
David Braue
Editor at Large

Deakin University smishing attack highlights the dangers of just one compromised account

News Analysis
17 Jul 2022, 4 mins
Cyberattacks, Data Breach

Even after Australians lost $2 billion to scammers last year, SMS scams are getting worse, and educational institutions are in the firing line

[Image: cyber attack alert / data breach. Credit: Matejmo / Getty Images]

Nearly 47,000 current and past students of Australia’s Deakin University are on the lookout for identity theft after a high-profile SMS phishing incident that highlights the challenges that even the best-prepared institutions face from malicious actors.

The Deakin breach, which was detailed by university technical staff just days after it happened, occurred after a single staff member’s credentials were compromised — allowing an unauthorised person to log on to a bulk-SMS messaging service used to communicate results and other data to students.

That person apparently downloaded the entire database of 46,980 student details including name, ID, mobile number, email address, and special comments including recent unit results.

They then used the service to launch a smishing attack that targeted 9,997 students with an SMS message claiming that they owed customs fees on a parcel. When tapped, the included link sent students to a page that collected personal details, including credit card numbers.

The attack is significant not only for the number of students affected, but because it happened without the compromise of any Deakin systems and the breach of just one staff member’s credentials — bringing to life the bon mot that cybersecurity defenders have to get security right all the time, but an attacker only has to get it right once.
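The chain described above (one compromised login, a full export of the recipient database, then a mass send of payment lures through the legitimate channel) is what a defender running such a platform would want to catch early. The following detector is an added example, not code from Deakin or from any real SMS provider; the audit-log format, account name and sample lines are constructed for illustration, and the thresholds are assumptions.

```python
import re
from collections import Counter

# Hypothetical bulk-SMS gateway audit-log format, constructed for this example:
# <ISO-8601 time> user=<account> action=<login|export|send> key=value ... [body="..."]
LINE_RE = re.compile(r'^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Payment wording the university says it never sends by SMS, plus any URL.
PAYMENT_RE = re.compile(r'\b(fee|fees|pay now|payment|customs)\b', re.I)
URL_RE = re.compile(r'https?://\S+', re.I)

# Constructed sample: a legitimate results notice, then the incident pattern.
SAMPLE_LOG = """\
2022-07-09T09:00:00Z user=staff01 action=send to=+61400000003 body="Your unit result for SIT101 is available in the portal."
2022-07-10T02:12:30Z user=staff01 action=export records=46980
2022-07-10T02:15:01Z user=staff01 action=send to=+61400000001 body="Unpaid customs fee on your parcel. Pay now: https://example.invalid/fee"
2022-07-10T02:15:02Z user=staff01 action=send to=+61400000002 body="Unpaid customs fee on your parcel. Pay now: https://example.invalid/fee"
"""

def parse_line(line):
    """Parse one audit line into a dict; return None for lines not in the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "user": m.group("user"), "action": m.group("action")}
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    return rec

def detect(log_text, export_limit=1000, send_limit=100):
    """Flag the chain seen in the Deakin incident: one account exporting the whole
    recipient database, then mass-sending messages that ask for payment via a link."""
    alerts, sends = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["action"] == "export" and int(rec.get("records", 0)) > export_limit:
            alerts.append(("bulk_export", rec["user"], rec["records"]))
        elif rec["action"] == "send":
            sends[rec["user"]] += 1
            body = rec.get("body", "")
            # Policy check: results notices never carry a link plus payment wording.
            if URL_RE.search(body) and PAYMENT_RE.search(body):
                alerts.append(("payment_lure", rec["user"], rec.get("to")))
    for user, count in sends.items():
        if count > send_limit:
            alerts.append(("mass_send", user, str(count)))
    return alerts
```

Calling `detect(SAMPLE_LOG)` on the constructed log raises one bulk-export alert for the 46,980-record download and one payment-lure alert per smishing message, while the genuine results notice passes; a lower `send_limit` additionally flags the burst of sends from the single account.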

Even as Deakin students reach out to national identity and cyber support service IDCARE to monitor for potential identity theft stemming from the breach, the university reminded students that it will never ask for payment via SMS.

“Malicious attacks are becoming more commonplace, and more difficult for individuals to detect. However, we must all remain vigilant,” said Deakin in a statement.

“We will continue to take an educative and proactive approach to cybersecurity and continue to strengthen our systems to prevent future incidents,” Deakin said.

How Australia is doubling down on the fight against scams

SMS scams remain a favoured tool of scammers even as telcos tighten the screws to stop them ever reaching their intended targets.

Telstra, for one, recently announced that its newly launched SMS blocking service had stopped 185 million malicious texts since going live in April — which equates to more than 1,400 malicious SMSs blocked every minute — and its scam call blocking feature has blocked over 200 million scam calls since its debut a year ago.

Despite that company’s efforts, however, SMS scams are proving persistent and increasingly effective, as the Australian Competition and Consumer Commission’s (ACCC) ScamWatch statistics show.

Whereas ScamWatch registered $10.1 million in losses from 67,180 reported SMS scams delivered during 2021, the first half of 2022 had seen 32,700 reports of losses to SMS scams worth $9.1 million — nearly as much as was lost during the whole of last year.

Average losses per reported incident had nearly doubled, from $150 last year to $278 for the first half of this year.

Scams have become far more expensive during 2022 overall, with 12.4% of ScamWatch reports confirming financial losses of $295 million in the first half of the year compared to 8.9% and $323 million in losses during the whole of 2021.

True losses are even higher, the ACCC recently announced, with analysis of over 560,000 reports through ScamWatch and other services confirming that Australians lost over $2 billion to scams last year.

And while many of those scams are sent scattershot to random mobile numbers, the modus operandi of the Deakin hacker stands out because of their abuse of an otherwise legitimate communications channel — and the theft of identity data compounding whatever financial bounty they were able to reap.

The Office of the Australian Information Commissioner (OAIC) recorded 32 separate data breaches involving educational institutions during the first half of 2022 — ranking the education sector fifth alongside insurance — with credentials compromised through phishing contributing to 32% of the 464 breaches notified overall.

Education providers were generally the fastest of all sectors to identify and report incidents, with 91% detecting incidents and notifying the OAIC within 30 days, while education was the only sector where there were more breaches due to human error (24) than malicious or criminal attack (7).

When cybercriminals do attack, however, the results can be devastating because the high number of individuals in university communities makes them ripe for targeting by such attacks, Varonis APJ vice president Scott Leach warned.

Australia’s educational sector is routinely targeted by hackers, who know just how much valuable personal data lies within education providers’ databases and the immense disruption they can cause to the public by shutting down systems, Leach said in a statement.

Universities “have hundreds or even thousands of users, and with such a wide attack surface, attackers need to get only one victim to click on a malicious link…. To prevent increasingly malicious and sophisticated cyberattacks, education providers need to be proactive rather than reactive,” he said.