By Kasra Zarei
From the 2016 Democratic National Committee email leak to the hundreds of University of Iowa faculty, staff, and students who had their HawkIDs and passwords obtained by unauthorized individuals, cyber-attacks remain a concern on a local and global scale.
Attackers can acquire personal information in a variety of ways, including through physical devices and email phishing scams. The recent incident at the UI involved unauthorized devices that were secretly attached to instructional computers to capture IDs and passwords.
While the exact nature of these devices is unclear, they are extremely common, said Zubair Shafiq, a UI assistant professor of computer science.
“These USB-based devices have unfortunately been used by students in many universities,” Shafiq said. “These devices can be programmed to do things like keylogging, copying data, and taking screenshots — when plugged in and the workstation boots up, they execute.”
The basic hardware and software needed to steal someone’s personal information can be easy to acquire.
“The commonly used physical devices can be bought from Best Buy, and a lot of the malicious software can be freely obtained through the black market,” Shafiq said.
Email phishing is also very common. It often starts with the victim receiving an email containing a URL that closely mimics an actual website. These emails, although seemingly innocuous, have the potential to steal a user’s personal information.
As an example, suppose the attacker wants to gain access to the credentials of the victim’s Amazon account. The phishing attack may start with the victim receiving a spam email with a URL that supposedly links to a free gift card.
“The URL may look like a legitimate Amazon URL, but actually, it is pointed to a visually indistinguishable phishing website that the victim is forwarded to after clicking on the URL,” said Omar Chowdhury, a UI assistant professor of computer science. “The victim is then asked to log in to their account to redeem the gift card. When the victim tries to log in with their username and password, an error message is shown, and then the victim is forwarded to the legitimate Amazon page, with their login credentials stolen.”
Furthermore, it is often difficult for victims to realize they have been phished, especially when they enter their information on a visually accurate website or they end up on a legitimate web page.
Often, the spelling of the URL also closely resembles that of the actual website.
“This common practice is called domain typosquatting,” Shafiq said. “Hackers will create a URL spelled like the real URL they are targeting and a web domain that mimics the actual website. Recently, this practice has also been used to create fake-news websites like abcnews.com.co.”
For instance, youtube.com may be used in a phishing email to target youtube.com.
“When hackers send out a phishing email, they’re hoping for a decent rate of return of people they can blackmail, even 0.01 percent of users,” Shafiq said.
While humans may be a weak link in the security framework, there are safe practices that can be followed to prevent the threat of cyber-attacks.
“Use and keep up-to-date with modern web browsers, like Chrome, that provide additional security mechanisms, like Safe-browsing application programming interface, that identify sites involved in phishing or malicious activity,” Shafiq said. “These mechanisms use crowd-sourcing technology that consists of many experts that vet websites and classify typosquatted domains.”
When using the web, be sure to look for the site identity button, the padlock that appears in the address bar when a safe, authenticated connection is being used.
Web users should also examine websites without clicking on them.
“Hover [don’t click] your mouse over URLs that appear in emails, and carefully inspect the domain at the bottom of the browser pane to see whether you know the URL address,” Chowdhury said.
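The domain inspection described above, and the typosquatting pattern it is meant to catch, can also be checked automatically. The following Python is an added example, not part of the original article: it compares a link's host against a short list of domains the reader trusts. The `TRUSTED` list, the function names, the distance threshold of 2, and every sample URL except abcnews.com.co are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist: domains the reader actually intends to visit.
TRUSTED = {"amazon.com", "youtube.com", "abcnews.com"}

def edit_distance(a, b):
    """Levenshtein distance, computed with a two-row dynamic program."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def classify_url(url, trusted=TRUSTED, max_distance=2):
    """Return (verdict, matched_trusted_domain) for the host in url."""
    # urlsplit drops any "user@" prefix, so text placed before an "@"
    # is never mistaken for the real host.
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return ("unparseable", None)
    for dom in sorted(trusted):
        if host == dom or host.endswith("." + dom):
            return ("trusted", dom)
    for dom in sorted(trusted):
        # Trusted name followed by extra labels, e.g. abcnews.com.co
        if host.startswith(dom + ".") or "." + dom + "." in host:
            return ("lookalike-embedded", dom)
    # Last two labels approximate the registered domain (an assumption;
    # a production check would consult the Public Suffix List).
    candidate = ".".join(host.split(".")[-2:])
    for dom in sorted(trusted):
        if 0 < edit_distance(candidate, dom) <= max_distance:
            return ("lookalike-typo", dom)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample links, apart from abcnews.com.co.
    for link in ("https://www.amazon.com/gp/gift",
                 "http://abcnews.com.co/story",
                 "http://youtubee.com/watch",
                 "https://amazon.com@login.example.net/"):
        print(link, "->", classify_url(link))
```

A verdict of "unknown" only means the host is neither trusted nor close to a trusted name; it is not a statement that the site is safe.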
When it comes to unauthorized physical devices that may pose a threat, be vigilant.
“Any student using a public computer in a lab, common area, or classroom should make sure that there are no devices connected between the keyboard and computer or anything else that looks like a flash drive connected to the machine before even attempting to log into the computer,” said Michael Hendrickson, a systems administrator in the College of Liberal Arts and Sciences.