Cardiff Met has gone phishing

By Gareth Johns, Digital Skills Manager

In September 2021 Cardiff Met ran a phishing simulation to raise awareness of phishing and the serious threat it can pose to the cyber security of the university. This brief article explains a bit about the simulation and why we ran it.

First up, what is phishing?

Phishing is a form of social engineering that aims to trick people into disclosing sensitive information or gain access to systems by stealing log-on credentials.

Phishing is by far the most prominent type of cybercrime (FBI report, 2020 p19) and is the number one cause of data breaches (Data Breach Investigations Report, 2020 p.13).

The most common form of phishing attack is email. Attackers will craft an email that will try to get you to click on malicious links or ask for personal information, such as credit card numbers.

What is a phishing simulation?

A phishing simulation is a common measure organisations use to raise awareness of phishing and digital security in general. It involves sending a “fake” phishing email that includes a link. Those who click on the link are informed they are part of the simulation and are asked to complete training.

How did the simulation work in September 2021?

In September of 2021 we used Sophos Phish Threat to send a phishing simulation to all Cardiff Met staff. The email informed staff about a new HR system and asked them to follow a link to activate their account. The link led to the training, but in a real attack it would lead to malicious site that would attempt to harvest personal details or usernames and passwords.

The email was characteristic of a real attack, in that it included:

• An urgent call to action – “you must actviate [sic] your account in the next seven days”.
• A suspicious link – hovering your mouse over the link would have revealed a suspicious link.
• Poor spelling and grammar – the email is not well written and contains spelling mistakes.
• Mismatched email domain – the sender’s domain was myhr-portal.site, which is not a Cardiff Met domain.

In fact, the email was a spear phishing attack. Spear phishing is targeted phishing; attackers use characteristics of the recipient and/or organisation to appear more legitimate. In this simulation you were addressed by your last name and the email referred to an upgrade of the HR system, which actually happened earlier this month.

What should I have done?

If you think you have received a phishing or spear phishing email:

• DO NOT click links in the email or open attachments
• REPORT IT to the IT Helpdesk

A convenient way to report an email to the Helpdesk is to use the Report Message button that is available in Outlook.

Paranoia is the best position, if you are not sure, report it.

Why are you trying to trick us?

Our intention was not to trick you or catch you out, but instead raise awareness and resilience to phishing attacks and improve Cardiff Met’s cyber security.

Phishing simulations and associated training have proven to raise awareness of cybersecurity (Chatchalermpun and Daengsi, 2021), contribute to “cultivating user's resistance to phishing attacks” (Jansson and Solms, 2013) with Gordon et al. (2019) suggesting that the simulation alone (without the training) reduces click rates and thus the threat to the organisation.

How did the simulation go at Cardiff Met?

We will let you know the results of the Cardiff Met simulation, e.g. how many people clicked the link, how many reported the message later this year, so keep an eye on the Insite portal for an article.

References

Chatchalermpun, Surachai & Daengsi, Therdpong, 2021. Improving cybersecurity awareness using phishing attack simulation. IOP conference series. Materials Science and Engineering, 1088(1), p.12015.

Gordon, William J et al., 2019. Evaluation of a mandatory phishing training program for high-risk employees at a US healthcare system. Journal of the American Medical Informatics Association : JAMIA, 26(6), pp.547–552.

Jansson, K & von Solms, R, 2013. Phishing for phishing awareness. Behaviour & information technology, 32(6), pp.584–593.

Gair i gall am gwe-rwydo

Gan Gareth Johns, Rheolwr Sgiliau Digidol

Ym mis Awst 2021 cynhaliodd Met Caerdydd efelychiad gwe-rwydo i godi ymwybyddiaeth o we-rwydo a'r bygythiad difrifol y gall ei beri i seiberddiogelwch y brifysgol. Mae'r erthygl fer hon yn esbonio ychydig am yr efelychiad a pham y gwnaethom ei redeg.

Yn gyntaf, beth yw gwe-rwydo?

Mae gwe-rwydo yn fath o beirianneg gymdeithasol sy'n ceisio twyllo pobl i ddatgelu gwybodaeth sensitif neu gael mynediad at systemau trwy ddwyn manylion mewngofnodi.

Gwe-rwydo yw'r math amlycaf o seiberdroseddu o bell ffordd ( adroddiad FBI, 2020 t19) a dyma brif achos torri data ( Adroddiad Ymchwiliadau Torri Data, 2020 t.13).

Y math mwyaf cyffredin o ymosodiad gwe-rwydo yw trwy e-bost. Bydd ymosodwyr yn creu e-bost a fydd yn ceisio eich annog i glicio ar ddolenni maleisus neu ofyn am wybodaeth bersonol, megis rhifau cardiau credyd.

Beth yw efelychiad gwe-rwydo?

Mae efelychiad gwe-rwydo yn fesur cyffredin y mae sefydliadau'n ei ddefnyddio i godi ymwybyddiaeth o we-rwydo a diogelwch digidol yn gyffredinol. Mae'n cynnwys anfon e-bost gwe-rwydo “ffug” sy'n cynnwys dolen. Hysbysir y rhai sy'n clicio ar y ddolen eu bod yn rhan o'r efelychiad a gofynnir iddynt gwblhau hyfforddiant.

Sut wnaeth yr efelychiad weithio ym mis Awst 2021?

Ym mis Medi 2021 gwnaethom ddefnyddio Bygythiad Gwe-rwydo Sophos i anfon efelychiad gwe-rwydo i holl staff Met Caerdydd. Hysbysodd yr e-bost staff am system AD newydd a gofynnodd iddynt ddilyn dolen i actifadu eu cyfrif. Arweiniodd y cyswllt at yr hyfforddiant, ond mewn ymosodiad go iawn byddai'n arwain at safle maleisus a fyddai'n ceisio cynaeafu manylion personol neu enwau defnyddwyr a chyfrineiriau.

Roedd yr e-bost yn nodweddiadol o ymosodiad go iawn, yn yr ystyr ei fod yn cynnwys:

• Galwad frys i weithredu - “rhaid i chi actifadu eich cyfrif yn ystod y saith niwrnod nesaf”.
• Dolen amheus - byddai hofran eich llygoden dros y ddolen wedi datgelu dolen amheus.
• Sillafu a gramadeg gwael - nid yw'r e-bost wedi'i ysgrifennu'n dda ac mae'n cynnwys camgymeriadau sillafu.
• Parth e-bost ddim yn cyfateb i’r un gywir - parth yr anfonwr oedd myhr-portal.site, nid yw'n barth Met Caerdydd.

Mewn gwirionedd, ymosodiad gwe-drywanu oedd yr e-bost. Gwe-rwydo wedi'i dargedu yw gwe-drywanu; mae ymosodwyr yn defnyddio nodweddion y derbynnydd a/neu'r sefydliad i ymddangos yn fwy dilys. Yn yr efelychiad hwn fe'ch cyfeiriwyd atoch gyda’ch enw cyntaf a chyfeiriodd yr e-bost at uwchraddiad sydd ar ddod o'r system AD, a fydd yn digwydd yn ddiweddarach eleni mewn gwirionedd.

Beth ddylwn i fod wedi'i wneud?

Os credwch eich bod wedi derbyn e-bost gwe-rwydo neu gwe-drywanu:

• PEIDIWCH â chlicio dolenni yn yr e-bost neu agor atodiadau
• RIPORTIWCH YR E-BOST i'r Ddesg Gymorth TG

Ffordd gyfleus i'w riportio i'r Ddesg Gymorth yw defnyddio'r botwn Report Message sydd ar gael yn Outlook.

Mae bod yn amheus yn peth doeth, os nad ydych yn siŵr am e-bost, rhowch wybod i ni amdani.

Pam ydych chi'n ceisio ein twyllo?

Nid eich twyllo neu eich dal chi allan oedd ein bwriad, ond yn hytrach codi ymwybyddiaeth a cydnerthedd i ymosodiadau gwe-rwydo a gwella seiberddiogelwch Met Caerdydd.

Mae efelychiadau gwe-rwydo a hyfforddiant cysylltiedig wedi profi i godi ymwybyddiaeth o seiberddiogelwch (Chatchalermpun a Daengsi, 2021), cyfrannu at “feithrin ymwrthedd defnyddiwr i ymosodiadau gwe-rwydo” (Jansson and Solms, 2013) gyda Gordon et al. (2019) sy'n awgrymu bod yr efelychiad yn unig (heb yr hyfforddiant) yn lleihau cyfraddau clicio ac felly'r bygythiad i'r sefydliad.

Sut aeth yr efelychiad ym Met Caerdydd?

Byddwn yn rhoi gwybod i chi am ganlyniadau efelychiad Met Caerdydd, e.e. faint o bobl a gliciodd y ddolen, faint a adroddodd y neges yn hwyrach eleni, felly cadwch lygad ar borth Insite am erthygl.

Cyfeirnodau

Chatchalermpun, Surachai a Daengsi, Therdpong, 2021. Improving cybersecurity awareness using phishing attack simulation. IOP conference series. Materials Science and Engineering, 1088(1), t.12015.

Gordon, William J et al., 2019. Evaluation of a mandatory phishing training program for high-risk employees at a US healthcare system. Journal of the American Medical Informatics Association : JAMIA, 26(6), tt.547–552.

Jansson, K a von Solms, R, 2013. Phishing for phishing awareness. Behaviour & information technology, 32(6), tt.584–593.