The College’s digital security was tested Wednesday morning as hackers sought to gain control of Bowdoin email accounts in one of the more sophisticated attacks seen to date.

In an email to students and faculty, Chief Information Officer Mitch Davis announced that while the attack had briefly succeeded in gaining control of a limited number of accounts on campus, the breach had since been contained.

According to Director of Systems and Enterprise Architecture Adam Lord, Bowdoin’s email inboxes are usually protected by “a system in place that catches the majority of messages that are malicious.” 

This attack circumvented those barriers by first compromising the email account of a Bowdoin student, then using that account to mail over 70,000 other addresses on and off campus. Lord said that because the mail originated from an account within the Bowdoin network, the security systems in Information Technology (IT) subjected the emails to less scrutiny than if they had come directly from hackers.

It is still unclear what led to the compromise of the initial account, but both Lord and Davis suspect a weak password was to blame.

The email contained a message supposedly from the IT Help Desk notifying students that their email accounts would soon expire. Linked in the email was a web page that displayed an exact replica of the login screen for Bowdoin’s web mail system, which would send any passwords entered into it back to the hackers. 

The number of traps of this kind, targeted social engineering attacks known as “spear phishing,” has risen sharply over recent years, according to computer security firm Kaspersky.

Calling the attack “well thought-out” and “smart,” Davis noted that the College was likely not the hackers’ end target. Rather, he said, the College is a “worthwhile target” because of its digital resources, including large internet bandwidth and high-capacity email servers. Had hackers gained control of these resources, Lord said, they could have used Bowdoin to send massive volumes of spam, generating money for themselves while damaging Bowdoin’s ability to use the Internet.

Davis credited Bowdoin staff and students’ instincts with the swift containment of the attack. Very few on campus opened the email, perhaps sensing that something was wrong — a correct intuition, Davis said, noting that IT would never ask for passwords over email. “Four or five” accounts were compromised in all, but the hackers’ control over those accounts was short-lived because the affected users quickly realized their mistake and changed their passwords.

Rather than increasing security, IT plans to increase the already high level of education surrounding these attacks on campus so that even fewer users will be fooled in the future.

“The spammers will come up with something better than what they just did,” says Davis, “so just be aware — if something looks suspicious, it probably is.”