Extortion Scam Targeting ISU Email Accounts

An email-based extortion scam claiming possession of explicit personal information is circulating around Iowa State, and University account holders are encouraged to strengthen their security measures to prevent being targeted.

The emails began arriving in University inboxes earlier this semester. They claim that recipients’ accounts and machines were hacked, and that images and videos of users visiting pornographic websites were recorded using the device cameras. The emails threaten to send the images and videos to the University account holders’ contact lists unless a specified amount of money is provided in the form of bitcoin, an electronic currency.

With the assistance of specialized mailing software and online spoofing services used to forge email addresses, the messages appear to originate from the message recipients’ own accounts, giving the impression they were hacked. The emails also include account holders’ passwords, old or current, which were obtained through a data breach not associated with Iowa State.

The extortion emails are not limited to University accounts, and users should be wary of similar attacks targeting their personal email accounts as well. 

“This type of email scam has been around for quite a while,” said Information Technology Services (ITS) Security Analyst Andy Almquist. “However, the inclusion of a password previously associated with the recipient’s email address unfortunately makes the threat more believable.”

While the emails have been circulating around campus since the start of the semester, ITS Security staff observed a spike in the number received this week, with dozens already reported and an estimated several hundred more unreported. The increase is likely due to scammers using an Amazon Web Services server to send out a portion of the fraudulent messages, in addition to spoofing the email address of recipients. 

“This type of attack typically comes in waves,” Almquist said. “Over the last week the scammers formatted their emails to appear to come from Amazon, which is a trusted source. There was definitely an uptick in reports from University account holders.”

Recipients of the emails should not respond or make any payments. Instead, report the message and any other suspicious activity to the ITS Security team at itsecurity@iastate.edu. It is unknown where the extortion emails originated, but ITS is evaluating how to reduce the chances of similar attacks reaching campus in the future.

One of the best ways to protect account and personal information is to enable multifactor authentication (MFA). MFA protects confidential information by requiring an additional factor during the account login process, beyond a username and password. All Iowa State employees and students are encouraged to enroll in MFA by logging into their Okta dashboard at login.iastate.edu and selecting the “Enable Multifactor Authentication” button.

“Multifactor authentication is one of the best lines of defense against an account being hacked, as only you have access to the additional factor,” said Mike Lohrbach, Director of Enterprise Services and Customer Success for IT Services.