CITES Security | University of Illinois

Authenticated SMTP Users Must Reset Passwords

Background

The University of Illinois is currently in the midst of phishing attack, both generating and receiving massive amounts of spam and phishing emails, which is negatively affecting the University's ability to conduct business. We have identified the CITES authenticated SMTP service as having a greater chance of being used to send spam from the University. Because of this, we are asking all users of this service to reset their passwords in the chance that your account has been compromised. We are sending notices to all authenticated SMTP users to detail the steps that you should take to reset your password to protect yourself and the University.

The email you received is sent from the CITES Security (security@illinois.edu) and does not ask you to reply with your password.

No University employees will ever ask for your password. If you have replied to an email or phone call and provided your credentials, you were likely the victim of a phishing attack. For more information about this type of attack, please see https://security.illinois.edu/content/phishing.

Password changes for your University passwords should only be made using the CITES Password Manager page https://passwords.cites.uiuc.edu.

Why did I receive this message

You received this message because you use the CITES authenticated SMTP email service and there is a chance your University of Illinois email account is compromised. The email you received should look like the example below (in this case alerting Alma Mater about her account).

To reset your password use the CITES Password Manager page https://passwords.cites.uiuc.edu. If you use your University password for personal accounts, or have account information for personal accounts in your University account you should also take actions to reset these passwords. If you ever have questions about whether an email you receive is legitimate you can contact the CITES Help Desk.

Resetting Your Passwords

When resetting passwords here are some best practices to keep in mind:

Example message to Alma Mater

Subject: [Alert] - Password Reset Required
Sender: CITES Security (security@illinois.edu)

Hello Alma Mater,

In response to the recent phishing attacks against the University of Illinois, CITES is asking specific email users to reset their passwords by noon on Monday, April 8.

We have determined that accounts using the authenticated SMTP email service are specifically at risk of being used to generate attacks against the University if those account credentials have been stolen.

As a precaution, we are requiring everyone that currently uses the authenticated SMTP email service to use the CITES Password Manager to reset their University email password to a password that they have never used before.

We cannot confirm an actual compromise for your individual account. But for the security of our email system, you must reset your University email password using the CITES Password Manager. Keep in mind that you might use this password for other services in addition to email.

If you do not reset your password by Monday, April 8, you will not be able to use the authenticated SMTP email service, which may limit your ability to send and receive email.

When resetting your password, please make sure to use a password you have never used before, and to reset your password on a computer that is free of malware.

It is important to remember that you will never be asked for your University credentials by any University employee. If you have replied to an email or phone call and have provided your credentials, you were likely the victim of phishing. 

If you have any questions about your University of Illinois account or this email, please contact the CITES Help Desk (consult@illinois.edu or 217.244.7000). You may also call the CITES Help Desk to confirm the authenticity of other emails sent to you.

You can confirm the authenticity of this email by visiting the CITES Security site (security.illinois.edu) and clicking on the Security Announcements Archive box on the right side of the page. That archive will contain more information about this phishing attack, as well as a copy of this email.

Thank you,

[Security Officer]