Are you guilty of having one of your passwords set to “Password123” or something similar? Well, you’re not alone. Easy-to-guess passwords like these are what allowed the Iranian hackers to gain over 13 billion pages of information.
Phishing attacks are becoming inevitable, but as a preventative measure we need to learn what our risk factors are and make it harder for hackers to log into our accounts.
What Happened with This Phishing Attack?
A group of nine Iranian nationals from Madina Institute in Iran hacked into thousands of accounts, stealing over 31TB of information, which is over 13 billion pages of information worth about $2 billion. To put that in perspective, that’s three times the amount of information in the Library of Congress.
Arun is a cybersecurity expert. Learning that this cyber hack has been going on since 2013, he knows that there are more compromised accounts that haven’t been revealed yet. “There’s probably more data that was stolen than what was recorded,” he says.
The nine Iranians were charged with hacking over 8,000 accounts while working under the Islamic Revolutionary Guard. They targeted universities, the private sector, and NGOs. This was all due to weak passwords, carelessness when opening emails from unknown senders, and how much access is available once an account is compromised.
How Can We Stop This?
Universities are running phishing training, user education, and awareness campaigns, and asking students to report what look like phishing attacks.
But it comes down to the fact that people aren’t paying attention anymore. We are living in a fast-paced society, and most of the time when we read our emails, we read them on our phones while we are multitasking. We may open links, or enter passwords on sites that aren’t reliable, because our attention isn’t fully on the one task.
Hacking isn’t going away any time soon, but we need to prepare. Students and faculty members are said to be the easiest of targets. So universities are starting to create layers in their divisions so that not everyone has complete access to everything; this is called sandboxing. If an account is compromised, the hacker will have limited access. However, hacking doesn’t only occur through work emails; it can also happen through personal accounts in order to gain access to others’ emails.
Even though sandboxing and training are important in the fight against phishing, they are not enough to prevent it. We have to take a look at our risk factors.
Arun hosted a Black Hat webinar that shows how effective training really is, with real-time data from different companies. Corporations are training their employees to see if they fall for phishing emails, and retraining them if they fall for them multiple times. This is to learn what their risk factors are. The harsh truth is that we are the problem, and that we need to identify ourselves as risk factors.
Who Is To Blame?
It’s easy to play the blame game, but we need to own up to our problems and be ashamed that it happened to us, so that we can learn not to do it again and prevent phishing attacks from happening.
We need to identify ourselves as risk factors like we do with our credit score. How strong are our passwords, how strong is our security, and how aware are we?
This can happen to anyone. A colleague of Arun’s who trains in cybersecurity accidentally fell for a phishing attack. All the training you have may go out the window when fear comes into play. He thought that he was compromised and went through the steps to restore his security, only to find that he did it through a company in India that turned out to be the scammers themselves. They played into his fear, and he played into their hack.
We can locate and shut down all these hacker shops and storefronts, but as soon as one goes down, another tends to rise just as quickly.
We need to be vigilant and observant of what we open, what level of risk we are, and how secure our data is.
Stay safe out there.