It can happen to any of us … Inside the Deakin University Cyber Attack
I am a cyber security professional, and I have still been caught off guard more than once by messages and emails containing links. Have you ever received an unexpected SMS with a link about a pending parcel that very nearly had you clicking on it?
Anyone who owns a mobile phone has been in that position at least once. The timing of these texts is often very well planned, and on top of that they are quite convincing.
The recent Deakin University breach is another reminder of how an incident can start with a simple text message and end in substantial financial loss or compromised personal information. It shows that people can be deceived into handing over critical private information, and even the contents of their bank accounts.
Deakin is a well-known Australian university located in Victoria. In July 2022 it suffered a cyber attack that compromised the details of about 47,000 students. A hacker accessed a staff member's username and information held by a third-party provider. This provider had engaged with students before and had sent text messages to them in the past, so messages from it looked familiar. During the attack, 9,997 students received a text message claiming that a parcel was waiting for them and asking them to pay a customs fee.
The link in the message led to the fraudulent payment page. Separately, through the compromised provider access, the hacker downloaded the contact details of current and past students, including names, student IDs, mobile numbers, email addresses and comments that included recent unit results. This is why far more students were affected than the 9,997 who received the text.
This is not the first time a university has come under attack. In 2021, a cyberattack on RMIT forced the university to suspend new enrolments and classes and to defer a planned return to campus for academic staff.
Whom does it affect?
Is it only the organisation that was breached? Did the incident affect only the university and its current students? No. Organisations that interact with the breached one are affected too, and in this case staff details were exposed as well.
It was not only current students who were exposed; past students' details ended up in the hackers' hands as well.
According to the Australian Cyber Security Centre, the education and training sector is among the most heavily targeted by attackers.
What are we doing wrong?
Whenever we learn a new security solution or work on securing an IT environment, we hope we are one step ahead of the attackers. Unfortunately, that is only sometimes true. There are five common areas that need attention if we want to stay ahead of cyber attacks:
Take Phishing attempts seriously!
Phishing attempts are still too often not treated as the cyber crime they are. Yet phishing remains the number one threat action, which makes it the most common door to major threats such as malware and ransomware.
In phishing attacks, potential victims become actual victims when an email or text frightens them into acting because it appears to come from a senior person and is urgent in nature.
Using your head (not your heart)
Take emotion out of your decision making when it comes to clicking on links and believing texts. People often fall prey to fake romantic relationships and to the messages that come from them.
Treat Cyber Security as an investment not a cost
Many security professionals are narrowly focused on a few aspects of security. It is time for a holistic understanding of cyber attacks and their modus operandi. A shortage of skilled talent and a lack of cyber awareness make this harder.
Don’t think it is only an enterprise problem
A very common misconception is that attacks are highly sophisticated and happen only to big companies worth millions. In reality, the impact most often lands on the individuals at the edge of the organisation, which in Deakin's case meant its students.
Prioritise Awareness Training
Cyber security practitioners are usually tech-savvy and technically skilled. This can lead them to give awareness training a lower priority because it is seen as non-technical. Yet awareness training is very effective. After all, what is cyber security about? It is not only about protecting a team or a single company from breaches, but also about protecting ordinary individuals from all backgrounds from being compromised.
What to do?
The biggest source of reluctance in cyber security is still the perceived cost and complexity of implementing cyber programmes.
There is no single cure for your next security threat. Staying safe is a constant, shared effort between the community and the professionals.
Here are some practical tips you should implement:
- Even if you are expecting a parcel and the message looks completely genuine, always check the source of any email or SMS that contains a link. Where possible, go to the courier's official website or app directly rather than following the link in the message.
- Look up the sender's number and email address in open sources to see whether they are genuine.
- Consider platforms such as KnowBe4, the world's largest integrated platform for security awareness training, which combines training with simulated phishing attacks.
- Talk about security with people who do not know it or who underestimate its importance and implications.
- It is always better to spend a moment thinking before you click than to spend time regretting it later.
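To make the first two tips concrete, here is a small link-triage script, added as an illustration for this article and not part of the Deakin incident or of any vendor's tooling. It pulls the URLs out of an SMS and flags the indicators a practitioner would check before trusting a "parcel fee" link: plain HTTP, a raw IP address as the host, punycode hosts, URL shorteners that hide the destination, credentials embedded before the host, and brand names (such as a courier) appearing on a domain that is not the courier's own. The sample messages, the expected-sender list (auspost.com.au) and the brand keywords are constructed assumptions for the example.

```python
"""Triage the links in a suspicious SMS before deciding whether to trust them.

Added example for this article; the messages below are constructed, not real.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample texts, modelled on the "parcel fee" lure described above.
SAMPLE_SMS = [
    "Your parcel is held at customs. Pay the $2.99 fee within 24h: http://auspost-customs-fee.top/pay?id=8831",
    "AusPost: track your delivery at https://auspost.com.au/mypost/track/#/details/ABC123",
    "Parcel waiting. Confirm your address: https://bit.ly/3xYzAbc",
    "Delivery update: http://192.168.50.7/track",
    "Re-delivery fee required: https://auspost.com.au.track-parcel.info/pay",
]

# Assumption: the courier you actually expect a parcel from. Any link that
# does not land on one of these registrable domains is treated as unexpected.
EXPECTED_DOMAINS = {"auspost.com.au"}
# Assumed list of common shorteners; real tooling would use a maintained list.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly"}
# Assumed brand keywords that attackers like to embed in lookalike domains.
BRAND_WORDS = ("auspost", "startrack", "dhl", "fedex", "ups", "toll")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host: str) -> str:
    """Naive registrable-domain guess: last two labels, or last three for
    'second-level + 2-letter country code' forms such as example.com.au.
    Production code should use the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    if (len(labels) >= 3 and labels[-2] in {"com", "net", "org", "edu", "gov", "co", "ac"}
            and len(labels[-1]) == 2):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyse_url(url: str, expected_domains=EXPECTED_DOMAINS) -> dict:
    """Return the indicators that make a single URL suspicious (empty list = none found)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme.lower() != "https":
        reasons.append("not HTTPS")
    if "@" in parts.netloc:
        reasons.append("credentials in URL hide the real host")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode (IDN) host, possible homoglyph attack")
    rd = "" if is_ip(host) else registrable_domain(host)
    if is_ip(host):
        reasons.append("raw IP address as host")
    elif rd in SHORTENERS:
        reasons.append("URL shortener hides the real destination")
    elif rd in expected_domains:
        pass  # lands on the sender we expect; remaining checks still apply
    elif any(brand in host for brand in BRAND_WORDS):
        reasons.append(f"brand name used on unrelated domain {rd}")
    else:
        reasons.append(f"domain {rd} is not an expected sender")
    return {"url": url, "host": host, "registrable_domain": rd,
            "suspicious": bool(reasons), "reasons": reasons}


def triage_sms(text: str) -> list:
    """Extract every URL from an SMS body and analyse each one."""
    urls = [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]
    return [analyse_url(u) for u in urls]


if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        for result in triage_sms(sms):
            verdict = "SUSPICIOUS" if result["suspicious"] else "looks expected"
            print(f"{verdict:14} {result['url']}")
            for reason in result["reasons"]:
                print(f"               - {reason}")
```

Note that the last sample is served over HTTPS and even contains "auspost.com.au" as a subdomain; only the registrable-domain check (track-parcel.info) catches it, which is exactly why a padlock icon is not a reason to trust a link.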
Attackers keep finding new ways to trick the readers of phishing texts, which makes it harder for security professionals and users alike to stay educated and aware of emerging dangers.
The Deakin University breach is a classic example of a smishing attack.
Smishing (by SMS), vishing (by voice call) and phishing (by email) are very easy to deploy and can lead to serious cyber crimes such as ransomware. What all of them have in common is that they exploit human trust through carefully planned social engineering.
Security is not just the business of cyber security analysts, security managers or CISOs. It is much more than that. In all honesty, it starts with the most basic grains of cyber awareness.
One major task of every cyber security professional is to implement effective plans and programmes for cyber security awareness among their teams and the wider population.
Skillfield is an Australian based IT services consultancy company empowering businesses to excel in the digital era. Across our two main practices of Cyber Security & Data Services, our talented and committed professionals provide smart and simplified solutions to complex cyber security and big data challenges.