“Lewis & Clark didn’t get hacked. Individuals did,” Adam Buchwald said, Chief Information Officer of LC’s IT Department, on the subject of the recent phishing attempts. As of the time of publishing, there have been two major campus-wide phishing attempts during spring semester 2017: the first after the announcement of David Ellis as Interim President on Jan. 19 and the second on Feb. 15, shortly after the campus-wide password reset.
“Here’s what really made the hair on my arms stand up: within hours of the announcement of the announcement of our interim president, that phish was delivered to over 3500 recipients here,” Jessica Odom, Information Security Officer of IT, said on the subject of the original phishing attempt.
Phishing attempts, where cyber criminals seek to steal information from individuals through email scams and other methods, are nothing new for most large organizations. However, for educational institutions like LC, these attempts are both novel and precisely targeted.
Unlike the stereotypical Nigerian Prince scam or other obvious phishing attempts, the latest ones have incorporated information about the LC institution itself in order to be more convincing to potential victims. For example, the Feb. 15 attempt included a malicious link to a fake Webadvisor site, meant to trick victims into mistakenly inputting their login credentials, giving phishers access to their accounts.
“Higher education is now a target, and we weren’t necessarily a target before. What we’re really known for is we’re open. That’s sort of our nature; we want to be open and public,” Buchwald said. “We’re always in this tension of how can we allow academic freedom and not lock things down. That allows a few more gaps that they’re starting to learn to take advantage of.”
IT has engaged with local authorities, the FBI and even the IRS and have found that LC is not alone in being targeted. But, why now, of all times? Because it is tax season. The goal for phishers is to steal contact information, social security numbers and the like in order to pose as someone else, file their taxes for them and steal their tax return.
“This is very targeted at W-2 information. These phishing attempts are seasonal and we are in the height of tax season,” Buchwald explained. “What they try to do is get enough W-2 information to go file taxes on your behalf and get your return. It’s a clever little game they’ve had.”
IT has identified and is currently tracking two IP addresses that have been linked to the phishers.
“We know where they’re connecting from. There’s two IP addresses that we were following for quite some time and they did not change,” Buchwald said. “That tells me they are not a very sophisticated hacker. Which means we’re lower hanging fruit. It doesn’t take the super secret phishing knowledge of how to set up the technology. It’s actually just tricking someone. It’s social engineering. The lowest form and the easiest to pull off.”
Lower hanging fruit or not, IT has a set procedure for handling phishing attempts directed at LC.
“When we see a phishing attack that is targeted at the school, the first step we take is to send out a mass email warning students of the attempt. Once this is done, we will start to figure out the origin of the attempt and possibly the motive behind it. If we have sufficient proof that the site is solely being used to phish we can submit a request for the domain to be taken down,” Pim Trouerbach ’18 said, a computer science major working under Odom.
However, the frequency of normal phishing attacks doesn’t always merit this response. Indeed, as Buchwald noted, “We have phishing attempts go on all the time. … [O]ver the last two months, we’ve had about a dozen of them. You didn’t know about them, because they weren’t everyone, they were pockets and we always alert the people who got that phishing email.”
The term for these more successful and targeted attempts is “spearphishing,” where criminals utilize precise attacks in lieu of mass email scams in order to steal user information.
There are several ways this is done. First, phishers may send out one or two targeted emails in order to, “get one person to bite and then they compromise that account… Then they start the big phishing campaign where they send out thousands of emails to people from within,” Buchwald said.
Another method is “spoofing,” where criminals compromise an unrelated account and make it look like an LC account in order to start their phishing campaign. Alternatively, they may also completely copy the look and feel of one of our trusted sites, such as what happened with the fake Webadvisor email on Feb. 15.
“This message [that was sent] was very short and had a link to a malicious site that looked identical to Webadvisor,” Odom said. “All of the graphics, all of the links even to take you back to the main page and everything [was] completely accurate. If you weren’t paying attention, you would innocently just go there…you could easily be fooled into just logging in. Which of course naturally, they’re taking your username and password at that time.”
Regardless of the method, there are ways for users to protect themselves. Regular changing of passwords is necessary, but other methods, like two-factor authentication, are usually effective. Two-factor authentication requires a user to not only enter in their password when logging in, but also to add in another, separate factor, such as a code sent to a phone via SMS or through the insertion of a USB key. Although two-factor authentication can be set up easily on one’s own, it can be difficult organization-wide.
As Buchwald noted, “It comes down to a cost issue. Information security is always expensive, always takes a lot of work, but has great payoffs.”
However, even two-factor authentication via SMS is not always sufficient.
“The SMS technology is not actually as secure as we think it is. I can spoof your number and receive your second factor,” Odom said.
In the end, it comes down to the individual, as well as security education. Even with education and vigilance though, phishing can still be difficult to combat.
“We have to train individuals how to not get tricked. Here’s the hard part: the success of phishing rates across the country is about 40 percent,” Buchwald said. “You can drop that around 12 percent with large education campaigns where you spend a lot of effort. But no one’s gotten it down to zero. There is always someone who just says, ‘I’m gonna click on this. It’s a button and I want to hit a button.”
Trouerbach echoed Buchwald. “Phishing has always been a huge issue in the security community because it relies on the one aspect that cannot be patched or fixed: human beings.”
For those interested in learning more about internet security and how to better protect themselves, check out IT’s webpage on info security.