Another university’s epic fail
By DRP; Cybersecurity Lab Engineer
There have been few attacks in the last five years that have been more successful overall and on average than the phishing campaigns that have run rampant through the global email systems. The users seem to want to click, click, click, and click again on the links and images. In the newer variants, the user is directed to a URL to enter into their web browser as an additional attack vector. This may be directly noted in the email, or a PDF that is partially obscured, with the URL to venture to in order to retrieve the document intended for the user.
The corporate environment can introduce and have training on what to be wary of in these emails, forward email alerts to current scams with or without examples, posters at the offices and cafeteria stating the obvious things to look for, and unfortunately there will be a subset of users that will click or click multiple times on a phishing email.
After this activity, the user may feel embarrassed or they will be ostracized and not immediately tell the InfoSec team, which only further exasperates the situation. The general format for these attacks has been general phishing or spear-phishing emails. There are subtle varieties of these, modifying the target or delivery, however, the intent and initial delivery methodology are mundane.
With the overall phishing campaigns, one firm has been exceptionally profitable for the phishers in the last three years. The emails do have to be customized, however, it merely takes on hapless finance or accounting staff member to ruin the week or quarter by relying on this. The amounts fraudulently obtained have ranged from tens of thousands of dollars to several million.
Here comes MacEwan University. On August 23rd of this year, the University detected the issue. The phishers sent a series of emails which convinced the staff to change the bank routing number from the one they had been using for one of their primary vendors. The phishers worked to take the identity of the University’s primary vendor through a series of emails.
The end, the detrimental result was $11.8 million in Canadian dollars of the University’s funds were transferred to a Canadian bank and subsequently to Hong Kong. This is not the smallest or largest sum fraudulently obtained via this form of attack, however, it is rather significant.
One action which could have been taken to derail this fraudulent activity would have been simple communication. After the demanding emails being received notifying the person to change the bank routing number were received, a simple phone call by the University staff member to the vendor would have ceased this.
Having a bank routing number change is not a normally occurring event. This generally is an anomaly, which may warrant a simple follow up act. Although the regular training, email alerts, and other cybersecurity activities do not guaranty this will be found, it certainly is helpful and diminishes the pool of potential people that may be successful with. As a lesson, training is beneficial, however, it is still the user that makes the choice to click. If the user has even a not significant level of concern, a simple phone call should be made.