It Only Takes One Phish: Phishing Attack Results in Network Infiltration, IT Incompetence, and $217,000 in Paid Ransom Fees

The recent attack on a Dutch university demonstrates much of what IT organizations should avoid doing if they want to prevent an attack.

According to Michiel Borgers, Chief Information Officer at Maastricht University, their network was the target of a phishing attack in October of last year that gave cybercriminals access to their network. The attackers “spent the following weeks exploring the systems and gaining credentials to access more secure parts of the infrastructure,” said Borgers. And in December, the university paid a ransom of $217,000 to decrypt files.

Sounds like a pretty standard cyberattack story… until you hear all the things that went wrong.

  • Security solutions didn’t stop the phish – even with solutions in place, phishing emails made their way into a user’s inbox, making the user the last (and, in this case, the least effective) line of defense.
  • Users played the role of the victim – as always, a user was tricked into clicking on malicious content within an email, setting the campaign in motion.
  • IT wasn’t paying close enough attention to detail – after the initial phishing email was discovered and the malicious link blocked, no additional steps were taken to check whether subsequent emails used the same URL and whether the university was under a targeted attack.
  • There were too many alerts – alert storms are all too common. Too many red flags mean IT teams are paralyzed, not knowing which alerts to follow up on. And with the bad guys apparently moving laterally around the network leveraging compromised credentials over a period of months, there must have been quite a few.
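The follow-up check the third bullet says was missing, as an added example that is not from this post or the university’s report: starting from the URL in the blocked phishing email, it searches a mail-gateway log (a constructed JSON-lines sample with made-up addresses and timestamps) for every other message carrying the same host, and collapses the hits into one campaign-level record instead of one alert per message. The log field names are assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a mail-gateway log (JSON lines); field names are assumptions.
MAIL_LOG = """
{"id": "m1", "ts": "2019-10-15T09:02:11Z", "from": "helpdesk@example-phish.test", "to": "alice@uni.test", "urls": ["http://login.example-phish.test/portal?u=1"]}
{"id": "m2", "ts": "2019-10-15T09:05:40Z", "from": "helpdesk@example-phish.test", "to": "bob@uni.test", "urls": ["http://login.example-phish.test/portal?u=2"]}
{"id": "m3", "ts": "2019-10-15T11:30:00Z", "from": "news@vendor.test", "to": "carol@uni.test", "urls": ["https://vendor.test/news"]}
{"id": "m4", "ts": "2019-10-16T08:12:09Z", "from": "it-support@example-phish.test", "to": "dave@uni.test", "urls": ["HTTP://Login.Example-Phish.test/portal/?u=3"]}
""".strip()


def normalize(url):
    """Reduce a URL to its lowercase host so that per-recipient query strings,
    trailing slashes and letter case do not hide a match on the same campaign."""
    return urlsplit(url.strip()).hostname or ""


def related_messages(log_text, blocked_url):
    """Return every log record that links to the same host as the blocked URL."""
    target = normalize(blocked_url)
    hits = []
    for line in log_text.splitlines():
        rec = json.loads(line)
        if any(normalize(u) == target for u in rec["urls"]):
            hits.append(rec)
    return hits


def campaign_summary(hits):
    """Collapse many per-message alerts into one campaign-level record:
    how many messages, which recipients still need follow-up, which sender
    addresses were used, and the time span the campaign covers."""
    return {
        "messages": len(hits),
        "recipients": sorted({h["to"] for h in hits}),
        "senders": sorted({h["from"] for h in hits}),
        "first_seen": min((h["ts"] for h in hits), default=None),
        "last_seen": max((h["ts"] for h in hits), default=None),
    }


if __name__ == "__main__":
    blocked = "http://login.example-phish.test/portal?u=1"  # URL from the reported email
    print(json.dumps(campaign_summary(related_messages(MAIL_LOG, blocked)), indent=2))
```

With the sample log, the single reported email turns out to be one of three messages from two sender addresses spread over two days, which is the signal that the university was facing a campaign rather than a one-off.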

A report on the attack, what should have been done, and what the university plans on doing moving forward was published this month.

The challenges the university experienced show how the problem only gets worse over time. The place to stop an attack is where it’s easiest – when it’s a matter of a single email and a single user. No thousands of potential alerts, no campaigns of emails to deal with… just one user and the decision of whether to click on an attachment or not.

Security Awareness Training is one of the needs outlined in the report. The university sees this training as the key “to reduce the number of successful malicious attempts to attack.”

Lots of things can and will go wrong with IT’s ability to respond to a cyberattack. The one factor that IT generally has no control over is the user. By putting Security Awareness Training in place, IT organizations regain a measure of control by engaging with the user to play a role in organizational security.

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before the bad guys do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry
