70% of MUNI students fell prey to fraudulent e-mails
These were the findings of David Magušin’s research, in which he took the role of a cyber attacker to see how 215 Masaryk University students responded to fake phishing e-mails. A real attacker who succeeded in obtaining a student's password could use the university information system (IS MU) to terminate their studies, change the bank account number to which their scholarship is paid, or send counterfeit e-mails with malware attached on their behalf.
As part of the master’s thesis research, three phishing e-mails resembling authentic university communications were sent to the students. Preparing these simulated phishing attacks and the study itself required a thorough and systematic methodology that took several months. At the same time, it is vital to note how simple it is to create a phishing e-mail today. One example of a simple method is buying the munl.cz domain, which mimics the real muni.cz domain, for less than 200 CZK.
This article will inform you about:
- The appearance and sophistication of the fake e-mails used.
- The study’s findings, including other noteworthy discoveries.
- The potential impact of the attack if the attacker gained the student’s password (with a real-world scenario).
- How to defend oneself and which security technologies to use.
- What extra we have planned for you.
The First E-mail: Fake alert from the library
The sender’s credibility was increased by using publicly available information from Masaryk University’s official website. The e-mail included a link to the current price list, which includes penalties for late payment.
The Second E-mail: Extraordinary scholarship
To boost credibility, existing information on the Masaryk University website about the confirmation of the prerequisites for getting the accommodation grant was used, with the last possible deadline of November 30. This information was utilized in a fake e-mail, which reminded the student to "confirm eligibility by November 30."
The Third E-mail: Confirmation of exam dates
To boost credibility, the information accessible on the is.muni.cz website about how to reserve a slot on an examination date at IS MU was used. These instructions were simply copied into the body of an e-mail.
What was the result? 70% of students fell for phishing
After three rounds of simulated attacks, it was found that up to 70% of students (150 out of 215) entered a genuine password at least once into the phony login form, and 26% did so more than once. Most students fell for the second round of attacks, in which 44% (94) of them entered their login details on the fake website.
Further information about the research
Why this experiment, and who gave permission to carry it out?
The number of cyber-attacks on Masaryk University is steadily rising, with phishing e-mails being the most common. Their growing number and sophistication make them harder for users to recognise. Despite advanced technical precautions (e-mail filters and the SPF, DKIM and DMARC authentication protocols) and active blocking of suspicious addresses, these measures are not completely effective, and several dozen compromised accounts have been discovered so far.
In 2022, Masaryk University recorded over 197,000 cyber attack attempts, 1,642 of which required direct intervention (see chart below).
There are several approaches to testing whether a person can detect a phishing e-mail. An attack simulation, however, replicates the real-world scenario in which a user receives an e-mail during a typical school or working day. The responses observed can therefore be taken as the most likely responses even if a genuine attacker had been behind the attempt.
All research participants agreed to receive the simulated phishing e-mails and were assured that their data would not be compromised if they fell for the attack. In addition, all data entered was destroyed once the experiment was finished. The simulated attacks were conducted in collaboration with the MU Cyber Security Team (CSIRT-MU), and all relevant departments of the university were informed about them.
How did students of individual faculties react to phishing attacks?
The outcomes across faculties were very close. Only the Faculty of Medicine (MED) and the Faculty of Arts (PHIL) showed a more pronounced difference.
The study included students from all faculties of Masaryk University. The table below displays the detailed distribution of participants into two groups* based on faculty and gender, as well as the total number.
*Students in group 1 were given a brief phishing training session after falling victim to the attack (i.e., after they entered a valid primary password).
How effective was the training of the students?
After falling victim to phishing, some students received a brief lesson on how to defend themselves against it. The graph below shows how often students fell for phishing depending on whether or not they received the training. As you can see, more of the students who did not attend the training fell victim to phishing on all three occasions. However, we were unable to confirm a statistically significant effect of the training on whether or not students fell victim to phishing, so the difference could be a coincidence rather than a genuine training effect. More simulations on a larger group of participants would be needed to settle this.
How many students have reported a suspected cyber incident to the MU Cybersecurity Team?
Although up to 70% of students succumbed to phishing, only 0.6% of students reported a suspected cyber security incident to CSIRT-MU: four reports in total, two of them from the same student. The earliest report arrived 2 hours and 37 minutes after the phishing e-mail was sent.
Why is this data both important and alarming?
In general, less than 1% of users realistically report a suspected cybersecurity incident. Masaryk University obliges users of MU IT services (which include students) to immediately notify CSIRT-MU of a suspected security incident.
The informational value of the first report is considerable. Timely reporting matters above all for minimising the impact and blocking further delivery of the phishing e-mails. Large-scale campaigns usually run for several to tens of hours, so by blocking them CSIRT-MU can stop part of the campaign; most importantly, it can block the phishing page, so that users who click the link in the e-mail cannot reach the page and fill in their data.
Impact of attacks: dropping out, stealing scholarship money or misusing a crisis contact
An attacker may terminate a student's studies
"The attacker finds me uninteresting as a student and in the end probably doesn't even care enough to see my schedule and grades in IS..." Could an attacker really only see the student's schedule and grades? Not quite. With the primary password, the attacker could terminate the student’s studies, and once again the exact instructions for doing so can be found on the official university website. In IS, a student can drop out of their studies with a few clicks and without giving any reason. After obtaining the primary password and logging into IS, the attacker would of course have the same rights.
The attacker could also change the student's bank account number and misuse other information
In addition to terminating studies, the attacker could change the student's bank account number, so that the accommodation grant or another scholarship would be paid into the attacker's account. An attacker obtaining the primary password could therefore cause direct financial loss. Do you know what information about yourself is stored in IS? Your ID card or phone number, birth number (personal identification number), crisis contact number and many other items of personal and sensitive data that an attacker can misuse. You may have seen news reports about an attacker obtaining the phone number of a colleague or relative of the victim, posing as a friend or colleague and calling with an urgent request to send money for emergency surgery or for a return ticket.
The most common misuse of access: fraudulent messages sent in your name!
Most often, however, attackers use access to the system to send further phishing e-mails. The following is a real-life example. An attacker obtained the login credentials of a person from the MU Faculty of Social Studies and then used that person's mailbox to send a sophisticated e-mail message. This is a so-called compromised account, one to which the attacker had access. You probably would not expect someone to misuse a QR code like that.
Defense: What should we take from the research?
- Remember that the MUNI Unified Login page (used for logging into the library catalogue, etc.) will always be at id.muni.cz, and logging into IS MUNI will always go through muni.islogin.cz. Any minor change in the web address indicates a spoofed website.
- Generally, we recommend following three simple principles for secure electronic communication. The next time you browse through emails in your inbox, focus on:
- Checking these three things takes only a few seconds, yet it helps you avoid a lot of potential problems.
- And if you discover a phishing e-mail in your inbox, even if you only suspect it, don't hesitate to report it. By reporting it, CSIRT-MU can stop the spread of phishing - for example, by blocking the fraudulent site linked to in the e-mail. In addition, we can inform and alert other users to an ongoing phishing campaign.
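The advice above (only id.muni.cz and muni.islogin.cz are real login addresses; a minor change such as munl.cz means a spoofed site) can be turned into a simple link check. The following is an added example, not code from the study or from CSIRT-MU; the sample links are constructed, and the registrable-domain helper assumes a one-label public suffix such as ".cz".

```python
from urllib.parse import urlsplit

# Legitimate MU login hosts named in the article: only an exact, whole-host match counts.
LEGIT_LOGIN_HOSTS = {"id.muni.cz", "muni.islogin.cz"}
# Registrable domains of those hosts; near misses against these are flagged as look-alikes.
TRUSTED_DOMAINS = {"muni.cz", "islogin.cz"}


def registrable_domain(host: str) -> str:
    """Last two labels of a host, e.g. 'id.muni.cz' -> 'muni.cz'.
    Simplification (assumption): a one-label public suffix such as '.cz'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 'munl.cz' is one edit away from 'muni.cz'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_login_link(url: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unknown' for a link found in an e-mail.

    The host comes from a proper URL parse, so a link such as
    'http://id.muni.cz@evil.example/' resolves to evil.example, not id.muni.cz.
    """
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower()
    if host in LEGIT_LOGIN_HOSTS:
        return "legitimate"
    domain = registrable_domain(host)
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted:
            continue  # e.g. mail.muni.cz: a genuine MU host, but not a login page
        # A typo-squat (munl.cz) or the trusted name buried inside a longer host
        # (id.muni.cz.evil.example) are both reported as look-alikes.
        if edit_distance(domain, trusted) <= 2 or trusted in host:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, not taken from the study's e-mails.
    for link in ["https://id.muni.cz/", "https://munl.cz/is",
                 "https://id.muni.cz.evil.example/", "http://id.muni.cz@evil.example/"]:
        print(f"{link:40} -> {classify_login_link(link)}")
```

Anything other than "legitimate" deserves a closer look before entering a password, and "lookalike" is exactly the kind of e-mail worth reporting to CSIRT-MU.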
Defense: Use security tools
There are other tools, such as a password manager and multi-factor authentication (MFA), that we recommend you set up to increase your protection against phishing attacks.
Password Manager
Password Manager stores and encrypts your login credentials. You only need to remember one strong password to protect all your accounts. The following video will first guide you step-by-step through the installation of the Bitwarden password manager. Next, we will focus on its most common practical uses – automatically saving and filling in login details.
Multi-factor authentication
Even if a student entered his or her login credentials on a fraudulent site, multi-factor authentication (MFA) could still have protected the student's account despite the stolen password. The point of multi-factor authentication is simply not to rely on a single password. Imagine that someone has obtained your online banking password. They log in and try to transfer your money. At that point, however, the bank asks them for the code from a verification SMS or for a confirmation in the app (the next factors).
MFA is also provided by Masaryk University, and a short and simple video tutorial (only in Czech) is available for IS on how to confirm login by entering the 6-digit code from the authentication app. In addition to the code, you can also set up authentication via Citizen Identity.
For services that use MUNI Unified Login (MUL), for example the library catalogue, we recommend using multi-factor authentication with a "security key", which also verifies the domain of the site you are logging into. Instructions and a comprehensive explanation can be found at the link below.
A few closing words
In today's cyber-centric world, it is crucial to be aware of risks and know how to address them. Masaryk University tries to filter phishing emails so that none reach you. Still, no measure is 100% foolproof. That is why we, the staff and students at the university, need to raise our awareness of cyber threats and be able to counter phishing. Be vigilant, check sender and link addresses, avoid opening suspicious attachments, use multi-factor authentication and password managers. Contact the CSIRT-MU team immediately if you suspect a cyber-attack.
Practical bonus
Phishing Quiz
Can you spot a fraudulent phishing e-mail in your inbox? Let's find out in a quiz!
The quiz has 10 questions in total, each in the form of a sample e-mail. During the quiz you will see immediately whether you have correctly identified the e-mail as phishing or as a legitimate message. If you manage to answer at least 8 questions correctly, you will get access to bonus content. Good luck!