Last January the Department of Homeland Security has issued an alert on scams specifically targeting college students where hackers impersonate administrators, staffers and potential employers to gain access to students accounts.
Email phishing has been an issue since computer programmer Ray Tomlinson sent out the first email in 1971, but in last few months there has been a new wave of attacks across the country where college students received an email from someone they think they knew, either an administrator or staffer who had their account hacked.
At first glance the message seems harmless. The email asks the student to either make a wire transfer or check a payment providing an external link or an attachment. Unfortunately, clicking on the link will install a malware.
“Students are often told to double check the sender to make sure they’re not falling for a phishing attempt,” technology correspondent for Inside Higher Ed Carl Straumsheim said in an email to the Courier. “But if the email looks like it’s coming from someone on campus, it can be more difficult to determine if it’s fake.”
Students at Pasadena City College (PCC) have not been victims of this kind of phishing scams but informational technology services (ITS) director at PCC, Matthew Kiaman, said he had seen an increase in the number of reports of phishing emails from employees in recent months.
Kiaman is now working with Human Resources to incorporate information security training for employees, starting with administrators, and he’ll take advantage of the state’s plan to invest more resources in information security training as it was announced during a recent California Community College Chief Information System Officers’s conference.
“We are dedicating more resources both in terms of employee time and software, hardware and money towards security,” Kiaman said. “This trend is expected to continue as the threats by attackers continue to evolve.”
Victims and hackers evolve their defense and attack methods in parallel, and whoever learns faster stays ahead of the game. This means that while victims and email defenses are getting more sophisticated in identifying the attacks, the attackers are also evolving in order to stay effective.
“The attackers are now automating some of their efforts,” said Kiaman. “This frees up their time to research their victims and personalize their communication and attacks to increase their effectiveness.”
According to Straumsheim, hackers are now doing research on who they’re targeting and are doing a better job in impersonating colleges, which makes it more difficult for recipients of phishing attacks to distinguish between what is a genuine email versus a malicious attack.
“It’s not unusual now to see phishing emails that use college logos and colors to trick recipients into believing they are real,” Straumsheim said. “In addition to using college letterhead, hackers will often research directory information to find names and job titles of people on campus.”
There are some general things an informed user should look for to avoid being scammed.
“Everyone is a target,” computer science professor at the University of Santa Barbara Giovanni Vigna said in an email to the Courier. “Everyone should be aware of this attack in the same way in which we are aware that people could pickpocket us, or break into our car.”
Kiaman made a short list of things that should raise a flag such as errors like spelling and grammar in the email, or when the message contains a mismatched URL, which can be seen by hovering over the link in the email to see where the link will actually send the recipient.
Before clicking on any link sent to the recipient’s email, the recipient should always take a look at the sender’s email address.
Another common phishing email asks the recipient to “verify your account” or “expand your mailbox” by filling a form which provides them with additional information about him or her and his or her account, including the password.
“Pretend you are in a room and it has 200 doors,” Cyberwatch West’s Director Corinne Sand said over the phone. “The attacker can come through any door. What you want to do is close as many doors as you possibly can.”
Sande’s job is to train students with cyber skills.
“There is a huge demand for people with cybersecurity training,” Sande said. She’s the director of the Cybersecurity Center hosted by the Whatcom Community College, Washington, which offers a two-year degree in cybersecurity, and director of Cyberwatch West, a national science foundation centered on cybersecurity education that offer supports to colleges who want to develop their cybersecurity program.
“Students need to be aware that not everything that is coming to their inbox is legit,” said Sande. “They should secure their machines with firewalls and antivirus and be careful on what they post on the internet because once it’s posted it never goes away.”
This involves being aware of what people post on their social media. There is an area of security that centers around gathering open sources intelligence harvesting information on people based on what they post on social media.
“People leave trails all over the internet,” Sande said. “For example with Facebook you can learn about that persons and their contacts and their relationship with that contacts. There is a lot of information publicly available and by accessing that info you can assemble a file on that person. There are computerized ways to do all this stuff.”
Sande’s advice is simple.
“Be aware of what you post online, more circumspect about what you want the world to know about you, especially with students, when coming to jobs, it’s very common for the employer to search social media to see what you posted in the past.”
ITS is getting more and more complex because stakes are getting higher. According to the analyst firm Garnet there will be over 26 million connected devices by 2020. More connected devices will create more vulnerabilities, on and off college campuses.
“When people health information, as collected by a smartwatch, will be used for nefarious purposes, people will pay attention.” Vigna said in an email. “Unfortunately, this [the so-called Internet of Things, meaning the devices that can connect to internet and between each other] is a market-driven field and security is almost always an afterthought.”
There’s a risk of becoming paranoid about cybersecurity, but experts agree threats are real. Is it exaggerated to set up scenario in which assassination by an hacked automated car is doable?