Pitt IT implements new security measures in wake of phishing barrage

By SHANNON O. WELLS

Dealing with the aftermath of a recent spate of fraudulent-email, or “phishing,” attacks delivered across Pitt’s vast email universe, John Duska, Pitt’s interim chief information security officer, finds tendencies in the University community and beyond both comforting and disconcerting.

“The thing about phishing that is kind of strange, the vast majority of people are good at recognizing it, but the people that aren't good at recognizing it really have a hard time learning how to recognize it,” he said. “And that's just an industry-wide thing for whatever reason. But that's what we hear from other people as well.”

Duska updated the Computer & Information Technology Committee on how Pitt IT has responded to a barrage of phishing attacks — sending fraudulent emails to gain sensitive information — this fall at the committee’s Oct. 27 meeting. Mark Henderson, Pitt’s chief information officer, said he invited Duska because of the quantity and severity of the attacks.

“As many of you are aware, we had quite a number of phishing attacks over the last couple of weeks,” Henderson said. “The initial one was pretty severe, so much that I think 370,000 additional phish were generated as a result of activities that kind of began in the alumni email space.”

The scam propagated further, leading to more than 100 Pitt community members clicking on phish messages. This led to several IT challenges, including the University’s email being blacklisted by Allegheny Health Network and Highmark, he said.

“(Duska) came to me with a number of recommendations after doing a deep dive on what kind of challenges that we had,” including several with implications for the University and for faculty, in particular, Henderson said.

The initial attack took place Oct. 6, which Duska called “probably the largest phishing attack that we have seen in recent memory.” The attacks compromised 21 Pitt accounts, each of which was used to send more phish, “so it just became a cascading effect,” he said.

“The good news is it wasn't a very malicious attacker (and) wasn't a malicious payload. It was simply to get more people to fall for these phish and to spread more phish,” Duska added. “So that's why it ended up (growing to) 370,000.”

The main concern, however, is a highly malicious payload in the future. “This could be a bad actor testing our response, how quickly phish spread at the University, what kind of success they could have if they were to try to spread ransomware, for example,” he said.

In response, Pitt IT has already implemented some measures and is considering others. Anyone who falls victim to a phish is enrolled in IT’s phish security training, which consists of a 15-minute educational video. They are then enrolled in a phishing simulation program in which IT sends them “safe,” or simulated, phish as tests for several months.

“That's an exercise to help them recognize phish, and we can track their progress,” Duska said. “Secondly, we enable modern authentication, which is a fancy way of saying multi-factor authentication or a Duo (mobile device app verification) is required anytime a user sets up or changes access to Pitt email on a device.

“Bad actors rely on you not having that. Once they have someone's username and password, they can simply set up an email and send mail on behalf of that user,” he added. “So that's another layer of protection.”

Thirdly, IT has expanded anti-phishing filtering rules to all pitt.edu email, rather than just external email. While email-based scams traditionally come from outside the institution, “that's not what we're seeing anymore,” Duska said. “We're seeing the phish originating from pitt.edu. And our traditional email filtering doesn't work that way.”

Previously, pitt.edu emails were excluded from filtering. “If an email originates from someone internally, it looks safer to the computer” when it determines whether a message is or is not a phish.

“So we enabled that policy to now consider internal emails just as much a risk as external emails,” he said. “Because again, the bad actors are taking advantage of that.”
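To make the filtering change concrete, here is an added illustration in Python; it is not Pitt IT's filtering logic, which the article does not describe. A toy scorer rates a handful of constructed messages, and the same scorer is run under two policies: the old one, which never scored mail from a pitt.edu sender, and the new one, which scores everything. The lure phrases, the link check, the threshold and every address and domain in it are assumptions made for the example.

```python
"""Old vs. new filtering policy: whether internal (pitt.edu) senders are exempt.

Added illustration only. The lure patterns, link check and threshold are a
toy stand-in for a real anti-phishing engine; the messages are constructed.
The single thing being demonstrated is the `exempt_internal_senders` flag.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

INTERNAL_DOMAIN = "pitt.edu"
LURE_PATTERNS = [                       # assumed credential-lure phrases
    r"verify your (account|password)",
    r"account (will be )?(suspended|deactivated)",
    r"urgent action",
    r"sign in (here|now)",
]
THRESHOLD = 3                           # assumed quarantine threshold


@dataclass
class Message:
    name: str
    sender: str
    reply_to: str
    subject: str
    body: str
    links: list


# Constructed messages: an external phish, a phish sent from a compromised
# pitt.edu account, and two legitimate internal messages.
SAMPLE_MESSAGES = [
    Message("external-phish", "it-support@pitt-helpdesk.example.net", "it-support@pitt-helpdesk.example.net",
            "Urgent action required",
            "Your account will be suspended. Sign in here to verify your password.",
            ["https://pitt-helpdesk.example.net/login"]),
    Message("internal-phish", "alum.e@pitt.edu", "alum.e@pitt.edu",
            "Mailbox storage full",
            "Your account will be deactivated today. Verify your account at the link to keep it.",
            ["https://pitt-mail-quota.example.net/verify"]),
    Message("internal-legit", "staff.d@pitt.edu", "staff.d@pitt.edu",
            "Agenda for Thursday", "Notes are on the shared drive, see link.",
            ["https://my.pitt.edu/notes"]),
    Message("internal-zoom", "prof.a@pitt.edu", "prof.a@pitt.edu",
            "Seminar recording", "Recording of today's seminar is available.",
            ["https://pitt.zoom.us/rec/share/abc"]),
]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def is_internal_host(host):
    return host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)


def phish_score(msg):
    """Toy score: one point per lure phrase, one for a Reply-To domain that
    differs from the sender's, two for any link whose host is outside pitt.edu."""
    text = f"{msg.subject} {msg.body}".lower()
    score = sum(1 for pat in LURE_PATTERNS if re.search(pat, text))
    if domain_of(msg.reply_to) != domain_of(msg.sender):
        score += 1
    if any(not is_internal_host(urlparse(link).hostname or "") for link in msg.links):
        score += 2
    return score


def filter_message(msg, exempt_internal_senders):
    """Return 'deliver' or 'quarantine'. With exempt_internal_senders=True (the
    old policy) mail from a @pitt.edu sender is never scored at all, which is
    exactly what a compromised internal account takes advantage of."""
    if exempt_internal_senders and domain_of(msg.sender) == INTERNAL_DOMAIN:
        return "deliver"
    return "quarantine" if phish_score(msg) >= THRESHOLD else "deliver"


def run_policy(messages, exempt_internal_senders):
    return {m.name: filter_message(m, exempt_internal_senders) for m in messages}


if __name__ == "__main__":
    print("old policy:", run_policy(SAMPLE_MESSAGES, exempt_internal_senders=True))
    print("new policy:", run_policy(SAMPLE_MESSAGES, exempt_internal_senders=False))
```

Under the old policy the external phish is quarantined but the one sent from the compromised alumni account sails through untouched; under the new policy both are quarantined, while the two ordinary internal messages (including the one with an off-campus Zoom link) still fall below the threshold and are delivered.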

Measures IT is considering implementing include:

Limiting the number of emails an account can send in a given timeframe. The current limit is 10,000 emails per day, but Duska asked, “How many people really need to send 10,000 emails a day? If you do need to send a large number of emails, you probably should be using a bulk email tool such as Campaign Monitor. Otherwise, it's just another risk to us. And that's what allows us to get up to the ridiculously high number (of 370,000 phishing emails).

“That's far more than the number of people or accounts that we have at the University. So that would slow down the proliferation of any type of phishing attack,” he added. “If we come up with, say, even 1,000 emails a day, that would help.”
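The following Python sketch is an added illustration of how such a cap would catch the behaviour described above; it is not Pitt IT's mail system or its actual rule. It replays a constructed message trace through a rolling 24-hour counter, once with the current 10,000-per-day ceiling and once with the 1,000 figure Duska floated. Counting recipients rather than messages is a deliberate choice: a single phish addressed to 50 people is 50 chances for someone to click. The sender names, timestamps and volumes are all made up for the example.

```python
"""Rolling-window outbound send cap, as an added illustration (not Pitt IT's code).

Constructed message-trace records: (sender, timestamp, recipient_count).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

CURRENT_CAP = 10_000   # per day, as described in the article
PROPOSED_CAP = 1_000   # the figure Duska floated


def build_sample_trace():
    """Constructed trace for one morning: an ordinary user, a legitimate bulk
    sender, a compromised account bursting phish, and a sender whose volume is
    spread across two days (so a rolling window must not lump it together)."""
    base = datetime(2022, 10, 6, 8, 0)
    trace = []
    for i in range(3):                                  # alice: three one-recipient messages
        trace.append(("alice@pitt.edu", base + timedelta(hours=i), 1))
    trace.append(("newsletter@pitt.edu", base, 600))                      # two genuine mailings
    trace.append(("newsletter@pitt.edu", base + timedelta(hours=2), 600))
    for i in range(30):                                 # compromised account: 30 phish x 50 recipients in an hour
        trace.append(("alum123@pitt.edu", base + timedelta(minutes=2 * i), 50))
    trace.append(("spread@pitt.edu", base, 700))                          # 700 recipients now ...
    trace.append(("spread@pitt.edu", base + timedelta(hours=30), 700))    # ... and 700 thirty hours later
    return trace


def find_cap_violations(trace, cap, window=timedelta(hours=24)):
    """Return {sender: (recipients_in_window, timestamp)} for each sender at the
    moment it first exceeds `cap` recipients within any rolling `window`.
    Each sender is reported once; a real system would block its further mail."""
    recent = defaultdict(deque)   # sender -> (timestamp, recipients) events still inside the window
    totals = defaultdict(int)     # sender -> recipients currently counted in the window
    breaches = {}
    for sender, ts, recipients in sorted(trace, key=lambda rec: rec[1]):
        if sender in breaches:
            continue
        events = recent[sender]
        while events and ts - events[0][0] >= window:   # expire events that fell out of the window
            _, old = events.popleft()
            totals[sender] -= old
        events.append((ts, recipients))
        totals[sender] += recipients
        if totals[sender] > cap:
            breaches[sender] = (totals[sender], ts)
    return breaches


if __name__ == "__main__":
    trace = build_sample_trace()
    for cap in (CURRENT_CAP, PROPOSED_CAP):
        hits = find_cap_violations(trace, cap)
        print(f"cap={cap}: {hits or 'no sender exceeded the cap'}")
```

At 10,000 nothing in the trace is flagged, including the compromised account, which is the article's point. At 1,000 the compromised account is stopped at its 21st message (1,050 recipients, forty minutes in), and the legitimate newsletter is flagged too, which is the trade-off Duska acknowledges by pointing large senders at a bulk email tool. The sender spread across two days is never flagged, because the window expires its first batch before the second arrives.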

Auto-forwarding restrictions: Pitt currently allows users to auto-forward all of their pitt.edu email to an external account such as Gmail or Hotmail. Restricting that to UPMC addresses for dually employed staff would greatly cut down on the success bad actors have with phishing, he said.

Once email is forwarded outside of Pitt, the security team “loses all visibility. If we hear about a phish right now, we can identify it in your mailbox and delete it before you even realize you have it. You won't even have a chance to interact with it,” Duska said.

“However, if you forwarded to Gmail, it's gone from your email address. Your Pitt email account appears in Gmail. We have no ability to recall that bad message from Gmail,” he added. “So we lose insight. We don't know if you've interacted with it on Gmail, and we can’t take any measures to prevent you from interacting with it.”

Reducing active alumni accounts: Duska called Pitt alumni accounts the “single biggest risk as far as phishing goes,” noting that more alumni forward email externally than any other group. “Almost a third of alumni accounts are externally forwarded. Whereas staff and faculty are much lower percentages.”

The almost 3,000 alumni accounts at Pitt don't use multi-factor authentication, and the cost of enabling this feature for that many accounts is “significant,” Duska said.

“So the best course of action here is to at least look at reducing the number of active alumni accounts. Many of them are not being used. And when they are used, they're used just for malicious purposes, to proliferate spam and phishing attempts,” he said, adding that any accounts that are kept should be considered for multi-factor authentication.
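The auto-forwarding and alumni-account proposals above both come down to an audit question: who forwards where, which forwards would survive a UPMC-only carve-out, and which alumni accounts are dormant or lack MFA. The Python below is an added illustration of that audit, not Pitt IT's tooling; the mailbox records are constructed, and the field layout, the one-year dormancy threshold and the allow-listed domain are assumptions.

```python
"""Audit of external forwarding and dormant, MFA-less alumni accounts (added illustration).

Mailbox records are constructed; the field layout (address, group, forward_to,
mfa_enabled, last_login), the dormancy threshold and the allow-list are assumptions.
"""
from collections import Counter
from datetime import date, timedelta

INTERNAL_DOMAINS = {"pitt.edu"}
ALLOWED_FORWARD_DOMAINS = {"upmc.edu"}   # the carve-out proposed for dually employed staff

SAMPLE_MAILBOXES = [
    # (address, group, forward_to, mfa_enabled, last_login)
    ("prof.a@pitt.edu",  "faculty", None,                 True,  date(2022, 10, 25)),
    ("prof.b@pitt.edu",  "faculty", "prof.b@gmail.com",   True,  date(2022, 10, 20)),
    ("staff.c@pitt.edu", "staff",   "staff.c@upmc.edu",   True,  date(2022, 10, 26)),
    ("staff.d@pitt.edu", "staff",   None,                 True,  date(2022, 10, 26)),
    ("alum.e@pitt.edu",  "alumni",  "alum.e@hotmail.com", False, date(2019, 3, 1)),
    ("alum.f@pitt.edu",  "alumni",  "alum.f@gmail.com",   False, date(2022, 9, 30)),
    ("alum.g@pitt.edu",  "alumni",  None,                 False, date(2018, 6, 12)),
    ("alum.h@pitt.edu",  "alumni",  None,                 False, None),   # never logged in
    ("alum.i@pitt.edu",  "alumni",  "friend@pitt.edu",    False, date(2022, 10, 1)),
    ("alum.j@pitt.edu",  "alumni",  None,                 False, date(2022, 10, 24)),
]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def classify_forward(forward_to):
    """'none', 'internal', 'allowlisted' or 'external' (the case where the
    security team loses the ability to recall a bad message)."""
    if forward_to is None:
        return "none"
    dom = domain_of(forward_to)
    if dom in INTERNAL_DOMAINS:
        return "internal"
    if dom in ALLOWED_FORWARD_DOMAINS:
        return "allowlisted"
    return "external"


def forwarding_report(mailboxes):
    """Per-group percentage of accounts forwarding to unapproved external domains,
    plus the (account, destination) pairs a UPMC-only rule would cut off."""
    totals, external, offenders = Counter(), Counter(), []
    for addr, group, fwd, _mfa, _last in mailboxes:
        totals[group] += 1
        if classify_forward(fwd) == "external":
            external[group] += 1
            offenders.append((addr, fwd))
    shares = {g: round(100 * external[g] / totals[g], 1) for g in totals}
    return shares, offenders


def dormant_accounts(mailboxes, today, max_idle_days=365, group="alumni"):
    """Accounts in `group` with no login within max_idle_days (or ever): deactivation candidates."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(addr for addr, g, _f, _m, last in mailboxes
                  if g == group and (last is None or last < cutoff))


def active_without_mfa(mailboxes, today, max_idle_days=365, group="alumni"):
    """Accounts in `group` still in use but without MFA: the ones to keep and enroll."""
    dormant = set(dormant_accounts(mailboxes, today, max_idle_days, group))
    return sorted(addr for addr, g, _f, mfa, _l in mailboxes
                  if g == group and not mfa and addr not in dormant)


if __name__ == "__main__":
    today = date(2022, 10, 27)   # assumed audit date
    shares, offenders = forwarding_report(SAMPLE_MAILBOXES)
    print("externally forwarded, by group (%):", shares)
    print("forwards a UPMC-only rule would block:", offenders)
    print("dormant alumni accounts:", dormant_accounts(SAMPLE_MAILBOXES, today))
    print("active alumni without MFA:", active_without_mfa(SAMPLE_MAILBOXES, today))
```

On the constructed data the alumni group shows the one-third external-forwarding share Duska describes, the staff member forwarding to UPMC is left alone, and the alumni population splits into dormant accounts to retire and a smaller set of active accounts that would actually need MFA, which is the cost question raised below.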

Expressing concerns about the per-person cost of the latter, Klaus Libertus, assistant professor of psychology, asked about the possibility of switching from Duo to another provider, such as Microsoft. Duska said it’s possible Pitt could use something like Microsoft Authenticator, “which we already have a license for, for alumni accounts,” he said. “That’ll have to be explored.”

Duska also agreed with Libertus’ suggestion to add a “gaming” element to simulated phishing exercises, to provide an entertaining incentive to participate.

“That is something that we are exploring. We do have the ability,” Duska said. “Our training tool has recently added badges to the training programs. So you can earn badges by completing different training, which touches on that gamification (concept). … And we're also thinking about publishing statistics.

“You could kind of have departments fighting each other, or groups, to see who's the most security-aware,” he added. “Those are all great ideas that we are considering as well.”

In addition to inviting Duska to address the computer committee, Henderson said he has discussed computer and email security with members of Senate Council and Staff Council, among others, to gather feedback on the recommendations.

“We're not going to pull a lever on this tomorrow,” Henderson said. “And part of our socialization process and soliciting feedback is coming before this group to share with you our thinking and to understand potential challenges that may accrue as a result of implementing these recommendations.”

Shannon O. Wells is a writer for the University Times. Reach him at shannonw@pitt.edu.
