October Phishing Challenge: Cybercriminal 101

By: ddevenney

We’ve just completed our October Phishing Challenge and this one was a bit tricky. We left lots of clues that it was a phishing email, but we used some basic cybercriminal techniques to try and get a response. And it worked! Let me refresh your memory. Here’s the email I’m referring to:

Of those who received this email, 72 people, or 6.52 per cent, clicked on the attachment. This was not our best effort, but certainly not our worst either.

What are those cybercriminal techniques I mentioned? One of the most basic items in a cybercriminal’s toolkit is reconnaissance. In this case we poked around on Crossroads, found an article about the recent Campus Conversation that was focused on sustainability and noted that it mentioned an upcoming plan. Perfect, that’s just what we need to catch people’s attention.

What happened was that people saw “RR University Campus Sustanability Plan report”, recognized this as an important issue and then clicked on the attachment without looking at the clues we’d planted to identify the message as a phishing email. That’s the reaction cybercriminals are counting on.

Speaking of clues, here are those clues for you in screenshot form:

  • LOTS of spelling mistakes.

  • The email address says the message came from Microsoftdocx.com, not royalroads.ca as you might expect.

  • Note the signature block. Dr. Steenkamp never uses a signature block like this and his title isn’t CEO. As an aside, this signature block was borrowed from an actual phishing email that we received about six months ago.
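The sender-domain clue can also be checked mechanically. The following Python is an added example, not part of the original challenge or any Royal Roads tooling; the sample message, the ORG_MARKERS phrases and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "royalroads.ca"                # domain the article says to expect
ORG_MARKERS = ("royal roads", "rr university")  # assumption: phrases claiming an internal origin

# Constructed sample modelled on the clues listed above; not the real challenge email.
SAMPLE = """\
From: "Royal Roads University" <reports@Microsoftdocx.com>
Subject: RR University Campus Sustanability Plan report
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached report.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="report.docx"

(placeholder bytes)
--b1--
"""

def is_trusted(domain):
    """Exact match or true subdomain; look-alikes such as notroyalroads.ca fail."""
    domain = domain.lower().rstrip(".")
    return domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN)

def triage(raw):
    """Return a list of findings for one raw message (empty list = nothing flagged)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    if is_trusted(domain):
        return []  # a forged From can still pass; this only catches the visible mismatch
    findings = [f"sender domain '{domain.lower()}' is not {TRUSTED_DOMAIN}"]
    claimed = f"{display} {msg.get('Subject', '')}".lower()
    if any(marker in claimed for marker in ORG_MARKERS):
        findings.append("presents itself as internal but comes from an external domain")
    files = [p.get_filename() for p in msg.walk() if p.get_content_disposition() == "attachment"]
    if files:
        findings.append(f"attachment from untrusted sender: {', '.join(map(str, files))}")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("FLAG:", finding)
```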

The BIG Concern

The big concern with this kind of email is that this is how cybercriminals circulate ransomware. Ransomware is a HUGE problem right now with governments and education institutions across North America falling victim to it. For example, see what just happened to the Government of Nunavut.

So what do you do? 

The answer is to take a minute and examine the email. It’s supposedly an internal Royal Roads email, so it should conform to the Trusted Source format. Remember the STOP! THINK! CONNECT mantra we’ve been promoting? If you stop and think about the actual email itself and look at the clues, you’ll see pretty quickly that all is not as it should be. At that point, just delete it. If you’re not comfortable with that action then please reach out. You can talk to a cyber security ambassador, the Help Desk or IT Security.

Overall, how are we doing? We slipped a little over last time, but we’re still doing pretty well. Here are our challenge results over the past year:

The goal is to maintain a click rate below five per cent. We’ve been there in the past and I’m certain we can get there again. 

Every day we in IT receive notifications about new ways of stealing user data, new forms of ransomware, etc., and virtually all of them start with “a user responds to a phishing email”. That is the reason we keep reminding you about phishing emails. You are our best defense against cybercriminals. 

Thank you all for your vigilance.

Remember: STOP! THINK! CONNECT.