UConn website compromised, prompting users to download malicious program

This screenshot shows the prompt visitors saw when accessing UConn's website (Kyle Constable/The Daily Campus)

The University of Connecticut’s website was compromised Sunday, prompting visitors to download a malicious program posing as Adobe Flash Player, according to a university spokesman.

Technical staff at the university has resolved the issue, but visitors to the website could continue to experience the issue for some time, UConn deputy spokesman Tom Breen said in a statement via email. It is unknown how long the problem will persist, as “the impact wasn’t uniform” on all Internet service providers, according to Breen.

“Final resolution of the issue depends on the timeouts of various caches, from provider servers all the way down to individual computers,” Breen said. “As these continue to refresh, the impact will steadily diminish before ending entirely.”

Breen said the university does not anticipate that this will affect the start of winter intersession classes, which begin Monday.

The university website’s DNS records – the entries that associate the domain name “uconn.edu” with the website’s server and content – were compromised around 11 a.m., Breen said. The records, which are maintained by the nonprofit organization Educause, were changed to direct users to “a point elsewhere” instead of the content hosted on the server for UConn’s website.

In addition, the university website’s MX records, which link “@uconn.edu” email accounts with the university’s server, were changed. This initially prevented university officials from updating the DNS records to point back to the UConn server instead of the location of the malicious software, as email verification is required to make changes, Breen said.

Although the DNS records have been restored, the problem has persisted for some visitors because the changes were cached, meaning visitors will have to wait until each Internet service provider updates its information again, Breen said. He also said individual computers that visited the website will need their caches refreshed as well, a process that usually happens automatically, but not necessarily on the same timetable.

The university and Educause are jointly investigating the breach, according to Breen.

Visitors who arrived at some pages on UConn’s website Sunday received a pop-up warning that said, “WARNING: Your Flash Player plugin is outdated! Upgrade to continue!”

Any attempt to close the popup would immediately prompt the user to download a Windows executable (EXE) program file called “adobe_flashplayer_18.exe.”

CORRECTION: An earlier edition of the story reported the attack began Sunday "around 7:15 p.m." University information technology officials now say it began Sunday around 11 a.m., clarifying an original notice on the UConn IT Status website posted Sunday at 7:15 p.m. that did not initially specify the time of the attack.


Kyle Constable is a senior staff writer for The Daily Campus. He can be reached via email at kyle.constable@uconn.edu. He tweets @KyleConstable.