When labels meet fables

A painfully short time ago, I wrote about how the IT Department here at the University of Not-Bielefeld spent the better part of a coffee break designing a foolproof system to save its employees from themselves. Spam and phishing e-mails were multiplying exponentially to pandemic proportions, so something desperate and drastic had to be done. And fast.

But, because things were not bad enough to resort to having people think for themselves, the solution was to include an extremely gaudy label heading up all e-mails originating from outside the University to warn people of this exceptionally malevolent fact and to advise them to generally be afraid. Be very afraid. Steve Jobs would be proud: cutting-edge security, intense creativity, and incredible design all in one.

Nevertheless …

I received an e-mail just the other day, ostensibly from the University’s IT Service Desk, with an important “Payroll Update Alert”. (Their capitals, not mine.) Although it was officially only an alert, the e-mail still instructed me to click on the link it contained so as to open an admittedly extremely well-done fake of a University webpage where I could enter my University ID and password. All in less than 25 words (18 to be precise) and all in English. How many giveaways do you need?

From https://emojiisland.com/products/omg-iphone-emoji-jpg

Probably one more because that all-important, life-saving, gaudy warning banner was missing!

How did these cunning fiends manage to subvert the IT Department’s intricate security perimeter? Did they engage the services of REvil, the for-hire hacker group that has recently crippled numerous large firms in the US with their ransomware attacks and who suspiciously disappeared from the internet on the exact same day I received the phishing e-mail? (Some call it coincidence. I believe otherwise …) Was this some form of state-sponsored cyberterrorism that our IT Department would understandably be completely helpless against?

Nope, the phisherpeople simply lied …

From https://commons.wikimedia.org/wiki/File:Cliche_Hacker_and_Binary_Code_(26946304530).jpg

Looking at the e-mail headers, it was immediately clear that the e-mail originated off-campus and, in coming from Manchester in the UK, outside of Europe as well. All the hackers did was to spoof a University of Not-Bielefeld e-mail address as their return address, and the security system went for it. So much easier and cost-effective than trying to hack into a real University account, if you think about it. Simply tell security that you’re with the company and then tell someone in the company to give you all their credentials and, et voilà! (although I suppose that “and, et voilà” is a bilingual repetitive redundancy), you have hacked your way into a real account before your 34th Diet Coke of the morning. Absolutely brilliant! (If not completely unstoppable.)
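The banner failed because it keyed on the address the sender wrote in the From: line. As an added example (my code, not anything the University’s IT Department runs), here is the check a mail gateway should make instead: apply the banner unless the claimed internal domain was actually authenticated (DMARC) or our own edge MTA saw the message arrive from a campus address. The domain name, edge-MTA hostname, address ranges and the two sample messages are constructed placeholders.

```python
import email
import ipaddress
import re
from email import policy

INTERNAL_DOMAIN = "not-bielefeld.example"             # assumed placeholder
EDGE_HOST = "mx.not-bielefeld.example"                # assumed edge MTA name
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed campus ranges
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def entered_from_campus(msg):
    """Trust only the Received: header our own edge MTA wrote; any earlier
    hops were written by the sender and can claim whatever they like."""
    for hdr in msg.get_all("Received", []):
        if f"by {EDGE_HOST}" not in hdr:
            continue
        m = RECEIVED_IP.search(hdr)
        if not m:
            return False
        ip = ipaddress.ip_address(m.group(1))
        return any(ip in net for net in INTERNAL_NETS)
    return False


def needs_external_banner(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    hdr = msg["From"]
    claimed = hdr.addresses[0].domain.lower() if hdr and hdr.addresses else ""
    if claimed != INTERNAL_DOMAIN:
        return True  # openly external sender: banner, as intended
    # From: claims to be internal; believe it only if DMARC authenticated
    # the domain or the message really entered from a campus address.
    auth = (msg.get("Authentication-Results") or "").lower()
    return "dmarc=pass" not in auth and not entered_from_campus(msg)


# Constructed sample headers (not the real phishing mail from the post).
SPOOFED = """From: IT Service Desk <servicedesk@not-bielefeld.example>
Received: from relay.example.net (relay.example.net [203.0.113.7]) by mx.not-bielefeld.example
Authentication-Results: mx.not-bielefeld.example; spf=fail; dmarc=fail
Subject: Payroll Update Alert

Click the link to confirm your password."""

GENUINE = """From: IT Service Desk <servicedesk@not-bielefeld.example>
Received: from pc42.campus (pc42.campus [10.7.3.9]) by mx.not-bielefeld.example
Subject: Maintenance window

Mail will be down on Sunday."""
```

Run against the two samples, the spoofed “Payroll Update Alert” gets the banner and the genuine internal notice does not, which is the opposite of what a From-line-only rule produces.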

In the end, the irony is palpable. Our IT Department doesn’t trust employees at an Institute of Higher Learning to think, but it does trust hackers to tell the truth.
