TSUNAMI of Emails

November 8, 2019

Security awareness is a very important component of the University’s IT strategy. Every year October is celebrated as “Cyber Security Awareness” month. However, cybersecurity is not just a one-month thing - we have to be diligent and aware all year long to remain cyber secure.

During the month of October every year, the Information Security team puts in extra effort to educate the campus community about cyber threats, spread awareness about the impact of these threats, and provide tips on how users can defend themselves from such threats.

This includes:

  • Educating users via a wide variety of communications channels such as email messages, social media, digital signs focused on cyber threats.
  • Organizing the Information Security Roadshow where students and staff members learn about hot topics such phishing, the importance of strong passwords, and device security.

This year as part of our awareness campaign we carried out a three-day simulated phishing campaign against all undergraduate students who have registered for the September 2019 semester. During this exercise, Information Security imitated the behavior of an external malicious attacker attempting to steal University credentials.

Cybercriminals who conduct phishing scams usually tend to pose as representatives of a trusted, well-known organization, and ask for information that will allow them to impersonate their victims. Following the same methodology, we carried out this campaign impersonating the CCS Help Centre.

Have a look at the phrases below. Do they seem familiar?

These are all real samples of phishing messages that were used for this campaign. It was the first time that we conducted a phishing campaign of this scope, thus the code name chosen for this campaign was “TSUNAMI.”


Why Did You Do This?

The overall objective of the Information Security internal phishing program is to provide real-time education on the threat of phishing and to assist the campus community to detect phishing messages. Phishing continues to be one of the major threats to the University of Guelph’s community and every day there are numerous phishing attempts made against staff/faculty/student accounts. They often lure victims to click on links to install malware or trick them into divulging confidential information including passwords, credit card details, and other personal information. Phishing messages will often impersonate somebody that you know and trust, resembling executives or people in positions of authority in hope that their requests will not be questioned.

The exploitation of the human element remains one of the most significant factors in today’s security domain and is exploited exponentially by cybercriminals in phishing attacks (https://www.helpnetsecurity.com/2019/09/10/cyberattacks-human-interaction/). A real-world example is a report that MacEwan University fell victim to a phishing scam in 2017 and lost $10m in phishing scam (https://www.bbc.com/news/world-us-canada-41116177).

To learn about the impacts of phishing, please read this previously published blog post - https://uoguelph.ca/ccs/infosec/phishingimpact


How Did You Do This?

In this exercise, Information Security attempted to simulate as closely as possible an actual phishing attack aimed at students enrolled in undergraduate studies. The tactics and methods used are commonly seen in phishing campaigns targeting the University of Guelph and other higher education institutions.

More than 20,000 phishing emails were sent during the campaign, to full and part-time students. The Information Security team monitored all interactions with the phishing emails – which users opened the message, who clicked on the link, and who submitted credentials. It is important to note that we did not record credentials, only high-level metrics.


Were There Any Signs to Detect the Phishing Emails?

Since this campaign was aimed at creating awareness and educating students about phishing, we did intentionally leave telltale signs of phishing in the hopes that students would pick up on them.
If you didn’t, don’t worry, we will help you.

  • Email Address – We used three different email addresses to run this campaign, all impersonating as CCS Help Centre. So, inspecting the sender's address to match the organization it claims to be sent from would be the first sign of phishing. Why would your IT department sent you an email from a Gmail account or mail account - they wouldn't!

  • Wording – The second sign that students could have picked on, was the use of improper grammar. Phishing attempts often have spelling or grammatical errors. For this campaign, we also made some intentional errors.

  • Sense of Urgency – Typically phishing emails try to create a sense of urgency. We used the same mechanism and created a sense of urgency for the users, prompting them to click on the links. (Password expired, Account Locked or Suspended). 
  • Fake Landing Page – If they didn’t pick any of the above signs, the biggest and the last clue was on the landing page. When they clicked on the link, they were redirected to a fake login page. In the address bar of their browser, they would have noticed that the URL of the page was sso1.identity.uogue1ph.ca and the site was labeled as not secure.
    Please visit https://www.uoguelph.ca/ccs/infosec/evcertificates to learn more.


I did not pick up on the signs and submitted credentials, what now?
Since we did not record the credentials, you do not need to do anything. But I will still encourage you to change your Gryphon login password (it doesn’t hurt, right?)


I want to learn more about phishing

We have a ton of resources available for you to learn more about phishing and other cyber threats. These include:


Always remember, Cybersecurity is everybody's responsibility. It’s a shared job and we all need to play our part in order to reduce the impact of phishing attacks. By learning how to spot a phishing message, reporting fraudulent emails, and always practice safe e-mail and web browsing behaviors, you can help us improve our controls.


Written by: Satnam Deol (Cyber Security Analyst, Information Security)