This uni thought it would be a good idea to do a phishing test with a fake Ebola scare
- Reference: 1724322733
- News link: https://www.theregister.co.uk/2024/08/22/ucsc_phishing_test_ebola/
- Source link:
The message, titled "Emergency Notification: Ebola Virus Case on Campus," went out to the university community on Sunday, August 18. It began, "We regret to inform you that a member of our staff, who recently returned from South Africa, has tested positive for the Ebola virus."
The [1]message went on to say that the university has initiated a contact tracing protocol and asks message recipients to "Please Log In to the Access Information Page for more details" – the very activity phishing messages attempt to encourage in order to capture login credentials.
[2]
The simulated attack was similar to [3]an actual phishing message sent on August 1, 2024, as shown on the [4]UCSC Phish Bowl , a collection of real and test phishing attempts.
[5]
[6]
But the one sent on Sunday was intended to raise awareness of phishing rather than to actually steal information.
In that, it succeeded. The message prompted the UCSC Student Health Center to publish [7]a notice about a "Phishing email with misleading health information."
[8]
On Monday, Brian Hall, chief information security officer for UCSC, sent out [9]an apology to the university community.
"The email content was not real and inappropriate as it caused unnecessary panic, potentially undermining trust in public health messaging," his missive said. "We sincerely apologize for this oversight."
"Simulated phishing training emails are intended to help people recognize and avoid real phishing attempts, ultimately strengthening our overall security. However, we realize that the topic chosen for this simulation caused concern and inadvertently perpetuated harmful information about South Africa."
[10]Cloudflare calls for regulatory harmonization amid rising internet challenges
[11]Iran named as source of Trump campaign phish, leaks
[12]After nearly 3B personal records leak online, Florida data broker confirms it was ransacked by cyber-thieves
[13]Google raps Iran's APT42 for raining down spear-phishing attacks
The last reported Ebola infection detected in South Africa occurred [14]in 1996 , according to the US Centers for Disease Control and Prevention. In 2014, during what's referred to as the West African Ebola outbreak, 11 people were treated for Ebola in the US, most of whom had been medically evacuated from other countries. Two US nurses contracted the disease treating other patients and both recovered.
"UC Santa Cruz is focused on protecting students, faculty, and staff from malicious emails and other online threats," said Assistant Vice Chancellor Scott Hernandez-Jason in an email to The Register . "In addition to regular cybersecurity training for our employees, our campus periodically conducts simulated phishing campaigns to remind faculty and staff about how to recognize and handle suspicious emails.
[15]
"The email was sent to student employees, faculty and staff, and after it was sent we identified several concerns about the content of the message. As we shared with our campus community, we are working to prevent this from happening again."
In a [16]blog post last year, cybersecurity researcher Marcus Hutchins advised care when simulating phishing attacks. "Phishing simulations run a very high risk of creating distrust and friction between your employees and security team," he wrote.
Several months ago, Google security engineer Matt Linton made a similar point, [17]arguing "the information security industry should move toward training that de-emphasizes surprises and tricks and instead prioritizes accurate training of what we want staff to do the moment they spot a phishing email – with a particular focus on recognizing and reporting the phishing threat." ®
Get our [18]Tech Resources
[1] https://www.reddit.com/r/UCSC/comments/1evao2v/is_this_a_scam/#lightbox
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zsdgo3WlSz1sq7b5zoliOgAAAIY&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://its.ucsc.edu/security/images/credharv812024.png
[4] https://its.ucsc.edu/security/phish-bowl.html
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zsdgo3WlSz1sq7b5zoliOgAAAIY&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zsdgo3WlSz1sq7b5zoliOgAAAIY&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[7] https://healthcenter.ucsc.edu/news-events/news/phishing-email-alert.html
[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zsdgo3WlSz1sq7b5zoliOgAAAIY&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[9] https://www.reddit.com/r/UCSC/comments/1ewfg12/so_it_looks_like_its_realized_their_mistake/
[10] https://www.theregister.com/2024/08/20/cloudflare_harmonization/
[11] https://www.theregister.com/2024/08/20/iran_trump_phishing_attribution/
[12] https://www.theregister.com/2024/08/16/national_public_data_theft/
[13] https://www.theregister.com/2024/08/15/google_iran_apt42_campaigns/
[14] https://www.cdc.gov/ebola/outbreaks/index.html
[15] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zsdgo3WlSz1sq7b5zoliOgAAAIY&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[16] https://malwaretech.com/2023/09/it-might-be-time-to-rethink-phishing-awareness.html
[17] https://security.googleblog.com/2024/05/on-fire-drills-and-phishing-tests.html
[18] https://whitepapers.theregister.com/
You and I work for the same place?
"Making people change passwords"
The gift that keeps on giving massive annoyance and weak sequential passwords for no security gain. Debunked many years ago but still forced on us by tick-box warriors. (sorry, touched a nerve)
https://www.ncsc.gov.uk/collection/passwords/updating-your-approach
"Regular password changing harms rather than improves security."
Strong passwords + regular changes required => passwords on post it notes, sure as night follows day.
Idiotic software not accepting a Safari generated password with 128 bits entropy. Because “not save enough” or “too long”. They create security by using 18 random letters instead of the upper/lowercase/special character nonsense.
"Correct Horse Battery Staple"
My place has minimum 20 chars for user passwords now, so we're all encouraged down the "Correct Horse Battery Staple" type of passwords. It took about a monht for people to get used to it but it's proved way more popular and has cut the number of password calls to helpdesk by about 70%.
Re: "Correct Horse Battery Staple"
A minimum of 20 characters offers scope for creative comments about manglment's mental capacity and recent family history.
"Regular password changing harms rather than improves security."
I had a password once ending in 39. Fortunately the software allowed me to use the same very secure password with 1 to 39 added.
Mine had 51. Then they saw the light and accept a longer password with no need to change it.
"tick-box warriors"
The curse of modern civilisation.
Letting them loose on SharePoint administration is especially bizarre - all the native hindrances of shite cloud-shite, combined with an arbitrary and pig-ignorant security paradigm. The only work ever accomplished is by the phishers and data thieves.
I think the main thing that makes people avoid and then give out about these security audits is that it makes them feel and in some cases look.stupid for either getting caught out by what is obvious or being seen forgetting new passwords and having to ask for a reset again. Usually compounded by a general disdain for IT staff even though they keep the place together.
Do not set the fingers in motion before engaging the brain.
Brain ?
BRRAAAAAIIIIIIINNNNN !!
Priorities?
The email content was not real and inappropriate as it caused unnecessary panic, potentially undermining trust in public health messaging," his missive said. "We sincerely apologize for this oversight."
So they are more worried about people's trust in the public health messaging than they are in the universities security.
If they can't simulate messages like this, then I don't see how they will successfully manage to avoid actual phishing emails which are becoming more and more sophisticated.
In our company we are now at the stage where we are doubting even legitimate emails.
Re: Priorities?
What is it with US orgs and poor Phishing awareness schemes.
I received an email from my boss at 3PM offering sarnies for lunch if I clicked on the link.
Said boss was currently dosed up on chemo and probably strong pain killers so wasn't running on Greenwich mean time let alone Eastern Seaboard time.
Re: Priorities?
> we are now at the stage where we are doubting even legitimate emails.
...aaand you're trained. Congratulations, collect your certificate at going-home time. You should doubt all emails initially, and know how to identify the legitimate ones to eliminate reasonable doubt.
Re: Priorities?
To collect your certificate please click on the following [1]link
[1] https://www.youtube.com/watch?v=dQw4w9WgXcQ&pp=ygUjcmljayBhc3RsZXkgbmV2ZXIgZ29ubmEgZ2l2ZSB5b3UgdXA%3D
Re: Priorities?
“ So they are more worried about people's trust in the public health messaging than they are in the universities security.”
You don’t get it. The risk is that if there’s a genuine health warning people may not take it seriously.
Re: Priorities?
That's exactly what should be happening..
EMAIL CAN NOT BE TRUSTED. Period.
All the attempts to bolt "security" on a fundamentally insecure protocol just don't work. The ones that are technically sound are too complicated for normal users, who can't figure out the difference between a lock indicator on the URL bar and a lock graphic in the web page.
People have to learn that you can't trust e-mail. If a "genuine health warning" is sent out via e-mail and that's the only way it is sent, then the senders need to learn how to do their job properly.
Re: Priorities?
Email is not the proper channel for public health warnings. That'd be what official postings and websites are for.
Re: Priorities?
But remember to send out emails with links to the public posting or website. just to be sure.
Re: Priorities?
We do get it, we get the exact problem they think they have when in fact they already had a problem.
They had already had a genuine phishing email, they told people to never trust email, sent out a fake phishing email, people still trusted the new email as fact and now they're moaning about people might not trust emails as fact.
Now do you get what the core problem is here, it starts with "e" and ends with "l". Email is simply no longer fit for purpose, it's basically useful for sending text informaiton but all the HTML, links, pics and other bollocks they've crowbarred into the specs is now useless as email is still one of the number one initial vectors for scuzzbags to get their claws into your org. No matter how much you beat people with the "DO NOT TRUST EMAIL!" stick they still come back for more punishment by trusting emails and clicking on links, as if there's some sort of prize for how many stupid email links can people click in a day.
Not so many years ago at a university in the UK did our first phishing exercise. I can't remember the text but it would have been along the lines of "funding issue with your fees". The following day HR raised complaints at the highest level and were demanding discipline be considered. Time and time again they were telling us that "lying to students is totally unacceptable" and how the damage done will take many many years to repair. No further exercises were ever run.
Was it sent from a university email address?
It seems you should have talked with HR before that exercise. As a first step you could have sent the scam email with an explanation that it is a scam, plus tips how to recognise this scam. Like “if there was a real problem the email would contain your name. “
I’ve received emails where I didn’t do what I was asked to do, but just replied “this is just what a scammer would ask me to do”. Training is needed that way as well.
Ditto, every email I get in the company that has links embedded and from people as sources, not automated systems I know about, I now just forward them to the HR and Infosec bods as possible phishing scams. They get fed up and keep telling me to stop and say most are genuine, but I simply say "That's exactly what a scammers want you to think!".
As the best sci-fi films often say, "They took an innocent man, trained him and turned him into an unthinking killing machine!", well that's what all the infosec training they make us take every 2 months has done to me, now I don't trust anything and no one!
"Training is needed that way as well."
Especially with marketroids. A metre or so of scaffolding pole would be a suitable training implement.
Works for me...
A few years ago, my employer sent out a fake termination e-mail. "please click on this link, download the forms, fill them out, sign them and take them to HR", something along those lines. I thought it was a brilliant test.
However, I had a new coworker -- very Inexperienced, but smart and trainable and hard-working. i.e., the dream young employee. However, while her experience was measured in months, the rest of us in the team measured our experience in decades. So...not too surprisingly, she had confidence problems. She got the fake termination phish test, and she told us she freaked out. And I fully sympathize.
BUT...you can't take tools off the table. If we say, "We won't train with 'shocking' content", there's how you get get your phish through. Shock them, horrify them, get them to drop their guard...and a-clicking they will go.
Security training needs to be brutal. Two-up bosses telling underlings to do things (and obviously, managers have to learn to accept people questioning their questionable demands). Disease alerts. Termination notifications. Meet the new coworker. Department after-work party. And drop the stupid "misspellings and bad grammar should be your tip-off" b***s***, because if the target is worth the effort, they'll find someone who can write good $LOCALLANGUAGE.
University of California Santa Cruz
That's like Oxford Brookes?
Hey! Just askin.........
"Phishing simulations run a very high risk of creating distrust and friction between your employees and security team,"
In my experience any attempt to implement, highlight or enforce security causes friction, especially with engineers and directors. Make people use strong passwords, making people change passwords, making people use 2FA, workplace audits for post-it-passwords, disabling USB, warnings about stuff on local drives, and so on. I don't see why phishing simulations should be specially different.