ILLiad ALERT: Reports of unauthorized Interlibrary Loan article & book chapter requests
Atlas Systems has received reports from several institutions over the past few days regarding ILL requests submitted from legitimate patron accounts that are not legitimate requests. In our investigation so far we’ve found the following:
- Requests are typically submitted for users who have not used the system recently. Often the targeted accounts have not been used in years.
- Several requests are submitted for the same user about the same time.
- The requests are often for the same titles in multi volume sets.
- Requests are often for Book Chapters with notes asking for “color copies (color illustrations)”
In reviewing ILLiad DLL logs and transactions we can see that someone appears to have scripted login attempts that submit batches of what seem to be older usernames and passwords against ILLiad login pages to see what is successful. In many cases the usernames return the error “Username not found in database” so it looks like this person acquired old sets of credentials somewhere and is just trying them out to see what works. We have seen no evidence of any ILLiad data breach, these attempts suggest that the hacker has obtained files of accounts and passwords, likely older sets since most of the attempts fail with usernames not actually in the database.
We have recent reports of this activity from locally hosted, Atlas Systems hosted, and OCLC hosted users. This is reminiscent of similar incidents we reported on about a year ago.
What you can do now:
- Update to ILLiad 9.0.X to take advantage of the new password features including complexity, forced reset, and expiry to deter this activity in the future.
- Watch for unusual request activity such as a new batch of requests from an inactive user.
- For ILLiad 8.7.X users, change your SLUsernameNotInDatabase and SLPasswordIncorrect Status line error messages in Customization Manager to be less specific like “Invalid Credentials.” This is already taken care of with version 9 and the new status line SLLoginFailed.
- Contact Atlas Systems to block patron accounts with no new requests in over a year (or other time period of your choosing). Blocking will require staff intervention to unblock. This work requires a database backup and a SQL query to be run by support staff or your SQL server administrator.
- Atlas Systems as well as OCLC have firewalls in place protecting hosted servers. Atlas Systems has blocked several suspect IPs already and we are looking into additional monitoring.
- If you are self-hosted, alert your IT staff to monitor your network and firewalls for unusual activity targeting your ILLiad server.
Some things we are looking into to help you combat this in a future release:
- An enhancement to import the IP address of the requester into the transaction record so we can flag suspicious requests from the same IP.
- Flag requests from inactive accounts.
- Two-factor authentication options
Atlas Systems staff members are available to assist you with investigating these incidents and we would like to hear from you if you discover this activity on your system so we can continue to build and share information about protecting against and preventing unauthorized ILL activity.
Comments
Here is a quick update on this topic. We recently heard from a couple of other ILLiad users that bounced emails are often an indicator that an account has been targeted for this activity. The hacker will get into the account and change the email address so notification bounces and the legitimate owner of the account does not have the chance to notify ILL staff that they did not make the request.
A Justice Department press release from last year describes very similar activities.
On Thursday, April 25th Genie Powell will review what we've learned and discuss new security features of ILLiad 9.0.x and other ways you can make ILLiad as secure as possible to prevent unauthorized use. Register for ILLiad in Focus at https://register.gotowebinar.com/register/7917854109377948940
https://training.atlas-sys.com/Course/ShowEmbeddedVideo?videoid=15803 Recent Atlas webinar with security information at timestamp 27:40 reviewing the community article above and version 9 update security enhancements.
Please sign in to leave a comment.