Iranian Hackers have attempted to hack into UK universities offering government-certified cybersecurity courses. Students and employees with UK university log-ins were sent phishing emails in an attempt to trick them into giving their passwords. IT security experts commented below.
Dr Guy Bunker, SVP of Products at Clearswift:
“While this is not unexpected, we know that phishing and hacking attacks occur every day of the year, this shows how increasingly sophisticated the attacks are becoming on what might have previously been thought innocuous targets. Students are particularly vulnerable to phishing, especially those who are looking at the next round of education / courses for them to attend. Cyber-squatting on similar URLs has been an issue for many years and shows no sign of abating, despite the known problems and measures to ensure that verified entities are the ones requesting the domain.
As per usual, there needs to be education to the students around the issue – and to be very wary of requests made. Universities should look to subscribe to services around cyber-squatting which watch for similar domain registration to ensure that they are not being faked… as ultimately this will damage their reputations. There is talk of two factor authentication (2FA) for access to university services, with everyone having access to a mobile phone (constantly!), there is no reason not to do this using something like Google Authenticator. Universities are a source of our brightest people and ideas they need to be kept as safe as possible from cyber-attackers.”
Jake Moore, Cybersecurity Expert at ESET UK:
‘Regardless of whether or not these universities were singled out or not, the simple fact remains that phishing emails are still a major threat. People with UK university log-ins were sent phishing emails to trick them into giving up their passwords and I wouldn’t be surprised if a sizable number fell for it. It seems plausible that your university library would email you as a student, direct you to a page and then ask for your credentials. This would indeed be something that the students would be expecting and therefore comply with, especially someone with an untrained eye unaware that the redirected page could be fake. We have to remember that we are human and humans make mistakes. Even cautious people can sometimes click on malicious attachments or links. This is simply because education still isn’t enough and people will continue to be fooled. It’s just that simple.
We need to remind people that even with the best systems in place, simple phishing emails can still get through the net and do some damage. Maybe the universities could implement two factor authentication as another layer of security to help mitigate further attacks so even if the criminals grab hold of the passwords, they would still struggle to penetrate the network.’
Corin Imai, Senior Security Adviser at DomainTools:
“This is a different nation-state tactic than ones we hear about most often. While there’s a plethora of examples of election hacking, disinformation and disruption, attempting to access intellectual property for nefarious purposes could be just as dangerous. The fact that the Iranian nation-state targeted cyber-focused UK university courses indicates this feeds directly into the nation’s cybersecurity strategy; By understanding what students in the West are being taught about cyber, it gains them the upper hand in terms of bypassing the protective efforts. The fact that the Universities were targeted via phishing emails is further proof (if ever proof was needed) that phishing is still an effective method of compromise, and one that the general public still needs to be educated on.”
Maor Hizkiev, CTO and Co-founder at BitDam:
“When receiving an email you didn’t expect, containing a link, it is better if you go to link manually and not by clicking it. Having said that, it is easy to notice the trend in phishing, where the attackers are targeting specific sectors with a common interest, so they can gain the trust of the victims easily. We’ve come to a point where the human eye just doesn’t cut it and only advanced algorithms can flag the bad correctly.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.