„Hello, your university account has been hacked. Please send us the password for this account as soon as possible so that we can secure it. Sincerely, The Cybersecurity team.“ We will never send you such an e-mail, ever. But someone else might...
The weakest part of the system
Imagine that you are a hacker and need to access a particular person's data. You have two scenarios to choose from. Either you try to bypass several technological security measures, which means a lot of work, time, and money. Or you simply ask the person for their password.
The example is simplified, but the key idea is valid. It is usually much more beneficial for an attacker to target a human than to try to overcome technology. We are busy, lazy, and overloaded with information, and our decision-making is not nearly as rational as we would like it to be. In other words: we make mistakes, and attackers know it.
The techniques targeted at people are called social engineering techniques. Under the sophisticated name is manipulation and cheating. Every social engineer strives to force the victim to comply with his demands. This is the core of social engineering. For example, they ask you to click on something, download something, send them some information, or make a payment. Social engineers can have different motives and, therefore, different requirements.
Nevertheless, it is not always a straightforward request for passwords or payments. Any information can be valuable for a social engineer, it depends on his goals and motivation. It is common for an attacker to obtain pieces of information from multiple sources and then use them to carry out a sophisticated attack. Social engineers can convincingly play several roles. Very often, they pretend to be employees of the IT department or other trustworthy persons. They use a variety of attack methods to achieve their goals. Some of them are even done directly in person. However, you can most often encounter attacks via e-mail. That’s why we will focus on such cases further.
The term phishing is derived from the word fishing. That’s because the attacker is like a fisherman who casts a lot of baits. It is enough for him if only a tiny percentage is caught. And it often catches. Bait usually forms an e-mail that looks credible and often also affects emotions. One typical attack pattern is that the attacker arouses fear and confusion in the victim and offers a simple solution in the name of some authority. With such an example, we started this article. The catch of insidious fishermen is the user's digital identity, log-in details, passwords, bank card numbers, or payments to the fraudster's account.
A more sophisticated version is spear phishing (targeted phishing), which uses previously obtained information about the victim. Messages can be constructed to mimic a trusted sender as closely as possible. This way, the attacker tries to convince the target person that it is an authentic message. Due to greater targeting of specific users, this method achieves a more significant effect than a regular phishing attack.
The number of phishing attacks has been increasing for a long time. Unfortunately, it is no longer the case that the language barrier protects us. Current attacks use fluent Czech language. The CSIRT-MU has already detected several phishing attacks aimed directly at Masaryk University. The last campaign took place less than a year ago. In it, the attackers warned against phishing and encouraged them to activate security against it. The link was directed to spoofed pages, so any data entered was headed directly to the attackers.
How to protect yourself
It is important to know that social engineers exist and, at the same time, keep a permanent critical distance from the requests which we receive in e-mails. So beware of clicking, downloading, sending information, or even money. We should especially sharpen up when the request concerns exploitable services or information. You can read more about this in our previous article. Warning signs are fear-mongering, time pressure, arousing curiosity, or offers of easy profit.
If you believe you became the target of such an attack, don’t hesitate to report it to The Cybersecurity Team of Masaryk University. You will help not only yourself but also others. At the same time, don’t forget that preventing fires is much better than fighting them. Critical thinking is, therefore, the best protection whenever someone tries to trick you.