Visitors arriving at the University of Connecticut’s website Sunday found themselves prompted to download malware after the records linking the web address to the website’s content were compromised just one day before the start of winter intersession classes.
UConn officials chose not to directly notify students, faculty and staff on Sunday about the malware threat, which remained on the site for approximately five hours, between 11 a.m. and 4 p.m., university deputy spokesman Tom Breen said in an email Monday.
Breen said the university did not want to “overlook or misinterpret a vital piece of information about the incident,” which led it not to share the information publicly.
“We have to proceed with care and diligence,” Breen said in an email Monday morning. “Once we have a clear picture of what happened, we'll be able to share what we know.”
Some visitors to the website continued to be directed to the malware more than 12 hours after the problem was resolved. Breen said Sunday night that the problem had the potential to persist for some time – up to 24 hours.
Visitors still seeing the malware on UConn’s website would have to wait until their Internet service providers updated their records again, Breen said. He also said individual computers that visited the website might need their caches refreshed as well – a process that usually happens automatically, but not necessarily on a uniform timetable.
“Final resolution of the issue depends on the timeouts of various caches, from provider servers all the way down to individual computers,” Breen said. “As these continue to refresh, the impact will steadily diminish before ending entirely.”
Despite the deceptive prompt and malicious software affecting some website visitors on the first day of the winter intersession, university officials did not send an email to students, faculty and staff warning them about the threat on Sunday. Officials also did not use the Rave Alert text message system or the university’s official social media accounts to publicize the threat.
However, the UConn Foundation’s Twitter account sent out a tweet Sunday just after 11 p.m. warning its followers: “Please do not visit the Foundation site or any UConn dot edu site until a domain-wide issue has been resolved.”
Breen said it is standard procedure for the university to prioritize resolving the problem over publicizing the danger.
“In incidents like this, UConn has two main priorities: first, to resolve the issue and return university IT operations to normal. Second, to determine exactly what happened, and how it occurred, so we can be better protected in the future,” Breen said. “To accomplish our first priority, we have to respond with speed and urgency.”
UConn’s information security office released a statement Monday shortly after 10 a.m., acknowledging it was “the victim of an attack.” While the university included the statement in the daily digest email to faculty and staff on Monday, the information was not sent to students.
Jason Pufahl, UConn’s chief information security officer, advised anyone who downloaded the software to delete it immediately, access a computer without the malware and change passwords associated with any NetID and online banking accounts.
“The malware appears to be intended to compromise credentials, potentially specifically banking information,” Pufahl said in the information security office’s statement Monday.
Pufahl said the attack changed the DNS records – which point the “uconn.edu” web address to the server storing the website files – so that the name instead resolved to a non-university server. The attack “effectively resulted in all university IT services … being unavailable” on Sunday, according to Pufahl.
Waiting on the other server for unsuspecting visitors was a pop-up that claimed to be an update to the visitor’s Adobe Flash Player:
“WARNING: Your Flash Player plugin is outdated! Upgrade to continue!”
Any attempt to close the pop-up would immediately prompt the user to download a Windows executable (EXE) program file called “adobe_flashplayer_18.exe.”
Instead of updating the popular Adobe product, users found they had downloaded malware. Because the file was a Windows executable, most Mac OS users would not be affected; Windows users would be compromised only if they ran the file after downloading it.
To complicate matters further, the domain’s MX records, which tell other mail servers where to deliver messages for “@uconn.edu” email addresses, were also modified. This initially prevented university officials from updating the DNS records to point back to the UConn server instead of the location of the malware, as email verification is required to make changes, Breen said.
Both the web-address and mail records are managed through Educause, the nonprofit that administers the .edu domain and assists colleges and universities with information technology issues. The records were changed after an account with administrative access to this information was compromised, according to Breen.
“Working with Educause, we were able to recover the email and then the DNS records,” Breen said Sunday night. “The DNS records were cached, which is why some people were still having trouble accessing the homepage after the recovery.”
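The caching behaviour Breen describes here, and in the earlier passage on ISP and local caches refreshing on their own timetables, is shown below as an added Python example; it is not code from the article, from UConn or from Educause. It simulates one recursive resolver with a TTL cache in front of authoritative data that is first hijacked and then restored. Every name, address and TTL in it is constructed for illustration (192.0.2.10 and 203.0.113.66 are documentation addresses, the 86400-second TTL on the hijacked records is a hypothetical choice an attacker might make so the poisoned answer lingers), not data from the incident.

```python
"""Toy recursive-resolver cache showing why a hijacked DNS answer keeps
being served after the authoritative records are corrected, until the
cached copy's TTL expires.

Added example, not from the article. All names, addresses and TTLs are
constructed: 192.0.2.10 and 203.0.113.66 are documentation addresses,
and the TTLs are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    value: str
    ttl: int  # seconds a resolver may keep this answer


# Authoritative data as an attacker controlling the DNS account might
# publish it: A and MX both point away from the university, with a long
# TTL so the poisoned answer stays in resolver caches (hypothetical).
HIJACKED_ZONE = {
    ("uconn.edu.", "A"): Record("203.0.113.66", 86400),
    ("uconn.edu.", "MX"): Record("10 mail.attacker.example.", 86400),
}

# Authoritative data after recovery (hypothetical legitimate values).
RESTORED_ZONE = {
    ("uconn.edu.", "A"): Record("192.0.2.10", 3600),
    ("uconn.edu.", "MX"): Record("10 mail.uconn.edu.", 3600),
}


def authoritative_zone(now, restored_at):
    """What the authoritative servers answer at time `now` (seconds)."""
    return HIJACKED_ZONE if now < restored_at else RESTORED_ZONE


class ResolverCache:
    """Minimal TTL cache: on a miss, ask the authoritative zone and store
    the answer until now + ttl; on a hit, return the stored answer
    without consulting the authoritative data at all."""

    def __init__(self):
        self._entries = {}  # (name, type) -> (value, expires_at)

    def lookup(self, name, rtype, now, restored_at):
        key = (name, rtype)
        hit = self._entries.get(key)
        if hit is not None and now < hit[1]:
            return hit[0], True  # served from cache, possibly stale
        rec = authoritative_zone(now, restored_at)[key]
        self._entries[key] = (rec.value, now + rec.ttl)
        return rec.value, False  # fresh from the authoritative zone

    def stale_entries(self, now, restored_at):
        """Unexpired cached answers that no longer match authoritative
        data: the check a resolver operator runs before deciding to
        flush rather than wait for TTLs to run out."""
        zone = authoritative_zone(now, restored_at)
        return sorted(
            key for key, (value, expires_at) in self._entries.items()
            if now < expires_at and zone[key].value != value
        )

    def flush(self):
        self._entries.clear()


def incident_timeline(restored_at=5 * 3600):
    """Answers one client of one resolver sees for the A record.

    Hijack at t=0, authoritative records corrected at `restored_at`
    (five hours, the window the article reports), queries at several
    later points. Returns {t_seconds: (answer, served_from_cache)}.
    """
    cache = ResolverCache()
    seen = {}
    for t in (600, 6 * 3600, 12 * 3600, 24 * 3600 + 700):
        seen[t] = cache.lookup("uconn.edu.", "A", t, restored_at)
    return seen


if __name__ == "__main__":
    for t, (answer, cached) in incident_timeline().items():
        source = "cache" if cached else "authoritative"
        print(f"t={t / 3600:5.1f}h  uconn.edu. A -> {answer}  ({source})")
```

The resolver that first asked during the hijack keeps answering with the attacker's address for the full 24-hour TTL, long after the authoritative fix at the five-hour mark, while a resolver with no cached copy gets the correct address immediately; that is the uneven, per-cache recovery Breen describes. An operator who knows the records were hijacked does not have to wait: BIND's `rndc flush` and Unbound's `unbound-control flush_zone <name>` discard the cached copies, which is what `flush()` stands in for here.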
UConn is leading the investigation of the incident “with cooperation from Educause,” Breen said Monday morning.
Breen said the university could not comment on who might be responsible for the breach or where the server hosting the malware might have been based.