Source: University of Otago
With a global cybersecurity threat map (left) and cyberattack map are (from left front) University of Otago IT Assurance and Cyber Security Senior Manager Richard Feist and Cybersecurity Specialists Mark Bedford and Frank Wu.
One click on a really bad attachment can lock you out of your email account for days – and take our cyber security staff about a week of full-time work to dig the virus out our systems.
Every day as half-a-million emails flood into our University, only about 180,000 of them are actually delivered to staff and students’ email boxes, IT Assurance and Cyber Security Senior Manager Richard Feist says.
The rest are stopped because they are from phishers trying to hook staff and students, usually by getting them to click an attachment or link, with the aim of stealing usernames, passwords, to thieve information, commit fraud or hold our systems to ransom.
Waves of wrong
Waves of ‘clicks-gone-wrong’ roll into our cyber security team, as staff and students fall for criminals’ email phishing campaigns – “like marketing campaigns, they do phishing campaigns”, Richard says.
Cyber Security Specialist Mark Bedford says the campaigns usually last several days. Phishers are constantly casting about for more sophisticated ways to manipulate people because IT systems are now so robust, people are the weakest link.
Trying to net more phishing emails before they hit inboxes is fraught at a university with activities covering such a vast spectrum – for example, while a commercial company can block pornographic and Viagra emails, our staff can be researching those things, Mark says.
So, all staff and students need to play their part by being cybersmart, to protect themselves and our University.
When clicks go bad
Cyber Security Specialist Frank Wu finds problems typically involve people clicking on attachments or links in emails – “most people aren’t going to give passwords if they’re asked”.
Sometimes he cleans up after multiple ‘bad clicks’ in a single day, but on average, he deals with one about every second day. Resolving each issue can take anything from minutes to weeks.
Mark says most people are hooked on their phones – rather than at their desk – when they are distracted by trying to do several things at once.
“They’re either in a meeting, or rushing to get out of the office, or at the airport getting a boarding call. And the email will provide some element of compulsion – ‘you will lose access to your email’, ‘click here to win’, an IRD refund ….”
Clicking consequences
The consequences of being reeled in can range from a few minutes’ inconvenience for staff and students in New Zealand, to having their email account locked for days if overseas.
The cyber security team needs to lock accounts and contact the owners, then work through a process – the account is reactivated when their security, along with our University’s, is guaranteed, Mark says.
Sometimes people are reluctant to admit exactly how deeply they were lured in or get angry about their account being locked, but accounts can be reactivated relatively quickly compared to locating and deactivating some malware – viruses, spyware, worms, ransomware etc – that can be included.
On the hunt
Mark spent a week searching for malware he needed to destroy after anti-virus software sparked an alarm.
The malware got in when a student used a University computer to access a non-University account used as a club’s treasurer – examining the machine took three days, then finding the malware took a week and every time Word started, the malware planted more malware programmed to lie dormant for two weeks’ before getting into action.
The student who had clicked on the invoice containing the malware just thought someone had sent it by mistake – nothing looked suspicious, which is usually the case these days, and the malware starts work out of usual office hours.
If IT administrators have been fixing a machine remotely recently, malware can even harvest their details and get the same privileged access to sensitive systems.
Phishers buy information mined from web sites, social media, and online professional networks – or phishers gather it themselves – to target people with emails from organisations and people they will recognise, Mark says.
Hooking the $$$$
Frank dealt with the results of phishers impersonating senior University staff asking their staff to buy i-tunes cards, scratch the backs, take photos, and email them back – so the phishers could use the codes to buy anything they wanted.
He says anyone asked urgently by email to do a financial transaction should go and see the person requesting it, or phone the number listed on our University web site – not the number in the email.
A request for a $1000 transaction should be treated with the same caution as a request for $15,000, he believes.
Never-ending phishing
Mark says most phishers are casting around from outside New Zealand, usually from Nigeria, Russia, or China: “It’s truly a global marketplace and it’s easy to do”.
Literally as he was speaking, a new phish arrived on campus, telling people if they did not follow a link to an email quarantine, all their emails inside it would be deleted.
For the cyber security team, it is “the same office, same work, different job every day”, Mark says.
Don’t feed the phish – check for anything phishy:
Do it now = raise an eyebrow
Phishers often pretend to be senior staff wanting urgent action
If you didn’t expect it, reject it – don’t click unexpected links. Watch for attachments too interesting to be true/totally unexpected/not relevant to your role
Check for trash before the backslash. Always check the URL: Good: https//otago.ac.nz/about/welcome Bad: http//otago.webs.com/about/welcome
Hover to discover. Hovering your mouse over the email address and links shows you the real email address and destination (on a computer screen rather than a phone or tablet)
Password in email = epic fail.
Never reply to an email requesting your password
Spelling and grammar are telling.
Phishers are often bad at them both, and formatting
No name = not the same. Phishers often use generic greetings (dear customer etc), not your name
Be sure of the signature. Look for a full signature – attackers usually sign-off with a generic signature e.g., Customer Care.
Not sure if it’s a phish – drop us a line
Contact AskOtago for help:
Phone: Freephone 0800 80 80 98 (within New Zealand)
Freephone 1800 46 82 46 (Australia)
+64 3 479 7000 (International)
Enquiry form https://otago.custhelp.com/app/ask
Email university@otago.ac.nz
Online chat: http://otago.custhelp.com/app/chat/chat_launch
