LSE students and staff have been the target of a mass cyber attack with multiple cases of fake “phishing” emails being sent out to LSE-affiliated email accounts being reported.
Mass emails are being sent with subjects related to students’ previous emails or coursework, containing a green button linking students to fake pages disguised to look like a legitimate LSE login page.
The emails have been mostly sent from infected LSE email addresses (ending with @lse.ac.uk) to avoid raising red flags. Students and staff who were tricked into divulging their LSE account login details reported being locked out from accessing LSE services, such as Moodle and LSE For You. Mass phishing emails were also sent out to their contacts.
One LSE student told The Beaver of his frustration after his LSE account was hacked. “I can’t access Moodle for my coursework, and the phishing emails were sent to my friends in Oxford as well,” he said.
It is unclear at this stage who or where the phishing attack originated from, and the motives behind it. The Beaver has reached out to the LSE for comment.
The LSE Information Management & Technology (IMT) Centre, responsible for IT security, has yet to issue an official notice as of Dec 10. Students and staff have turned to social media in the meantime to voice their concerns and warnings about the attacks.
One tutor advised students via email to seek alternative ways to submit their work online if they were affected by the attack. “If you know someone in class who has been affected by this problem and has been locked out of their LSE account… please tell them to get in touch with [the government department] to ask for instructions on how to submit the essay,” the email stated.
The Beaver understands that University College London (UCL) emails were also affected by a mass phishing attack in October, although it is unclear if the attacks are related. UCL advised students in a notice then (Oct 19) that emails with the subject “Refund for UCL students” have been circulated with the intention of gaining students’ bank details.
Student emails have also become a popular target for hackers.
HM Revenue and Customs, the UK’s tax authority, said in November this year that there has been an increase in the number of fake tax refund emails being sent to university students, attempting to to steal their banking and personal details.
Phishing is a common tactic used by criminals online to trick users into revealing their personal information, upon receiving emails and websites that are disguised to look legitimate. More sophisticated attacks are increasingly using hijacked email accounts to send malicious content as part of or in response to existing email threads.
LSE students and staff are advised to change their passwords to a secure combination to avoid falling prey to further hacking attempts.
Additional reporting by Ross Lloyd
[Students and staff are advised to report suspicious emails to the IMT Centre at firstname.lastname@example.org. Students and staff with concerns about their accounts’ safety are also advised to call the IMT Help Desk at 0207 107 5000 (Extension -5000 outside office hours) or email email@example.com.]