Introduction

For quite some time now, the University of Twente, like many other educational institutions, has been a target of phishing: a practice by which a malicious user sends email messages requesting the receiver to state their user name and password. Phishing emails contain various ruses to trick the receiver into passing on this information, e.g., by explaining that this is required to increase storage space or for data migration purposes.

Some such messages are deceptively convincing, as they employ UT-specific terms (ICTaccount) or seem to stem from UT senders. Many of these emails are sent as spam messages by way of hacked computers, rendering it impossible to trace the original sender. Increasingly, such phishing schemes are perpetrated by criminal organizations based in the Eastern Bloc or China.

Regrettably, UT staff and students sometimes do respond to such messages, stating their user names and passwords, which allows malicious parties to abuse their account, usually to send spam messages from it.

Actions taken

Closely cooperating with other universities, in particular with the other 3TU institutes, the UT has taken action to curtail the impact of and trouble caused by such messages.

1. Preventing messages from reaching the user:
The usual anti-spam measures capture most phishing emails, but not all of them. We set up special filter options to detect and intercept those messages that slip through the usual spam filters. These filters need to be updated regularly to reflect the changes in message content, terms used and reply addresses stated.

2. Response procedure:
Messages that still manage to slip through the filters can be reported to abuse@utwente.nl or security@utwente.nl. All messages reported are analysed and the filters and blocking measures are updated accordingly. We also verify whether any users have inadvertently responded to the message, as this does sometimes happen. All information provided is shared between the 3TU partners, allowing us to respond quickly to changing circumstances. Because a spammer blocked from accessing the accounts of one university might start attacking another, responding quickly lets us prevent damage to other universities.

3. Providing information:
We have provided information on phishing schemes on both a small and a larger scale by dispatching both personalized and bulk email messages to users, and by providing information to service counters and IT support staff. Anti-Phishing (identity theft protection) was also listed as one of the topics of the national higher education security awareness campaign launched in February 2009, in which the UT participates. The UT has opted not to issue a separate security alert message to all users for each wave of phishing attacks, as experience has shown this is more likely to irritate users than to raise their awareness. Moreover, such warning emails generally remain unread: multiple times now, UT staff have responded indignantly to having received a phishing email, complaining that no warning was provided.

Impact of the actions taken

1. Filtering:
The use of filters turns out to be highly effective. Batches of hundreds of highly targeted phishing emails are regularly intercepted before they reach a user's inbox. That being said, the effectiveness of this measure is completely dependent on the filters being up to date.

2. Response procedure:
This procedure works reactively only. First of all, the procedure can only be started once a report is submitted. What's more, messages sent to a batch of users are often forwarded to various other persons and are only rarely reported directly to the system security staff able to deal with the matter.

3. Providing information:
This measure turns out not to be effective. Despite our use of a great many communication channels and despite repeating our warnings, they tend to be ignored until users are themselves faced with a phishing mail, at which point they angrily profess never to have heard anything about it. Yet we do need to keep providing information and to continue referring users to our existing documentation.

Structural measures

Unwanted email messages will continue to plague us for the foreseeable future. We will be seeing new types of spam, trying to tempt us to visit a website or webshop, usually resulting in our computer security becoming compromised. Only in the more distant future will we be able to reduce the annoyance through the implementation of structural measures. Two developments are currently under way in this connection.

Trusted servers

Both nationally and internationally, trusted server structures are being built into email infrastructure as a structural measure against spam. This means that email servers only accept messages from trusted originating servers. It is unlikely that all email servers will start making use of these structures, but the associated trust levels can be used to determine the trustworthiness of an email message (or, where trust levels are absent, the lack of it) and thereby help determine whether or not the message constitutes spam.

Trusted persons

Another method is to ensure that only email messages from trusted senders can be received and processed. Such a filter can be based on all persons listed in a personal or organization-wide address book. However, this measure is still vulnerable to the use of forged sender addresses, which are easy to set up and often used. That being said, when trust levels are based on personal digital signatures, trusted person filters provide a good basis for anti-phishing measures, since they allow verification of both the sender and the integrity of the received message. However, this practice is at present not being used structurally within the UT.