Phishing shame

And what WUR is doing to reduce the risks

The number of phishing attacks around the world rose by 220 per cent during the pandemic

In October last year, WUR was the target of a major phishing attack. A student who became a victim of the attack tells us how she fell into the trap and an IT Service Desk worker explains what the university does to stop such incidents.

She could still die of embarrassment. The 24-year-old Food and Nutrition student Amy (not her real name) was the victim of a phishing attack on the university. Her mistake: she clicked a link in an email that she thought had come from a fellow student asking for help.

It looked like a serious email. She had to click the link, which took her to an environment that looked exactly like the WUR environment. Amy is someone who likes to help and this time too, she did what was asked of her almost without thinking. Until about a week later, when she got emails and text messages from various students and even a lecturer complaining about the weird email she had apparently sent them. She was not aware she had done anything wrong but it began to dawn on her that she had fallen into a phishing trap.

Illustration: Marc Kolder

The bugbear of every organisation

Phishing is the bugbear of every modern organisation. The method assumes there will always be that one employee who walks into the trap without thinking, with major consequences. The attackers who held Maastricht University’s computer system to ransom used phishing. Ultimately, 267 servers (including the backup server) and two workstations were compromised and encrypted. The university eventually had to pay almost 200,000 euros to be rid of the hacker.

In the Netherlands in the past year, online fraud caused millions of euros worth of damage, often by making use of a specific kind of phishing known as spoofing to obtain bank details. According to the Phishing and Fraud report published at the end of last year, the number of phishing attacks worldwide rose by as much as 220 per cent during the pandemic. The researchers at F5 Labs say fraudsters were able to exploit the fears of internet users by sending emails with subject lines such as ‘Covid-19 in your area?’ and ‘Message from the World Health Organization’.

In contrast to hacks involving sophisticated technology, in phishing fraudsters use a combination of technology and psychology. This is termed ‘social engineering’. A famous Cambridge study in 2013 lists the most commonly used persuasion techniques. The most popular ones are authority (appearing to be sending an email from an official institution such as the university) and urgency (in the past year that was often the pandemic).

Five tips for spotting phishing

1. The email doesn’t address you personally; the opening is generic.

2. Poor grammar and spelling errors can be a sign of phishing, but that doesn’t mean error-free emails are always safe!

3. Be on your guard with web links accompanied by urgent requests to log in or provide personal information, or else...!

4. The sender’s display name looks official but the actual email address does not match it.

5. You have to open a file or click on a link to understand what the email is actually about. Don’t do it!
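The five tips can be turned into a mechanical first pass over an incoming message. The Python script below is an added example written for this article, not code from WUR or its IT department: the two sample messages, the sender domains, the word lists and the 25-word cut-off for tip 5 are all constructed for illustration, and a real mail filter would use a proper spell checker and an organisation-wide list of trusted domains.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages for this example; the names, domains and
# links are invented and do not refer to any real address.
SUSPECT_MAIL = """\
From: "WUR IT Service Desk" <helpdesk@wur-login-support.example>
To: student@wur.nl
Subject: Urgent: shared document

Dear user,

Please log in immedately to view the document, otherwise your acount will be blocked!
Open: http://wur-login-support.example/onedrive
"""

BENIGN_MAIL = """\
From: "Course Coordinator" <coordinator@wur.nl>
To: student@wur.nl
Subject: Lecture slides week 3

Dear Amy,

The slides from Tuesday's lecture are on Brightspace as usual, together with
the reading list for next week. See you on Thursday.
"""

GENERIC_SALUTATIONS = ("dear user", "dear customer", "dear student", "dear sir", "hello,")
URGENCY_WORDS = ("urgent", "immediately", "blocked", "suspended", "within 24 hours", "or else")
# Tiny constructed misspelling list; a real filter would use a spell checker.
MISSPELLINGS = ("immedately", "acount", "recieve", "verfy")
OFFICIAL_WORDS = ("wur", "university", "service desk", "helpdesk", "it department")
TRUSTED_DOMAINS = ("wur.nl",)  # assumed: the organisation's own mail domain(s)


def phishing_indicators(raw_message: str) -> list:
    """Return the names of the tips (1-5) that a message trips."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    body = msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    findings = []

    # Tip 1: impersonal opening line
    first_line = next((ln.strip().lower() for ln in body.splitlines() if ln.strip()), "")
    if any(first_line.startswith(s) for s in GENERIC_SALUTATIONS):
        findings.append("tip1_generic_salutation")

    # Tip 2: spelling errors (their absence proves nothing)
    if any(w in text for w in MISSPELLINGS):
        findings.append("tip2_spelling_errors")

    # Tip 3: a link combined with pressure to act right now
    links = re.findall(r"https?://[^\s>\"']+", body)
    if links and any(w in text for w in URGENCY_WORDS):
        findings.append("tip3_urgent_link")

    # Tip 4: official-looking display name, but the real address lives elsewhere
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    looks_official = any(w in display_name.lower() for w in OFFICIAL_WORDS)
    if looks_official and domain not in TRUSTED_DOMAINS:
        findings.append("tip4_sender_mismatch")

    # Tip 5: the message itself says almost nothing; the content is behind the link
    words_without_links = re.sub(r"https?://\S+", "", body).split()
    if links and len(words_without_links) < 25:
        findings.append("tip5_content_behind_link")

    return findings


def is_suspicious(raw_message: str, threshold: int = 2) -> bool:
    """Crude verdict: two or more indicators is reason enough to use Report Phishing."""
    return len(phishing_indicators(raw_message)) >= threshold


if __name__ == "__main__":
    for label, mail in (("suspect", SUSPECT_MAIL), ("benign", BENIGN_MAIL)):
        print(label, phishing_indicators(mail), is_suspicious(mail))
```

Each tip is checked separately and the verdict is only taken from the combination, which mirrors the advice above: a single indicator (a generic salutation, say) is common in legitimate bulk mail, whereas an urgent link from a mismatched sender with nothing else in the body rarely is.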

The main fear for knowledge institutions such as universities is that data is stolen or hijacked until a ransom is paid, as at Maastricht. Wageningen too is regularly the target of phishing attempts, as we wrote in a previous issue. Most of the millions of attempts are intercepted by the IT department’s advanced virus detection system and spam filters, but the occasional phishing email does get through.

Ransoming data

The attack that affected Amy and 1700 other students started on Thursday 22 October 2020. If a recipient clicked on a link that appeared to lead to a PDF file, their account was hacked and the same email was then sent from it to around 1000 people. “A lot of people trusted the email because it came from a real WUR address, albeit one that had been hacked,” explains Martijn Sueters of the IT Service Desk. “The hackers had replicated the WUR environment perfectly so it looked as if you were logging into the university’s OneDrive. We think their aim was to get hold of as much login data as possible.” Once the IT department was notified, the problem was not dealt with as smoothly as it could have been. Sueters: “Unfortunately, it wasn’t until Monday that the email was recalled and a warning message was issued via the intranet and the student portal. This delay led to three additional account hacks, which luckily was the end of it, thanks to an adequate response from the IT department.” For future reference, Sueters advises using the ‘Report Phishing’ button in Outlook: that way Outlook will detect and remove such phishing emails automatically.


Two-factor authentication

For some time now, the IT department has been working on the measure it sees as the best way to prevent phishing and other forms of online fraud: two-factor authentication. After you log in with your password, the system sends a unique code to your smartphone that you then have to enter as confirmation. Sueters: “However secure this may be, the implementation still met with some resistance within the organisation. It can be a hassle for people who log in on behalf of someone else — take secretaries, for example.”
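Seen from the server, the code step described above is a small state machine: issue a code, accept it exactly once within a short window, and refuse replays and guessing. The Python class below is an added illustration for this article and not WUR’s implementation; the six-digit codes, the 300-second lifetime and the five-attempt limit are assumed values, and the injectable clock exists only so the expiry behaviour can be exercised without waiting.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed lifetime of a code
MAX_ATTEMPTS = 5         # assumed number of wrong guesses before a fresh code is required


class OneTimeCodeStore:
    """Issues and verifies one-time confirmation codes for a second login step.

    Assumed design for illustration: one pending code per user, single use,
    time-limited, with a cap on wrong guesses.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # user -> [code, issued_at, wrong_attempts]

    def issue(self, user: str) -> str:
        # secrets, not random: the code must be unpredictable.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = [code, self._clock(), 0]
        # In a real system the code is delivered to the user's phone,
        # never returned to the browser session that is being confirmed.
        return code

    def verify(self, user: str, submitted: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False                      # nothing issued, or already used
        code, issued_at, wrong_attempts = entry
        if self._clock() - issued_at > CODE_TTL_SECONDS:
            del self._pending[user]           # stale code: force a new one
            return False
        if wrong_attempts >= MAX_ATTEMPTS:
            del self._pending[user]           # too many guesses: force a new one
            return False
        # Constant-time comparison so timing does not leak which digits matched.
        ok = hmac.compare_digest(code.encode(), submitted.encode())
        if ok:
            del self._pending[user]           # single use: a replayed code is refused
        else:
            entry[2] += 1
        return ok


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("amy")
    print("first use:", store.verify("amy", code))    # True
    print("replay:   ", store.verify("amy", code))    # False
```

The three refusals in verify (expired, over the attempt cap, already used) are what make a short numeric code acceptable at all: six digits are trivially guessable without a lifetime and an attempt limit, and a code that can be entered twice is no longer a one-time code.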

Sueters has doubts whether this system will put an end to phishing for good. “If the simple method for finding out someone’s password no longer works, they will try more complex methods such as installing malware on the device via an attachment.”

Awful feeling

Student Amy was left with an awful feeling about the attack. “Mainly because I’m quite a shy person and I would never send an email just like that to large numbers of people, certainly not to lecturers, so I felt uncomfortably in the spotlight.”

She had no real complaints about the help she got from the IT Service Desk. “My email account was blocked for a couple of hours. After that, I changed my password and I was able to use everything again. I am more careful now about clicking links in emails.” Although she didn’t want to be in this article under her real name because she is so ashamed, Amy does feel it is important to tell her story. “Actually, I thought the university should have warned us about the risk of such attacks more often. So now that there was an attack, of course I have to tell everyone what happened to me.”