Important information regarding spam & phishing attacks

Please read the following to help protect Jefferson Lab, your own personal information, and our information technology systems.

Important Highlights:

• Just clicking on a link can result in the compromise of your account, computer, or information.

• Before you click on a link or enter any information into a web site, always verify the location by mousing over the link or reviewing the URL bar in your web browser.

• Providing your JLab username/password to non-JLab web sites is never acceptable, and can result in account compromise or data loss.

Jefferson Lab email accounts have received multiple phishing emails over the past three days. These phishing emails ranged from claiming to have information from the Helpdesk, to notification of password expiration and the need to reconfirm your laboratory computer account. Although the link supplied in the email messages was clearly not a JLab web site, the text for the link obscured that fact and the web site itself used JLab logos and other identifying features to make it look legitimate.

JLab received about 1000 phishing emails, and over 80 JLab computer account holders (also known as users) clicked on the link in the email. Of the 80 users who clicked on the link, at least 11 provided their JLab credentials. This phishing attack had about an 8 percent click rate and a 1 percent success rate – a fairly high fraction relative to previous phishing attacks at Jefferson Lab.

Fortunately for this particular attack, we were able to determine the names of those who supplied their JLab credentials or who clicked on the link from JLab, as well as those who called the helpdesk to report having clicked on the link. This helped to limit the damage, by allowing the helpdesk to disable or change the passwords for those accounts immediately. If you ever find that you have supplied your JLab credentials to a non-JLab resource, please report this to the helpdesk and change your password immediately.

Phishing attacks like this one can cause significant disruption to an individual or to the laboratory, and could potentially compromise sensitive information. In many cases, recovery from an infected web site can impact lab business, or require helpdesk support, so it is critical that you report if your credentials have been compromised. Please take a moment to consider best practices for web browsing and general protection of your JLab password.

Even just clicking on a link can result in malware being installed on your system or a zero-day vulnerability being exploited, both of which allow a hacker to gain access to your computer and JLab computing resources. Never click on a link you are unfamiliar with. When you receive any type of email with a link in it, the actual link location may not match the text that is shown on the screen. Take a couple of steps to ensure that you know where the link will actually take you. Hover over the link with your mouse before you click on it. Email clients and web browsers will tell you the actual location, usually in the bottom left of the screen. In the Zimbra web client, you will also see this right under your mouse pointer.

In general, only visit web sites that you are familiar with – those that you have visited before or that are well known. If you are using a search engine to find information or following links from other web pages, take a moment before you click on any link to look at the actual URL. If it seems suspicious, it probably is.

When being asked for your username/password, always be sure that the page you are on is a Jefferson Lab resource. Does the domain name in the URL (uniform resource locator) end with "jlab.org"? If not, then it’s not a Jefferson Lab resource – don’t supply your credentials. For reference, the parts of a URL are: protocol://hostname.domain_name/file_path

For example: http://www.jlab.org/search/index.html (jlab.org is the domain name)

Forward all spam, especially phishing attacks, to spam@jlab.org. This will allow the IT Division to deploy preventative measures, such as web site blocks or email filtering, to help mitigate potential damage.

For more helpful information, visit the Jefferson Lab Computer Center web site at cc.jlab.org and review the phishing/spam resources provided. Call the Helpdesk at ext. 7155 for assistance.