Seven in ten UK unis admit being duped by phishing attacks

Seven in ten UK universities have admitted falling victim to a phishing attack in which an individual has been tricked into disclosing personal details via an email purporting to be from a trusted source. The figure comes from a Freedom of Information (FoI) request by Duo Security to 70 universities across the UK, of which 51 …

  1. Anonymous Coward

    Given the wealth...

    ...of info you can dredge up about Unis on Shodan, I'm not surprised a convincing phishing attack can be pulled off.

    Uni security is pretty up there on the security shit list.

    1. Anonymous Coward

      Re: Given the wealth...

      That's deliberate. Unis are porous organisations by design. At one level they are just a great big huge cafe and hotel with meeting rooms which the public flow in and out of, both physically and electronically. A bit like libraries.

  2. Anonymous Coward

    Phishing smishing

    You won't dupe a uni employee with the promise of a pay rise by email. We all know that there is no such thing as a pay rise unless you are a Vice Chancellor.

    1. Anonymous Coward

      Re: Phishing smishing

      My uni has had a number of people fall for phishing attacks over the last few years, but it's true that no-one fell for the recent spate of pay rise ones!

      (AC for obvious reasons.)

      1. Anonymous Coward

        Re: Phishing smishing

        Certainly my experience in University IT was that the academic staff were the worst for falling for phishing attacks - we had at least one a day merrily hand over a password to someone.

  3. Palpy

    Roight,then --

    -- this seems to be par strokes for the course. Quoting the Duo.com article: "The most recent data from our free phishing simulation tool, Duo Insight, shows that on average, 13% of users will fall victim to phishing attacks, with 61% of the campaigns resulting in at least one user attempting to submit credentials to our fake phishing page."

    Generally: if your org has computer users, it's vulnerable to phishing. The fact that your org is a uni is irrelevant. Might as well be a Japanese distributor of frozen squid, or a Rio Tinto office in Borneo; chances are better than even that someone in a large organization will click that link.

    1. TRT

      Re: Roight,then --

      Agreed. This is a thinly veiled sales pitch. And an FOI request? I very much doubt it. FOI can only generate the release of data already held; this is a survey.

      As for phishing attacks in the last year... I can recall at least three every week, and those are the ones that got through the mail filters at (1) the service provider, (2) the institution's custom filters, (3) the default filters on the client machines and (4) the custom filters on the client machine.

      As for successful phishing attacks, well, I've got a user base of around 250 people and I've only known two people who have succumbed to acting on a phishing mail in the last 12 years, and one of those was a click in error. Only one user ever admitted to entering their details on a website that was suspicious, and we changed the credentials immediately.

      I call BS fear-mongering scare-tactic sales techniques on this. They've probably identified universities as having a diverse user base with a wide range of technical skills and identified them as somewhere to sell things... which is exactly what a phisher would do.

      1. tedleaf

        Re: Roight,then --

        One that admitted to it..

        I know of one office full of highly skilled, highly paid IT specialists, and even though I worked on a different part of the site, these supposedly highly intelligent, specialist folk seemed to be easily fooled, going by the amount of time and effort others used to have to put in to keep the systems secure from phishing attacks. They seemed very susceptible to falling for ones supposedly using their own secure internal email system, but as I pointed out to the fire crew, you could have a crook on the books, or your system is not as secure as you think...

  4. Anonymous Coward

    Duo.com's likely email

    Here is what I suspect Duo's email was. No surprise that they got the answer they got. I've removed all individual identifiers that I could find. These FOIs we are required to respond to by law. So you can see how information gets out.

    From: request-377112-509ab04f@whatdotheyknow.com

    Sent: 14 December 2016 14:57

    To: FOI

    Subject: Freedom of Information request - Phishing attacks

    Dear University,

    1. What is your policy for using personally owned devices accessing IT applications?

    • We allow access to both student and staff with personal and corporate devices

    • We allow access to staff with personal and corporate devices

    • We only allow access to corporate devices

    2. Do you have visibility into devices that are used to access University applications?

    • Yes

    • No

    3. Do you use multi-factor authentication (such as a hardware token, software code generated by a mobile phone app, or an SMS code) to access IT applications? Please select one answer only.

    • Yes, we use multi-factor authentication for all access by students, faculty and staff onto the devices, apps, intranet or IT network

    • Yes, we only use it for access to all sensitive data such as financial payments, grades and personally identifiable data (PII) data held on the network

    • No, we just use single factor authentication today

    • We just use single factor authentication today but we are planning on implementing multi-factor authentication in the next 12 months.

    4. What security risks in personal devices are you most worried about when accessing University applications?

    • Out of date software. Ex: Operating systems, browsers

    • Physical security of devices. Ex: passcode lock

    • Jailbroken / Rooted devices

    • Others (Please specify)

    5. What is your policy regarding patching and updating digital devices, operating systems and apps which access your corporate network? Please select one answer only.

    • We implement all patches/upgrades within 48 hours from notification

    • We implement all patches/upgrades within 7 days of notification

    • We implement all patches/upgrades within 30 days of notification

    • It is impossible for us to maintain all devices, operating systems and apps at the latest version and patches/upgrades typically take longer than 30 days to implement.

    • We outsource the patching and upgrade of all our devices and systems to a third party

    6. Has your university ever been the victim of a phishing attack (where an individual is duped into disclosing their login, password or credit card details via an email purporting to be from a trusted source)? Please select one answer

    • Yes

    • No

    • Don’t know

    6a. If yes, how often have you experienced a phishing attack in the last 12 months? Please select one answer.

    • 0-5 times

    • 6-10 times

    • 11-50 times

    • 51+ times

    • Don’t know

    6b. If yes, which is the most common target of the phishing campaigns? (please select one)

    • Students

    • Lecturers/faculty staff

    • Employees

    • Other (please specify)

    6c. What type of data was being targeted? (select all that apply)

    • Student personally identifiable information (PII) e.g. date of birth. National Insurance Nos.

    • Employee PII

    • Financial/payroll data

    • Research/patents

    • Other (please specify)

    6d. Did you identify the attackers and, if so, are they? (select all that apply).

    • Organised cyber-criminals

    • Opportunistic hackers (non-organised)

    • Political hacktivists

    • Disgruntled employees/former employees

    • Disgruntled students/former students

    • State sponsored hackers

    • Other (please specify)

  5. Doctor Syntax

    "Seven universities, including those with GCHQ-certified degree courses"

    Why should having a GCHQ-certified degree course make a difference? It will only involve a tiny percentage of people in the entire university.

    It must be a slow news day if undigested PR bumf like this is making its way into el Reg.

  6. Anonymous Coward

    Take any population of > 10K users

    I read that as 30% of Universities don't know what phishing means. Or perhaps they lie in response to FOI requests.

    If you take any large organisation that has access to email you're eventually going to get *someone* fall victim to a phishing attack. The interesting bit is how the organisation responds to it.

    1. Baldrickk

      Re: Take any population of > 10K users

      I'd be interested in seeing which side of the line different universities fall...

  7. Palpy

    Oh, and just an example --

    -- this is a good one.

    --------------------------------------------------

    CaseID: 84332174

    The security and protection of your account is one of our highest priorities. We apologize for any inconvenience that precautionary measures we have taken may have caused you.

    Your online account was frozen because you violated the security rules. You need to follow the security link to confirm your identity in order to reactivate it.

    <<Security Center>>

    Thank you for banking with us. We appreciate the opportunity to serve you.

    Bank of America <Dickson.Kevin@BANKAMERICA.COM>

    --------------------------------------------------

    Of course the "Security Center" link is not to bankamerica.com. But the spelling and grammar are correct, the email link looks legit, etc. This particular email landed in an alias email box unconnected to my real name or any real online banking account. But at first glance it's quite a good phishing hook.

    1. WolfFan

      Re: Oh, and just an example --

      I have, in the past, received many missives about my account at BoA. None of them were as well-written as your example, but all have suffered from one fatal flaw: I don't have an account at BoA.

      I have also received missives about my Paypal, EBay, and Facebook accounts, some of them very well written indeed. Once again, the fatal flaw which identifies them as phishing attempts is that I don't have accounts at those places, either.

      I have received missives allegedly from banks, etc., where I do have accounts. Legit ones include my account number (NOT the same as the credit card number, if applicable) or at least the last four digits of the account number, and are addressed to me by name, not 'Dear Customer' or similar. Yes, having the account number (or last four) flying around the Internet could be a security problem, but if it's not there, that immediately IDs the post as a highly probable phish. In any case, I NEVER click on anything in the post (and legit posts tend to not have anything to click on, anyway) but instead go to the appropriate site directly, by the bookmark in the browser I use for that site. (I use, depending on OS and site, Safari, Opera, or Palemoon. Chrome is avoided as I don't know what it sends to Google and Edge/MSIE is avoided because Microsoft.) As I normally use Firefox for browsing, should I click on something in error it will go out using the wrong browser.

      Doing it this way generates more work for me, and isn't 100% secure. It does make it less likely that I'll be phished.

      Some sites require that I enter a six-digit PIN to access the account, or at least have that setting as an option which I have set up. I have, for example, recently received multiple emails allegedly from Apple yapping about how my 'iTunes account' or my 'AppleID' has been 'frozen' or 'suspended', usually for 'security reasons'. I have 2FA set up on my Apple account. The phishers don't seem to know that 2FA exists. It's particularly amusing to receive a notification that my 'iTunes account' has been 'suspended' while listening to music courtesy of iTunes Match.
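
      Palpy's sample lure and WolfFan's checklist (does the link go where the sender claims, is the recipient addressed by name, are the last four digits of the account quoted) both lend themselves to a mechanical triage check. The following is an added example and is not code from the original thread, from The Register or from Duo. The headers and the href in the two sample messages are constructed assumptions: the quoted lure shows only the sender address and a "<<Security Center>>" placeholder for the link, and the legitimate counter-example is invented to carry the traits WolfFan describes.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the Bank of America lure quoted above.
# The To header and the href are assumptions: the comment shows only the
# sender address and a "<<Security Center>>" placeholder for the link.
PHISH_MAIL = """\
From: Bank of America <Dickson.Kevin@BANKAMERICA.COM>
To: alias@example.net
Subject: CaseID: 84332174
Content-Type: text/html; charset="utf-8"

<html><body>
<p>The security and protection of your account is one of our highest priorities.</p>
<p>Your online account was frozen because you violated the security rules.
You need to follow the security link to confirm your identity in order to reactivate it.</p>
<p><a href="http://bankamerica.com.secure-login.example/verify">Security Center</a></p>
<p>Thank you for banking with us.</p>
</body></html>
"""

# Constructed counter-example with the traits WolfFan lists for a legitimate
# notice: addressed by name, quotes the last four digits, nothing to click.
LEGIT_MAIL = """\
From: Alerts <alerts@bankamerica.com>
To: jane.doe@example.net
Subject: Statement available
Content-Type: text/plain; charset="utf-8"

Dear Jane Doe,

Your statement for the account ending 1234 is ready. Sign in at the
address you normally use; we have not included a link in this message.
"""

URGENCY_PHRASES = ("frozen", "suspended", "violated", "confirm your identity", "reactivate")
GENERIC_SALUTATIONS = ("customer", "user", "member", "valued", "sir", "madam")


class _BodyCollector(HTMLParser):
    """Collects the visible text plus (href, anchor text) pairs from a body."""

    def __init__(self):
        super().__init__()
        self.text = ""
        self.links = []
        self._link = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._link = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        self.text += data
        if self._link is not None:
            self._link[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._link is not None:
            self.links.append(tuple(self._link))
            self._link = None


def registrable_domain(host: str) -> str:
    """Last two DNS labels. Crude: no public-suffix list, so 'x.co.uk' hosts collapse to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse(raw_mail: str) -> dict:
    """Apply the three checks from the thread to one RFC 822 message and report findings."""
    msg = message_from_string(raw_mail, policy=policy.default)
    _, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = registrable_domain(sender.rpartition("@")[2])
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = _BodyCollector()
    collector.feed(body.get_content() if body is not None else "")
    text, lower = collector.text, collector.text.lower()
    findings = []

    # 1. Every link must land on the sender's own registrable domain.
    for href, label in collector.links:
        host = urlsplit(href).hostname or ""
        if registrable_domain(host) != sender_domain:
            findings.append(f"link {label.strip()!r} points at {host}, not {sender_domain}")

    # 2. Legitimate notices name the recipient; "Dear Customer" or no salutation is a tell.
    salutation = re.search(r"\bdear\s+([^\n,]{1,40})", text, re.I)
    if salutation is None or salutation.group(1).strip().lower().startswith(GENERIC_SALUTATIONS):
        findings.append("no personal salutation")

    # 3. Legitimate notices quote the last four digits of the account they concern.
    if re.search(r"(?:ending(?: in)?|last four(?: digits)?|\*{2,}|x{2,})\s*:?\s*\d{4}\b", text, re.I) is None:
        findings.append("no account reference (last four digits)")

    urgency = [p for p in URGENCY_PHRASES if p in lower]
    suspicious = any("points at" in f for f in findings) or ("no personal salutation" in findings and bool(urgency))
    return {"sender_domain": sender_domain, "findings": findings, "urgency": urgency, "suspicious": suspicious}


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_MAIL), ("legit", LEGIT_MAIL)):
        print(name, analyse(raw))
```

      Two caveats a practitioner would add. The link check compares against the domain in the From header, which the attacker also controls; it catches the common case where a real bank address is spoofed and the link goes elsewhere, but a sender who uses their own lookalike domain throughout passes it, so SPF/DKIM/DMARC verification of the From domain belongs in front of this. The registrable-domain helper is deliberately crude (last two labels, no public-suffix list) and the salutation and last-four heuristics are exactly that; treat the output as a triage hint, not a verdict.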

  8. Anonymous Coward

    Levels of Victim

    There's also quite a continuum between "individual user clicked on dodgy link / handed over login details" to "all the organisation's data is deleted / corrupt / compromised / stolen / being ransomed back to us".

    A typical university has 1000s of staff and 10,000s of students, all with varying degrees of technical incompetence and/or malicious intent towards the university. The university plans for trouble. So, while it's surprising at my university when a phishing attack *doesn't* net a user, it also doesn't really matter much, as the university systems are actually quite robust to such security failures.

    1. Anonymous Coward

      Re: university systems are actually quite robust to such security failures.

      Obviously not at KCL, then.
