News broke recently of MacEwan University being defrauded of $11.8 million in an online phishing scam. From reports it appears to be a highly targeted con job that leveraged the same techniques online scammers use to defraud individuals of their bank account numbers. Importantly, the fraud went undetected from the first payment on August 10th until the last on August 19th. The good news is that the accounts have been frozen and it appears that the university will not be hit too badly. Still, the costs, both out of pocket and in time spent dealing with the issue, will be high.
How did phishing play a role? From the cited article, it seems like the scammers set up a site and sent highly targeted emails that looked legitimate in order to trick the administrator into changing the banking information for the payee in their accounting system. From a technology perspective this was relatively easy because the university was simply paying expected invoices...but to the wrong account. No need to intercept funds, create fake invoices, install malware, or phish for banking information (like a credit card) that would then need to get through anti-fraud systems.
There are two key observations here. The first is that when these types of attacks occur they typically happen in groups: in this case it is reported that 14 construction firms were impersonated, and we assume that multiple Edmonton-area businesses were targeted. It illustrates that fraudsters attempt to execute many attacks in rapid-fire fashion, then take the money and run. The second is that security only works when it is applied in a defence-in-depth manner, meaning multiple layers of security that protect the core and each other. Even so, we know that university IT staff spend a lot of time and resources on security and are among the best prepared given their very high risk profiles. Yet this still got through, because in IT everything eventually fails.
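The two observations above (payments went to the wrong account because a payee's banking details were changed, and such attacks arrive in groups) both map onto a simple accounts-payable control. The following is an added illustration, not code from CIRA or MacEwan: it runs two checks over a constructed payee-change log and payment list, holding any payment that follows an unverified bank-detail change within a window, and surfacing new accounts that several different vendors have been pointed at. All vendor ids, account numbers, amounts and dates are constructed sample values.

```python
"""Flag accounts-payable payments that follow an unverified payee bank-detail change."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (illustrative only, not MacEwan's records).
# Payee master-file changes: when, which vendor, old/new account, and whether
# the change was confirmed with the vendor via a previously known phone number.
PAYEE_CHANGES = [
    {"ts": "2017-08-08T09:12:00", "payee": "V-1001", "old": "ACCT-111", "new": "ACCT-999", "verified": False},
    {"ts": "2017-08-08T09:40:00", "payee": "V-1002", "old": "ACCT-222", "new": "ACCT-999", "verified": False},
    {"ts": "2017-08-09T14:05:00", "payee": "V-1003", "old": "ACCT-333", "new": "ACCT-888", "verified": True},
    {"ts": "2017-05-01T10:00:00", "payee": "V-1004", "old": "ACCT-444", "new": "ACCT-555", "verified": False},
]

# Constructed payment run against the vendors above.
PAYMENTS = [
    {"ts": "2017-08-10T11:00:00", "payee": "V-1001", "account": "ACCT-999", "amount": 1_900_000.00},
    {"ts": "2017-08-12T11:00:00", "payee": "V-1002", "account": "ACCT-999", "amount": 2_500_000.00},
    {"ts": "2017-08-14T11:00:00", "payee": "V-1003", "account": "ACCT-888", "amount": 120_000.00},
    {"ts": "2017-08-15T11:00:00", "payee": "V-1004", "account": "ACCT-555", "amount": 15_000.00},
]


def _ts(s):
    return datetime.fromisoformat(s)


def flag_payments(changes, payments, window_days=30):
    """Return payments made to an account that an unverified change introduced
    within window_days before the payment. Each alert carries the reason."""
    alerts = []
    for p in payments:
        for c in changes:
            if c["payee"] != p["payee"] or c["new"] != p["account"]:
                continue
            age = _ts(p["ts"]) - _ts(c["ts"])
            if timedelta(0) <= age <= timedelta(days=window_days) and not c["verified"]:
                alerts.append({
                    "payee": p["payee"],
                    "account": p["account"],
                    "amount": p["amount"],
                    "reason": f"unverified bank change {age.days} day(s) before payment",
                })
    return alerts


def shared_destination_accounts(changes):
    """Group payee changes by their new account. Several distinct vendors being
    redirected to one account is the 'attacks come in groups' pattern."""
    by_account = defaultdict(set)
    for c in changes:
        by_account[c["new"]].add(c["payee"])
    return {acct: sorted(payees) for acct, payees in by_account.items() if len(payees) > 1}


def hold_for_review(changes, payments, window_days=30):
    """Combine both signals: hold any payment caught by either rule."""
    shared = shared_destination_accounts(changes)
    held = set()
    for a in flag_payments(changes, payments, window_days):
        held.add((a["payee"], a["account"]))
    for p in payments:
        if p["account"] in shared:
            held.add((p["payee"], p["account"]))
    return sorted(held)


if __name__ == "__main__":
    for a in flag_payments(PAYEE_CHANGES, PAYMENTS):
        print(f"HOLD {a['payee']} -> {a['account']} ${a['amount']:,.2f}: {a['reason']}")
    print("accounts shared by several payees:", shared_destination_accounts(PAYEE_CHANGES))
```

On the sample data the first two payments are held (their accounts were changed two and four days earlier with no call-back), the third passes because the change was verified out of band, and the fourth passes because its change is older than the 30-day window. The second rule catches the same two vendors from a different angle: both now point at ACCT-999. Either check alone would have held the suspicious payments before the money left.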
Is phishing the new black?
Over the summer, a lot of high-profile ransomware attacks occurred in Canada and around the world. You couldn't attend a security conference without it being the primary thing talked about. Does this new event indicate a change in tactics that IT professionals need to fear? The answer is: not really, because a good IT security person should always be in a state of "managed fear". In the family of malware used to attack machines we have viruses, worms, trojans, bots, spyware, adware, ransomware and more. In the tools used to defraud humans we have email, websites, phones, insiders, applications and more. All of these things work together to trick users into doing things they shouldn't, and IT plays a role in fraud protection both online and IRL. At minimum we consider these basic tactics a good starting point:
- Application layer security
- Network layer security
- Beyond the network security
- Vendor redundancy
- Hardware redundancy
- Software redundancy
- Participation in security monitoring groups
- User training
CIRA has a role in helping Canadian educational institutions protect themselves from threats. We have a secondary DNS service to help keep their sites up and running in the event of a DDoS attack, domain locking to help avoid redirection of their DNS, and DNS Firewall for traditional phishing and malware. All these services are well connected to their research networks, so performance and security are further optimized. Because these attacks occur in groups, we also envision that universities could have a shared blocking feature so that when one institution detects a problem and blocks it, others get the benefit of this knowledge. Canadian organizations' specific needs tend to get passed over by global suppliers, and we think this focus can help them better protect themselves.
To learn more about DNS Firewall, visit the product page.
To learn more or get a demo of the D-Zone DNS Firewall for education please contact us.