[Eril-l] American Chemical Society blocked IPs

Rose-Marie Boström rose-marie.bostrom at chalmers.se
Fri Jun 10 01:39:29 PDT 2016


Hello,

At Chalmers University of Technology we have been attacked with the same type of phishing mails. They were designed as the emails Melissa Belvadi describes. We received the mails in the middle of April, and in the beginning of May we were blocked from ACS seven times in a couple of days.
In our logs we could see that the breach was affecting several publishers, but they did not block us.

The IPs were from many countries for example Canada, China, Japan and Russia.

Some other libraries in Sweden were also blocked from ACS several times during the same period, but I don’t know if they received any phishing mails.

Best regards,
Rose-Marie Boström
Bibliotekarie | Librarian

Biblioteket | The Library
Chalmers tekniska högskola | Chalmers University of Technology
412 96 Göteborg | SE-412 96 Gothenburg, Sweden
Tel +46(0)31-772 3706
Fax +46(0)31-183544
www.lib.chalmers.se
E-mail: rose-marie.bostrom at chalmers.se


From: Eril-l [mailto:eril-l-bounces at lists.eril-l.org] On Behalf Of Melissa Belvadi
Sent: 8 June 2016 19:09
To: Heather Shipman <heather.shipman at cornell.edu>
Cc: eril-l at lists.eril-l.org
Subject: Re: [Eril-l] American Chemical Society blocked IPs

Hello, I'm not sure if this is related to the other reports below, but we just experienced a phishing email virus sent to our users, which specifically refers to "library services" in the subject line and even includes our full name, paper mailing address, and circulation email address in the signature (which appears to be copied right off our homepage footer). The email of course tells the user to click on a link which will then trick them into giving up their campus username/password.  I'm guessing that the intended use of this is to hack the library databases, because of the way the library's identity is targeted in the phishing email.  We definitely know of some patrons who have been tricked already.
So I'm expecting some vendor blocking problems to arise in the next day or two.

Has anyone else gotten attacked with a similar phishing attack that references the library in particular, lately?

Melissa Belvadi, UPEI

On Wed, Jun 8, 2016 at 12:29 PM, Heather Shipman <heather.shipman at cornell.edu> wrote:
If you see the same user appearing in the logs over and over again, it might be worth getting IT to check their computer for viruses, too. One of our ACS blocks was associated with a single user whose computer had to be referred to Security/IT; it was downloading the same content over and over, and “not honoring” a block from “Network Quarantine”.


Heather Shipman
E-resources Acquisition Specialist
110 Olin Library, Cornell University
Heather.shipman at cornell.edu ; 607-254-1499

From: Eril-l [mailto:eril-l-bounces at lists.eril-l.org] On Behalf Of Sally Krash
Sent: Wednesday, June 08, 2016 8:18 AM
To: eril-l at lists.eril-l.org
Subject: Re: [Eril-l] American Chemical Society blocked IPs

They unblocked us Monday afternoon, after we identified the account associated with the unauthorized use. So, they are working on restoring access to libraries.

Sally Krash
Head of Information Resources Management
W.E.B. Du Bois Library
University of Massachusetts Amherst
413-545-6865
krash at library.umass.edu

From: Eril-l [mailto:eril-l-bounces at lists.eril-l.org] On Behalf Of Bob Pearson
Sent: Wednesday, 8 June 2016 9:59 a.m.
To: Kathleen Folger <kfolger at umich.edu>; Egan,Noelle <nme26 at drexel.edu>
Cc: eril-l at lists.eril-l.org
Subject: [FORGED] Re: [Eril-l] [FORGED] Re: American Chemical Society blocked IPs

Yep, into our 3rd day of being blocked. Identified a compromised account and reset the password and notified ACS. They have asked for the IP addresses used, which I will collate and give them, but they have not unblocked us in the meantime.  ☹

Clearly this was a large-scale planned breach. From my first quick look at IPs they seem to be Russian. I’m curious whether others found the same, or is there a wider geographic spread?

Bob Pearson
Digital Access Librarian
Digital Services
The University of Auckland Library
New Zealand

From: Eril-l [mailto:eril-l-bounces at lists.eril-l.org] On Behalf Of Kathleen Folger
Sent: Wednesday, 8 June 2016 8:37 a.m.
To: Egan,Noelle <nme26 at drexel.edu>
Cc: eril-l at lists.eril-l.org
Subject: [FORGED] Re: [Eril-l] American Chemical Society blocked IPs

Noelle,

Thanks so much for sharing this information. We got a report from ACS of a breach via our proxy server and investigated as we do normally. We identified a compromised user account and reported back to ACS but they have not been responding to our requests to have the block removed.  Now I know why.

-Kathleen

_________________________________________
Kathleen M. Folger, Electronic Resources Officer
University of Michigan Library
312 Hatcher North
Ann Arbor, MI 48109-1190
V:(734) 764-9375
F:(734) 764-0259
kfolger at umich.edu

On Tue, Jun 7, 2016 at 4:19 PM, Egan,Noelle <nme26 at drexel.edu> wrote:
Hi All,

Here at Drexel we had a hack of 4 user accounts on Sunday, and the accounts were used to download massive numbers of articles from ACS.  ACS subsequently blocked our access through our EZProxy IP address.

I just got off the phone with Richard at ACS about this, who let me know that many universities had user accounts hacked in the same way, and this breach was affecting several other publishers as well.   I was surprised I hadn’t seen any traffic about the issue on this listserv – has anyone else been blocked by ACS or another publisher in the last few days for excessive downloading?

FYI – ACS says they are not unblocking any IP addresses until they have the issue resolved, at which time they’ll email all their affected customers about reinstated access.

Thanks, Noelle

-------------------------------------------------------------------
Noelle Egan
eResources & Acquisitions Librarian
Drexel University Libraries
Drexel University
3300 Market Street
W. W. Hagerty Library
Philadelphia, PA 19104
Tel: 215.895.2752  |  Fax: 215.895.2070
drexel.edu/library<http://www.library.drexel.edu/>


_______________________________________________
Eril-l mailing list
Eril-l at lists.eril-l.org
http://lists.eril-l.org/listinfo.cgi/eril-l-eril-l.org



--
Melissa Belvadi
Collections Librarian
University of Prince Edward Island
mbelvadi at upei.ca 902-566-0581

