This website was set up to help you guard against security incidents. But what constitutes an incident? What do you see as a user, and what do you need to be aware of? This section of the website explains what security incidents are and how you can recognize them. You will also find information on actions to take to reduce the consequences of an incident and when to report an incident.
Infection
The following signs indicate that an incident has occurred and that, as a result, your device has become infected:
- your device is suddenly very slow;
- you get strange notifications;
- you see a lot of pop-ups when surfing;
- your device has files you have never seen before;
- you have lost files, your hard disc has been partially or completely wiped;
- your home page has changed;
- your browser has a new toolbar you did not request;
- friends and colleagues warn you that they are receiving strange emails from you;
- your virus scanner no longer updates or gives obscure error messages.
If one or more of the above signs occur, chances are that your device has become infected as a result of a security incident. Many infections are caused by phishing. If you are able to recognize a phishing attempt, you can avoid many problems yourself.
Phishing
Phishing is a form of fraud on the internet. You can recognize phishing emails by the following tricks:
- you are asked to provide personal details;
- the message has attachments. Never open files with the extensions .zip, .exe, .js, .lnk, .scr, .jar. Even .docx and .xlsx files can be damaging;
- the salutation is impersonal, e.g. ‘Dear Customer’ or ‘Dear Sir/Madam’;
- the sender is unclear, e.g. from a strange or abnormal email address;
- the message is sent without any reason and comes unexpectedly;
- the email contains a link to a malicious website.
Be aware that not all of these signs will be present in a single email. Criminals are becoming increasingly clever these days and have ways to circumvent the above characteristics.
In addition to these signs, always use common sense when you receive an email. Scammers are becoming increasingly cunning and their emails are starting to resemble legitimate emails.
The University uses MFA to make it harder for hackers to take over an account. Knowing a username and password is no longer enough. But MFA isn't 100% secure either.
AitM (Adversary-in-the-Middle) phishing is an advanced technique that allows hackers to steal not only your password but also your MFA code, thus gaining direct access to your accounts. Unlike traditional phishing, which only steals login credentials, AitM phishing acts as an "intermediary" that hijacks your entire session. This means that even if you use strong passwords and MFA, your security is not guaranteed.
What is AitM phishing?
AitM phishing is a clever form of phishing where hackers literally place themselves between you and the website you're logging into. They do this by using a malicious proxy server that acts as an "intermediary" between you and the legitimate website. This allows them to not only steal your login credentials but also your MFA codes and thus hijack active sessions.
How does it work?
- Receiving a phishing link: You receive an email with a link to a fake login page.
- Intermediary attack: The fake page forwards all entered data to the real website, including your MFA code.
- Session hijacking: The hacker intercepts the authentication information, allowing them to continue accessing your account without further authentication.
The biggest danger? Because the real website is used in this process, you often don't realise that your credentials have already been stolen!
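The session hijacking step can be spotted on the server side even though the user sees nothing unusual. The following is an added example, not part of the original page or of any University system: a heuristic that flags sessions used from a different client than the one that completed MFA. The log fields (`sid`, `ip`, `ua`, `kind`) and all sample events are constructed assumptions.

```python
# Constructed sample sign-in events (not real logs); field names are assumptions.
EVENTS = [
    # alice: MFA login and later use from the same client -> normal
    {"user": "alice", "sid": "s-101", "ip": "192.0.2.10", "ua": "Firefox/128", "kind": "mfa_login"},
    {"user": "alice", "sid": "s-101", "ip": "192.0.2.10", "ua": "Firefox/128", "kind": "request"},
    # bob: session later appears on another IP with another browser
    {"user": "bob", "sid": "s-202", "ip": "198.51.100.7", "ua": "Chrome/126", "kind": "mfa_login"},
    {"user": "bob", "sid": "s-202", "ip": "203.0.113.50", "ua": "Chrome/119", "kind": "request"},
    # carol: same browser, new IP (for example Wi-Fi to mobile data)
    {"user": "carol", "sid": "s-303", "ip": "192.0.2.44", "ua": "Safari/17", "kind": "mfa_login"},
    {"user": "carol", "sid": "s-303", "ip": "192.0.2.91", "ua": "Safari/17", "kind": "request"},
    # dave: session in use, but no MFA login for it was ever logged
    {"user": "dave", "sid": "s-404", "ip": "203.0.113.9", "ua": "Edge/126", "kind": "request"},
]
RANK = {"review": 1, "high": 2}


def find_suspect_sessions(events):
    """Flag sessions used from a client other than the one that passed MFA.

    Events must be in time order. Returns {session_id: finding}.
    """
    origin = {}    # session id -> (ip, user agent) seen at the MFA login
    findings = {}
    for e in events:
        sid = e["sid"]
        if e["kind"] == "mfa_login":
            origin[sid] = (e["ip"], e["ua"])
            continue
        if sid not in origin:
            level, reason = "review", "session used without a recorded MFA login"
        elif e["ip"] == origin[sid][0]:
            continue  # same network as the login: nothing to report
        elif e["ua"] != origin[sid][1]:
            level, reason = "high", "new IP and new browser on an existing session"
        else:
            # An IP change alone is common (Wi-Fi to mobile data, VPN)
            level, reason = "review", "new IP on an existing session"
        prev = findings.get(sid)
        if prev is None or RANK[level] > RANK[prev["level"]]:
            findings[sid] = {"user": e["user"], "level": level,
                             "reason": reason, "ip": e["ip"]}
    return findings


if __name__ == "__main__":
    for sid, finding in find_suspect_sessions(EVENTS).items():
        print(sid, finding)
```

A "high" finding is a reason to revoke the session and have the user sign in again; a "review" finding needs more context before acting.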
Why is AitM phishing so dangerous?
- MFA bypass: AitM phishing can bypass MFA, rendering the extra security layer you've set up ineffective.
- Invisible attack: Because the real website is used and sessions are hijacked, you often don't notice the attack.
- Suitable for large-scale attacks: Hackers can use automated tools to attack multiple accounts simultaneously.
How to protect yourself
Phishing by phone or in person
Criminals not only use email to infect your computer and/or obtain your data, but they also attempt to do so by phone or in person. In this way, these scammers try to get you to visit fraudulent websites, install malicious software or obtain login credentials. You can recognize a phishing attempt by phone, for example, by a foreign phone number or the poor English spoken. Phishing attempts in person can be made in various cunning ways, for example, by someone posing as a university staff member or student and requesting confidential information from you using a pretext.