Gardiner: Phishing attacks open gateway to trouble

Recently, a mistyped Google search caused me to stumble across this definition:

gate·way drug * noun

noun: gateway drug; plural noun: gateway drugs

A habit-forming drug that, while not itself addictive, may lead to the use of other addictive drugs.

I was specifically researching cyber-threats associated with spam and phishing, since those particular threats seem to be the ones most encountered by our community. Phishing and spam are risks you wouldn’t think the above definition could resonate with. However, the more I reflected on it, the more I connected the two.

Analyzing risk associated with recreational drug use has uncovered an interesting dichotomy. Social norms view addictive drugs differently than non-addictive drugs. However, the concept of a gateway drug suggests that some non-addictive drugs should not be viewed in a different light because their end-effects are the same.

Western is interested in spam and phishing for a number of reasons.

Economically, the same infrastructure that delivers your email spends significantly more time dealing with spam than delivering your email. (A conservative estimate suggests no less than 66 per cent more time is spent on spam than legitimate email.) As an Information Age institution, Western possesses great information assets that are being targeted globally for theft or compromise. So, Western assumes an information security posture on behalf of its community to address this risk.

According to FireEye, an information security company with expertise in email-based cyber-attacks, the North American educational sector is the sector most targeted by spam/phishing attempts. This concern is not incidental.

As part of its information-security strategy, Western engages its community to bolster its defenses; spam/phishing is the obvious place to start doing this.

Cyber-Security Awareness Month, in October, exposed a community perception that while spam/phishing might be a nuisance, there was doubt it was really a threat. This runs counter to a view emerging amongst Canadian university information security officers that spam/phishing attacks are often gateway attacks for much more insidious threats.

For example, a phishing attack at Western in September promised some benefit in exchange for proof students were students. Specifically, it asked them for an image of their Western One Card. At least one student had their campus meal plan compromised as a result.

More frighteningly, the FBI reports that American and Canadian university human resources systems are being targeted in attacks designed to redirect faculty/staff pay into accounts students were being tricked into setting up as the scammers’ sock-puppets. A sequence like this could turn a harmless spam recipient into an identity-theft victim – perhaps even an unknowing accomplice in a criminal enterprise.

These attacks are continuing and evolving from brute force to surprising sophistication and determination.

Spam/phishing is a ‘gateway’ activity – a nuisance ultimately designed to lead to much more insidious activities. This should be a sobering thought.

But what can Western and its community do in response?

Western is using nearly every tool available to it to stop spammers from reaching our community. However, this effort will never be perfect.

Western’s Cyber-Smart team continues to raise awareness about issues like this in the hopes a healthy dialogue between community members will enhance the people side of security. Last week, you received an email outlining our efforts, and perhaps you also participated in the ITS-led session on cyber-security at the Western Staff & Leaders Conference. On our website, security.uwo.ca/, ITS provides resources for you to use.

With your added vigilance, we all can be part of the #ProtectU campaign at Western – not only to protect ourselves, but also each other as members of our university community.

Jeff Gardiner is the Central Information Security Officer for Western’s Information and Technology Services (ITS).