Spear Phishing Attacks

March was a busy month for most of us.  Between the shoveling, and the shoveling, and finishing off with a bit of shoveling, the cyber attackers also found some time to lob a few phishing emails in our general direction.  As an institution, we observed a marked increase in the volume and effectiveness of external phishing attacks over the last 30 days which resulted in an extraordinary amount of users having their passwords stolen.  We observed individuals being targeted specifically in these attempts which is different than the generic phishing emails that we are all used to seeing.  These types of targeted attacks are called “spear phishing”. 

Some of the spear phishing attacks were even sophisticated enough to have researched a victims supervisors or colleagues and attempted to impersonate that individual.  This was done by sending a bait email to the supervisor asking for a benign or simple response.  These responses, if received were used to harvest signature information and any images or phrases commonly used by that individual.  The attackers then created a spoofed email address that closely replicated the appearance of supervisor, with the same name, and possibly even similar email addresses such as sample.user@uelth.ca instead of sample.user@uleth.ca.  Did you notice the subtle spelling difference between uelth and uleth?  Finally, they sent a malicious message to the victim that appeared to be from their supervisor asking the victim to log into what appeared to be a legitimage webpage such as Microsoft, google, or even the University single sign on page.  Unfortunately, these sites were a setup, and the user’s credentials were stolen and then used shortly thereafter to attempt to steal other people’s usernames and passwords as well.

So, how do we recognize the “Red Flags” of a phishing email to avoid being tricked?

  1. If the message seems a little off, ask the person who sent it to you (over phone, or in person) about whether or not they actually sent the message.  The worst thing to happen in that situation is that they will confirm that they actually sent you something.
  2. Pay careful attention to the “reply” email address.  Make sure the “name” of the email account doesn’t lull you into a false sense of security.  If you hit reply, and the email message doesn’t look familiar or legitimate, it’s likely the original message was spoofed and is trying to trick you.
  3. When visiting web pages that are referenced in emails, double check the address bar of your browser to make sure that you really are where you think you should be.  It’s relatively easy for an attacker to copy the appearance of a legitimate web page, but the address bar will always tell you the actual location of where you are surfing.  The University will only ever ask for a username and password from a website that ends in uleth.ca, or ulethbridge.ca.  Even Microsoft and Google return users to our own websites for authentication purposes. 
  4. Be cautious when you receive emails that express urgency or require action in a short period of time.  Attackers will try to create a sense of panic that would cause you to lower your guard against detecting fraudulent activities.

If you come across suspicious emails and would like us to take a look at them, please forward the original message to phishing@uleth.ca.  Our security team will take a look at each submission and let you know if things are amiss.   By submitting you may also help us in identifying institution wide attacks and we can take steps to prevent further compromises.

For any questions or to express concerns, please don’t hesitate to reach out to our offices, as we’re always happy to assist you in keeping safe.