; several universities — including the University of Michigan and the University of Minnesota — were hit by the same attack.
“Based on available evidence and similar incidents at other universities, we believe that an elaborate phishing email allowed unauthorized users to gain access to a limited number of MSU usernames and credentials,” said Chief Information Officer Jerry Sheehan.
After collecting the credentials, criminals were able to access the MyInfo Banner system and modify direct deposit information to route funds to a different account. According to Sheehan, seven MSU Bozeman user accounts were compromised and five of those resulted in pay being deposited in accounts not belonging to the actual user.
The victims were issued new checks that were paid for through the University general fund, explained Sheehan. He added, “We have submitted a request for reimbursement to our cyber-security insurance provided through the State of Montana.” In addition, MSU has extended identity theft monitoring to the impacted users.
Immediately after becoming aware of the attack on March 19, ITC disabled the online direct deposit editing service to prevent another attack. To change direct deposit information, users must now print and complete the direct deposit request form available on MSU’s Human Resources website. The new system includes phone verification for added security. Sheehan affirmed that MSU “does not plan to bring [electronic direct deposit] back online in the foreseeable future.”
ITC also generated a list of every user who made a change to their direct deposit information online in the last month and contacted those individuals to ensure that they were the ones who initiated the change.
Currently, nothing is known of the attackers or where the attack originated. “The fraud was very technically sophisticated,” Sheehan said. MSU IT Security has been working with local and federal law enforcement to provide data necessary for the investigation. After the case was forwarded to the FBI, the banks that own the accounts used in the scheme were subpoenaed by the Gallatin County District Court for information pertaining to the accounts and their owners.
According to MSU Chief of Police Robert Putzke, the banks have until April 15 to respond to the subpoena with the requested information. To preserve the integrity of the investigation, information regarding the accounts the criminals used — such as location and banks — is not being released.
ITC continues work to reduce cyberattack risk, having just concluded a month of security awareness. Sheehan stressed that “the most important defense against these attempts at unauthorized access is increased user awareness.” In addition, ITC is testing more electronic tools for deployment. The new tools would allow ITC to decrease spam and phishing emails targeting MSU faculty, staff and students.
Sheehan reminds everyone at the University “that MSU will never send you an email with an active link that redirects you to a page to provide your username and password.” Individuals receiving this type of request are encouraged to forward the email immediately to firstname.lastname@example.org.