[Eril-l] American Chemical Society blocked IPs

Melissa Belvadi mbelvadi at upei.ca
Wed Jun 8 10:09:23 PDT 2016


Hello, I'm not sure if this is related to the other reports below, but we
just experienced a phishing email virus sent to our users, which
specifically refers to "library services" in the subject line and even
includes our full name, paper mailing address, and circulation email
address in the signature (which appears to be copied right off our homepage
footer). The email of course tells the user to click on a link which will
then trick them into giving up their campus username/password.  I'm
guessing that the intended use of this is to hack the library databases,
because of the way the library's identity is targeted in the phishing
email.  We definitely know of some patrons who have been tricked already.
So I'm expecting some vendor blocking problems to arise in the next day or
two.

Has anyone else gotten attacked with a similar phishing attack that
references the library in particular, lately?

Melissa Belvadi, UPEI

On Wed, Jun 8, 2016 at 12:29 PM, Heather Shipman <heather.shipman at cornell.edu> wrote:

> If you see the same user appearing in the logs over and over again, it
> might be worth getting IT to check their computer for viruses, too. One of
> our ACS blocks was associated with a single user whose computer had to be
> referred to Security/IT; it was downloading the same content over and over,
> and “not honoring” a block from “Network Quarantine”.
>
>
>
>
>
> Heather Shipman
>
> E-resources Acquisition Specialist
>
> 110 Olin Library, Cornell University
>
> Heather.shipman at cornell.edu ; 607-254-1499
>
>
>
> *From:* Eril-l [mailto:eril-l-bounces at lists.eril-l.org] *On Behalf Of *Sally
> Krash
> *Sent:* Wednesday, June 08, 2016 8:18 AM
> *To:* eril-l at lists.eril-l.org
> *Subject:* Re: [Eril-l] American Chemical Society blocked IPs
>
>
>
> They unblocked us Monday afternoon, after we identified the account
> associated with the unauthorized use. So, they are working on restoring
> access to libraries.
>
>
>
> Sally Krash
>
> Head of Information Resources Management
>
> W.E.B. Du Bois Library
>
> University of Massachusetts Amherst
>
> 413-545-6865
>
> krash at library.umass.edu
>
>
>
> *From:* Eril-l [mailto:eril-l-bounces at lists.eril-l.org
> <eril-l-bounces at lists.eril-l.org>] *On Behalf Of *Bob Pearson
> *Sent:* Wednesday, 8 June 2016 9:59 a.m.
> *To:* Kathleen Folger <kfolger at umich.edu>; Egan,Noelle <nme26 at drexel.edu>
> *Cc:* eril-l at lists.eril-l.org
> *Subject:* [FORGED] Re: [Eril-l] [FORGED] Re: American Chemical Society
> blocked IPs
>
>
>
> Yep, into our 3rd day of being blocked. Identified a compromised account
> and reset the password and notified ACS. They have asked for the IP
> addresses used, which I will collate and give them, but they have not
> unblocked us in the meantime.  :(
>
>
>
> Clearly this was a large-scale planned breach. From my first quick look at
> IPs they seem to be Russian. I’m curious whether others found the same, or
> is there a wider geographic spread?
>
>
>
> Bob Pearson
> Digital Access Librarian
> Digital Services
> The University of Auckland Library
> New Zealand
>
>
>
> *From:* Eril-l [mailto:eril-l-bounces at lists.eril-l.org
> <eril-l-bounces at lists.eril-l.org>] *On Behalf Of *Kathleen Folger
> *Sent:* Wednesday, 8 June 2016 8:37 a.m.
> *To:* Egan,Noelle <nme26 at drexel.edu>
> *Cc:* eril-l at lists.eril-l.org
> *Subject:* [FORGED] Re: [Eril-l] American Chemical Society blocked IPs
>
>
>
> Noelle,
>
>
>
> Thanks so much for sharing this information. We got a report from ACS of a
> breach via our proxy server and investigated as we do normally. We
> identified a compromised user account and reported back to ACS but they
> have not been responding to our requests to have the block removed.  Now I
> know why.
>
>
>
> -Kathleen
>
>
> _________________________________________
> Kathleen M. Folger, Electronic Resources Officer
> University of Michigan Library
> 312 Hatcher North
> Ann Arbor, MI 48109-1190
> V:(734) 764-9375
> F:(734) 764-0259
> kfolger at umich.edu
>
>
>
> On Tue, Jun 7, 2016 at 4:19 PM, Egan,Noelle <nme26 at drexel.edu> wrote:
>
> Hi All,
>
>
>
> Here at Drexel we had a hack of 4 user accounts on Sunday, and the
> accounts were used to download massive numbers of articles from ACS.  ACS
> subsequently blocked our access through our EZProxy IP address.
>
>
>
> I just got off the phone with Richard at ACS about this, who let me know
> that many universities had user accounts hacked in the same way, and this
> breach was affecting several other publishers as well.   I was surprised I
> hadn’t seen any traffic about the issue on this listserv – has anyone else
> been blocked by ACS or another publisher in the last few days for excessive
> downloading?
>
>
>
> FYI – ACS says they are not unblocking any IP addresses until they have
> the issue resolved, at which time they’ll email all their affected
> customers about reinstated access.
>
>
>
> Thanks, Noelle
>
>
>
> *-------------------------------------------------------------------*
>
>
> *Noelle Egan **eResources & Acquisitions Librarian*
>
> Drexel University Libraries
>
> *Drexel University *3300 Market Street
> W. W. Hagerty Library
> Philadelphia, PA 19104
> Tel: 215.895.2752  |  Fax: 215.895.2070
> drexel.edu/library <http://www.library.drexel.edu/>
>
>
>
>
> _______________________________________________
> Eril-l mailing list
> Eril-l at lists.eril-l.org
> http://lists.eril-l.org/listinfo.cgi/eril-l-eril-l.org
>
>
>


-- 
Melissa Belvadi
Collections Librarian
University of Prince Edward Island
mbelvadi at upei.ca 902-566-0581
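
The log check described in the replies quoted above (spotting one account that appears over and over, and collating the IP addresses it was used from), as an added example that is not part of the original thread. It assumes NCSA-style proxy log lines with the username in the third field and the full URL in the request; the sample lines, usernames, host name and threshold are constructed.

```python
import re
from collections import defaultdict

# Assumed layout: client-IP - user [timestamp] "METHOD full-URL PROTO" status bytes
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"\S+ (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample lines (documentation IP ranges, made-up users and host).
SAMPLE_LOG = """\
198.51.100.7 - jdoe [05/Jun/2016:02:10:01 -0400] "GET https://pubs.publisher.example/doi/pdf/a1 HTTP/1.1" 200 81234
203.0.113.9 - jdoe [05/Jun/2016:02:10:02 -0400] "GET https://pubs.publisher.example/doi/pdf/a2 HTTP/1.1" 200 90211
198.51.100.7 - jdoe [05/Jun/2016:02:10:03 -0400] "GET https://pubs.publisher.example/doi/pdf/a3 HTTP/1.1" 200 77120
192.0.2.15 - asmith [05/Jun/2016:09:00:00 -0400] "GET https://pubs.publisher.example/doi/pdf/b1 HTTP/1.1" 200 65000
192.0.2.15 - asmith [05/Jun/2016:09:02:00 -0400] "GET https://other.example/article/1 HTTP/1.1" 200 1200
192.0.2.44 - lab12 [05/Jun/2016:09:05:00 -0400] "GET https://pubs.publisher.example/doi/pdf/c1 HTTP/1.1" 200 65000
192.0.2.44 - lab12 [05/Jun/2016:09:05:01 -0400] "GET https://pubs.publisher.example/doi/pdf/c1 HTTP/1.1" 200 65000
192.0.2.44 - lab12 [05/Jun/2016:09:05:02 -0400] "GET https://pubs.publisher.example/doi/pdf/c1 HTTP/1.1" 200 65000
"""

def flag_accounts(log_text, vendor_host, max_requests):
    """Per user: successful vendor requests, distinct URLs and source IPs,
    returned only for accounts with more than max_requests requests."""
    stats = defaultdict(lambda: {"requests": 0, "urls": set(), "ips": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["user"] == "-" or m["status"] != "200":
            continue  # unparsable, unauthenticated, or not a successful fetch
        host = re.sub(r"^https?://", "", m["url"]).split("/")[0].split(":")[0]
        if host != vendor_host and not host.endswith("." + vendor_host):
            continue  # traffic to some other vendor
        s = stats[m["user"]]
        s["requests"] += 1
        s["urls"].add(m["url"])
        s["ips"].add(m["ip"])
    return {
        user: {"requests": s["requests"], "distinct_urls": len(s["urls"]),
               "ips": sorted(s["ips"])}
        for user, s in stats.items() if s["requests"] > max_requests
    }

if __name__ == "__main__":
    for user, info in flag_accounts(SAMPLE_LOG, "publisher.example", 2).items():
        print(user, info)
```

An account flagged with several source IPs matches the compromised-credential reports in the thread, while one IP fetching the same URL repeatedly (a low `distinct_urls`) matches the infected-workstation case.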