Some 7,000 EUR students received such an e-mail in their inbox two weeks ago. Approximately 10 percent of them also clicked on the malicious link in the phishing e-mail. At least six of them had their student account password stolen.
Some students received an e-mail that appeared to contain an Excel sheet as an attachment. In reality this was no Excel file but a link to a website with an Office 365-like login form. If the students entered their e-mail address and password there on the assumption that they could view the file, the attackers obtained their password. Other students received an ‘attachment’ that appeared to come from the software company Citrix. This deceived the students in a similar way.
E-mail goes viral
Once an e-mail address has been hacked, the contact list is often read to spread the virus further, explained ethical hacker Sijmen Ruwhof, who studied the phishing e-mails at EM’s request. The obtained e-mail addresses were then used again to send the phishing e-mail to other students. The attackers then, presumably accidentally, stumbled across an e-mail list for all students who started studying in 2019. The e-mail then went viral and ended up in 7,000 inboxes. This e-mail list should not have been accessible to everyone and has now been blocked.
‘My laptop warned me’
On the condition of anonymity, one of the students who was a victim of the phishing attack told EM what happened. “I received an e-mail from a director of an external organisation where I’d previously worked. That’s why I trusted it. When I tried to open the attachment, my laptop warned me that the link was dodgy. I then quickly closed the e-mail and deleted it.” The student did not enter any account details on a form. The student then received no e-mails for two days before hearing that ‘a huge number’ of fellow students had received the phishing e-mail from the student’s account. It is unclear for which part of these e-mails this student is ‘responsible’.
The student’s name is known to the editors.
The attack took place in the week of 25 October. Rory O’Connor, EUR’s Chief Information Security Officer, immediately noticed that a ‘password spraying’ attack was taking place. This is when an attacker tries out the same password simultaneously on many different EUR accounts. Five accounts later appeared to have been hacked. Two phishing e-mails were then sent.
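The signal that distinguishes password spraying from an ordinary brute-force attempt is breadth rather than depth: one source touching many different accounts in a short time, with few attempts per account. The following detector, an added example that is not part of the EM article and not EUR’s or O’Connor’s monitoring code, runs over a constructed sign-in log in a hypothetical space-separated format (timestamp, source IP, account, result) and flags any source IP that attempts logins against at least five distinct accounts inside a ten-minute sliding window. It also lists which of those accounts the flagged source managed to log into, which is the list a responder would reset first.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real EUR data). Format is hypothetical:
# <ISO timestamp> <source IP> <account> <FAIL|SUCCESS>
SAMPLE_LOG = """\
2021-10-25T09:00:01Z 198.51.100.7 student1@example.edu FAIL
2021-10-25T09:00:02Z 198.51.100.7 student2@example.edu FAIL
2021-10-25T09:00:03Z 198.51.100.7 student3@example.edu FAIL
2021-10-25T09:00:04Z 198.51.100.7 student4@example.edu FAIL
2021-10-25T09:00:05Z 198.51.100.7 student5@example.edu SUCCESS
2021-10-25T09:00:06Z 198.51.100.7 student6@example.edu FAIL
2021-10-25T09:05:00Z 203.0.113.9 alice@example.edu FAIL
2021-10-25T09:05:10Z 203.0.113.9 alice@example.edu FAIL
2021-10-25T09:05:20Z 203.0.113.9 alice@example.edu SUCCESS
2021-10-25T11:30:00Z 198.51.100.7 student7@example.edu FAIL
"""


def parse_line(line):
    """Split one log line into (datetime, ip, account, result)."""
    ts, ip, account, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result


def events_by_source(log_text):
    """Group (timestamp, account, result) tuples per source IP, sorted by time."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, account, result = parse_line(line)
            events[ip].append((ts, account, result))
    for attempts in events.values():
        attempts.sort()
    return events


def detect_password_spraying(log_text, min_accounts=5, window=timedelta(minutes=10)):
    """Return {source_ip: sorted distinct accounts} for every source IP that
    attempted logins against at least `min_accounts` different accounts within
    any `window`-long period. Successful attempts count too: a spray that hits
    one valid password still looks like a spray from the outside."""
    hits = {}
    for ip, attempts in events_by_source(log_text).items():
        for i, (start, _, _) in enumerate(attempts):
            # Every attempt from this source that falls inside the window
            # opening at `start`; the list is sorted so a slice suffices.
            accounts = {acct for ts, acct, _ in attempts[i:] if ts - start <= window}
            if len(accounts) >= min_accounts:
                hits[ip] = sorted(accounts)
                break
    return hits


def compromised_accounts(log_text, sprayers):
    """Accounts that a flagged sprayer source authenticated to successfully;
    these are the first candidates for a forced password reset."""
    events = events_by_source(log_text)
    return sorted(
        acct
        for ip in sprayers
        for _, acct, result in events.get(ip, [])
        if result == "SUCCESS"
    )


if __name__ == "__main__":
    found = detect_password_spraying(SAMPLE_LOG)
    for ip, accounts in found.items():
        print(f"spray from {ip}: {len(accounts)} accounts targeted")
    print("successful logins by sprayers:", compromised_accounts(SAMPLE_LOG, found))
```

In the constructed data, 198.51.100.7 cycles through six accounts in a few seconds and is flagged, while 203.0.113.9, which retries a single account three times, is not: a per-account lockout threshold would catch the second pattern but miss the first, which is exactly why spraying works against lockout-only defences and why the detection has to key on the source rather than the account.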
There are all kinds of protections against phishing and EUR uses several of these. EUR uses a system known as Safelinks that should block phishing links in e-mails. And yet, the malicious links slipped through the system. “That’s because these links were not yet known as phishing sites; they were made especially for EUR,” explained O’Connor. “They have now been added to the blacklist by Microsoft and the company that manages the phishing websites has been asked to remove the fake login forms.” If someone clicks on the links now, only an empty page appears.
EUR also uses a so-called SPF record as a defence mechanism, stated Ruwhof. “That prevents unauthorised persons from sending e-mails using EUR’s domain. Normally this is possible: the e-mail protocol dates from a time that criminality was not yet an issue on the internet. That’s why hardly any protections are built in. However, with an SPF record people can e-mail on behalf of EUR, but your spam filter will ensure that the e-mail automatically ends up in your spam folder.”
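What an SPF record actually does is let the receiving mail server ask “is the IP address that delivered this message one the sender’s domain has authorised?” and act on the answer. The evaluator below is an added example, not code from the EM article and not EUR’s configuration; the domain names, IP ranges and SPF strings are constructed, and DNS is replaced by an in-memory dictionary so it runs offline. It implements only the `ip4`, `ip6`, `include` and `all` mechanisms with their `+ - ~ ?` qualifiers, which is enough to show why a `-all` record lets the receiver reject a forged message outright while a `~all` record leads to the spam-folder outcome Ruwhof describes.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (no real zone is queried).
FAKE_TXT_RECORDS = {
    "example.edu": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "nospf.example": "",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF record for `domain` from the constructed zone, or None."""
    txt = FAKE_TXT_RECORDS.get(domain, "")
    return txt if txt.startswith("v=spf1") else None


def check_spf(sender_ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for the connecting `sender_ip`.
    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    Only ip4/ip6/include/all are handled; a real evaluator also needs a, mx,
    exists, redirect= and macro expansion (RFC 7208)."""
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10 per check
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        result = QUALIFIER_RESULT[qualifier]
        if term == "all":
            return result  # catch-all: the record's verdict for everything else
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            # `in` is False across address families, so an IPv6 sender never
            # matches an ip4 mechanism and vice versa.
            if ip in ipaddress.ip_network(arg, strict=False):
                return result
        elif mech == "include":
            if check_spf(sender_ip, arg, depth + 1) == "pass":
                return result
    return "neutral"  # no mechanism matched and no explicit all


def receiver_action(spf_result):
    """Illustrative receiver policy mapping an SPF result to a delivery action."""
    return {
        "pass": "deliver",
        "fail": "reject",
        "softfail": "spam folder",
    }.get(spf_result, "deliver, but no sender verification")


if __name__ == "__main__":
    for sender, domain in [("192.0.2.55", "example.edu"),
                           ("198.51.100.10", "example.edu"),
                           ("203.0.113.5", "example.edu"),
                           ("203.0.113.5", "softfail.example"),
                           ("203.0.113.5", "nospf.example")]:
        verdict = check_spf(sender, domain)
        print(f"{sender:>14} claiming {domain:<22} -> {verdict:<8} ({receiver_action(verdict)})")
```

The `include` mechanism is how a domain delegates to its mail provider: the constructed `example.edu` record authorises its own /24 plus whatever `_spf.mailhost.example` authorises, and a sender in the provider’s IPv6 range passes only by way of that recursion. SPF checks the connecting IP against the envelope sender’s domain, so it says nothing about whether the visible From header or the link inside the message is trustworthy; that is why the phishing mail in this story could still land once sent from an already compromised student account.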
Another lifesaver could have been multi-factor authentication (MFA), but EUR has not yet activated this for student e-mail. MFA is a protection in which you need to demonstrate, in addition to a password, that you are the owner of the account, for example via a code that is sent to your e-mail or telephone.
This protection is available for researchers and employees, but not yet for students. “That’s a huge group and we need to introduce MFA very carefully,” was O’Connor’s explanation for why this is missing. He could not yet say within which period MFA would become available for students.
According to Ruwhof, it is extremely important that MFA is introduced quickly. “You certainly need MFA on e-mail. If a hacker accesses this, they can often hack into many more of the victim’s accounts.”
As far as O’Connor is aware, EUR is the only university that was targeted. “We always have contact about this via SURF, the IT cooperative arrangement for universities. But nothing was known about this at the other universities. I deduce from this that we stopped the attack in time.”
The university contacted the Rotterdam police cybercrime unit, so that the unit could investigate who was behind the attack. “However, we know from experience that it’s unlikely that we’ll find out,” stated O’Connor.
The motive for the attack is also still unclear. “The attackers focused on collecting login details. As we were able to stop the attack at an early stage, it’s not clear what the attackers were planning to do next.” They could have been planning to obtain sensitive scientific information or to carry out a ransomware attack.
Don’t just click
You can do various things to avoid becoming a phishing victim, explained Ruwhof. “In any event, never just click on a link! First hover over it with your mouse to see where the link leads to. And ask yourself: why have I received this e-mail? It’s so stupid, but just one click can take you somewhere on the internet where you don’t want to be. Then sooner or later you’ll fall prey to criminal hackers.” If you think you’re a victim of this, contact the university service desk, recommended O’Connor. “Then we can act quickly to stop the attack before things get worse.”