illustration of a burglar with a fishing rod stealing someone's computer screen

Gone Phishing: How to Avoid Getting Hooked

As regular posters on Schmidtposting will know, the university has been targeted by online cyber criminals in recent months. They have been trying to lure us, students and staff of this university, into divulging the login credentials that we use to access ISIS, Wattle and Outlook. A small group of students, including a recent graduate, and a researcher at the ANU Cybercrime Observatory, has been investigating these attacks. We have chosen to publish this information in the hope that by raising awareness of these phishing attacks, we can decrease the likelihood that you will fall victim to them.

What’s going on?

Email scams have been a part of life for decades. Spam emails, promises of wealth and fortune, winnings from lotteries that you never participated in, and phoney job advertisements are as ubiquitous as Facebook and Twitter. The vast majority of these emails are sent out en masse, to millions or billions of email addresses at a time. The spammers do not need many victims to turn over a profit; a response rate as low as one in twenty thousand is more than enough.

What we’ve seen over the last few months is different. Cyber criminals are attempting to steal login credentials from as many ANU people as possible. They then use these credentials to send more scam emails out from the email addresses owned by their victims – the reasoning being that you are more likely to trust an email from another ANU student.

We are not sure why they are targeting the university; there are some possible motives.

– Surveillance of academics and/or students,

– Economic espionage,

– Intellectual property theft,

– Good old fashioned financial fraud.

In our research, we have found that in other high-profile hacks, spear phishing attacks generally represent the first stage in a concerted assault on an organisations’ computer systems. For example, spear phishing was used by Russian state actors to gain access to the Podesta emails in March 2016. Some of our academics have been targeted with sophisticated spear phishing emails, carrying a poisonous malware payload, which does lend some weight to the theory that external agents are attempting to gain persistent access to the ANU’s networks.

What do we know?

The short story is that, based on the evidence that we have collected, we believe that a group of cyber criminals are deliberately targeting the ANU. We can reveal that this cyber-criminal claims to be a Russian national based in Moscow.  

We’ve been collecting these phish emails from victims, and analysing them. We found that the quality of the language used, and the ‘story’ or hook, varies from email to email. They range from the very basic ‘You have unread messages in your ANU mailbox,’ that is sent to everybody, to very sophisticated spear phishes emails targeting a specific academic, as mentioned above.

The software which the criminals are using to steal login credentials are standard, off-the-shelf scripts. They are hosting these malicious scripts on compromised web servers. We do not know whether they compromised these web servers themselves or bought access to them off the dark market.

These attacks appear to be rather unsophisticated. The criminals have made basic mistakes; for example, in one attack, we were able to shut down the malicious website and obtain a list of everyone who had fallen victim to the scam. This included some senior academics and administrators, who were quickly telephoned and advised to change their passwords.

In other cases, we were able to obtain the email addresses used by the criminals, and then followed these to a social media profile that appears to be owned by one of them. Attribution is a tricky business. From our research, we understand that this cyber-criminal claims to be a Russian national based in Moscow.  It is entirely possible that the profile is a fake, but given the relatively unsophisticated nature of these attacks and the errors alluded to above, we consider it unlikely that the profile has been set up with the intent to deceive investigators.

How to prevent getting scammed:

ITS work hard to block scam websites, but they aren’t always able to respond before you open your email.

Your best defence is to assume that every email is suspect. Email is still not a secure form of communication, and it is a trivial matter to send an email that appears to have come from someone else’s email address. In our Observatory, we have the ability to send emails from any ANU email address we choose.

To steal your username and password, cyber criminals will often create fake copies of websites you know and use in your day to day activities. They rely on your not noticing that the website that opens in your browser is not a legitimate website. Fortunately, it’s easy to tell when you’re looking at a fake – if you know what to look out for.

Always check that the web address in your browser is correct. ANU websites have addresses like https://isis.anu.edu.au, http://wattle.anu.edu.au, or https://outlook.office.com/owa for your emails. Compromising these sites is incredibly difficult, so instead scammers create replicas of these sites with obfuscated web addresses.

Here, for example, is one of the sites that we use for our research in the Observatory. (it won’t harm your computer, but please don’t log in)

http://wattle.anu.edu.au.cybercrime-observatory.tech

The most important part of the web address is the right-hand side. If it doesn’t end with ‘anu.edu.au’, it’s very likely to be fraudulent. Some browsers, such as Chrome, will automatically highlight the relevant part of the web address for you.

Sometimes the URL that you see in the email you receive will be disguised to look like a legitimate website address (http://isis.anu.edu.au), but the website that loads when you click the link is a dodgy phish website (http://isis.anu.edu.au.cybercrime-observatory.tech).

They might use a web address that looks very similar to a legitimate address. For example, www.annu.edu.au, or www.micr0soft.com. Again, they rely on your not noticing that the address is slightly wrong.

These emails almost always contain some ‘call to action’. They’ll use different types of emotional manipulation to get you to respond, including

– Direct threats (‘Your account will be shut down, click here to verify it is still active’),

– Fear (‘Your account is compromised, click here to reset your password’),

– Confusion (‘You owe us money. If you believe there has been a mistake click here to report it’),  or

– Surprise (‘Click here to claim your free Ed Sheeran tickets’)

If you suspect that you may be a victim of an online scam, change your password immediately and notify ITS by calling their service desk on 6215 4321.

Our research into these attacks is ongoing. If you receive a phishing email, please forward it to us at cyberobs.anu@gmail.com.