A university professor opens an email from a member of a research group associated with her or his field and grants them access to the team’s latest findings.
But the person on the other end wasn’t a trusted colleague. The email was a fraud, and this hypothetical professor has been duped.
Douglas Jones, a University of Iowa computer-science associate professor, says that’s how a typical spear-phishing attack occurs.
The emails are tailored to the victim, and they don’t seem out of the ordinary.
But while the UI sees thousands of attacks on a daily basis, and phishing is on the rise, only a few of them are spear-phishing.
Phishing deals with attempts to acquire personal information, including usernames, passwords, and credit-card details.
Steve Fleagle, the UI associate vice president for Information Technology Services, likened the perpetrators of most of the attacks to criminals walking down the street trying to break into houses.
“… And they rattle every door to see which ones are unlocked,” he said, adding that every system connected to the Internet is at risk.
Citing a July 16 New York Times article that details U.S. research universities facing a wealth of cyber attacks, primarily from China, Fleagle said the UI is not among them in regard to attempted intellectual property theft.
“We’re subject to the same attacks everybody else is, and they are escalating,” said Jane Drews, the UI ITS chief security officer.
Although unaware of the UI’s Internet security costs because of the distributed nature of personnel who perform related tasks, Fleagle estimated the cost to be in the low millions.
Michael Corn, the chief privacy and security officer at the University of Illinois-Urbana/Champaign, said the school’s new anti-phishing system detected more than 2 million malicious links emailed in a two-week period.
“We’re basically under continuous cyber attack … [our firewalls] regularly see anywhere from 3 million to 5 million scans looking for vulnerable machines every single day,” he said. He believes that there are successful attacks regularly at every institution.
Jones said crafty attacks are less common, but they do occur.
“Mr. Fleagle wouldn’t see them at all, because they’re coming direct to the researcher,” he said.
Hackers target universities for two reasons, Jones said.
“By necessity, university computer systems are open to huge numbers of people … [and] we have a lot of stuff going on on campus which is genuinely interesting if you’re into industrial espionage,” he said. “We’ve got people doing contracting work for all kinds of proprietary products.”
Drews noted that today, most attackers are looking to make money.
“I do worry that it’s difficult to recognize the clever attacks amongst all the noise from the workaday attacks,” Corn said.
Jones said the UI combats the attacks with multifaceted awareness campaigns and a detection system that alerts ITS staff, and that successful attacks often go unnoticed until the product appears on the market from a foreign country.
“It used to be that the threats to the campus computer center were mostly students at this university trying to hack into the system for fun, and that’s not true anymore,” he said.