By Sonja Filiposka and Anastas Mishev, respectively head and former head of FINKI CIRT
Nowadays phishing attacks are one of the most notorious and dangerous threats to any organisation. It is estimated that the financial impact of phishing attacks could reach up to 5 billion dollars per year. Due to their wide-spread nature and impact, awareness raising for such malicious activities is one of the major cyber security measures.
Human nature is what makes such attacks possible. Based on the social engineering phenomenon, malicious users play with human trust, organisational hierarchy and empathy to lure unaware internet users to give their personal data, their money or any type of private information. The vast e-presence of users, especially on social networks, with very low awareness for such dangers, makes the target pool enormous. Additionally, technical requirements to perform phishing attacks are quite simple, making it easy even for low-tech cyber criminals.
The Faculty of Computer Science and Engineering at UKIM recently performed a phishing exercise: the reasons were manifold. Testing students’ awareness of this dangerous threat was of course the primary motive, together with the need to test institutional readiness, awareness and response. The lessons learned were useful both for students and for the faculty itself. The initiative started as a student project in a network security course; it was communicated to the faculty’s computing center, but with the request not to react to events unless specifically contacted by students.
The tech requirements were quite simple and actually quite trivial for a computer science or engineering students in their final year. Python was used to write a single sign-on page (SSO) mimicking the original faculty’s SSO page. Also, some Python scripts were used to crawl the social networks to acquire the targets’ contact details. Free hosting was used, along with free DNS server and free domain (within the .ml domain, quite similar to the .mk domain used in N. Macedonia).
The SSO page was created including all necessary CSS as well as a validation JavaScript code. All usernames, as well as hash codes of the entered passwords were logged in a database.
When the application was deployed it was strengthened and precautionary measured were taken to avoid being hacked and the discloser of users in the database. This proved to be necessary, since some of the retaliation steps included exploits such as SQL injection.
The main feature that enabled the direct contact with students was the format of the official students’ email addresses. Namely, the faculty uses the format name.surname.X@faculty.domain.mk for the students emails, where X is optional and it is used only if there are multiple students with same name and surname. To make the attack more realistic, no inside info was used, i.e. all the students names were collected from public posts and/or social network groups.
Figure 1. Original vs Fake SSO
The attack started by sending emails to previously collected student names. The email was sent from a fake gmail account, with the official contact email in the From: field. A total of 1009 emails out of the 2160 harvested email accounts. The content was simple: the offer of last minute positions for students exchange in EU and USA. To apply, students just needed to click on the link in the email that led to the fake SSO page. The emails were sent in small batches to avoid blacklisting.
The first login attempt to the fake SSO page was within a minute of the first batch of emails sent. A total of 224 login attempts were made. Since password were not stored, the total number of valid logins could not be fully accessed, but we suspect that most of them were carried out using valid credentials.
Although the students did not have any single point to report such an incident, their response was noticeable. Interestingly, the same social networks that were used to harvest their names, were used to share the experience and raise awareness. The first post mentioning the suspected phishing attacks occurred only a couple of hours from the start of the attack. Interestingly, the students organised themselves and started to retaliate. Many attempts of SQL injections and other attacks were logged. Also, they started to contact the faculty administration and staff and reported to the hosting provider, which resulted in the application being blocked 27 hours after the start of the attack. Later, for the purpose of awareness raising and dissemination, the page was unblocked with a big red banner (see figure 1), informing about the exercise.
All the students who had tried to log in were advised to change their password as soon as possible, and to become more vigilant in the future. A public announcement was posted on the faculty website explaining the dangers of phishing attacks and best practices for protection and prevention.
Lessons were learned at institutional level too. Steps were taken to ensure that student names were not published online, awareness lectures were organised and, most importantly, a CIRT was established to prevent and mitigate future real phishing attacks.
See also: The first steps for the North Macedonian CIRT: Interview with Prof. Sonja Filiposka
About the authors:
Anastas Mishev, Professor at Faculty of Computer Science and Engineering, Ss. Cyril and Methodius University in Skopje, North Macedonia. Former head of FINKI CIRT.
Read more on the GÉANT Cyber Security Month 2020: https://connect.geant.org/csm2020
