Ransomware & HSE

e

It heard the specific inside track of it from a trusted friend whose job is close to the source, so to speak. It went very like this:

In a hospital, the name of which was disclosed to me, an extremely tired and overworked frontline graduate medical worker, between tending to unwell patients, was tasked to go through an absolute mountain of emails which had accumulated in the inbox. With a mind mainly on sick patients ringing bells, in seemingly legit looking email (say) no 25 they clicked a link to accept some supply or other that was expected from some legit company, without hovering over the sender address to double-check. Login details were supplied over the link, and that was it.

No matter how smart or canny one believes oneself to be it can happen if somebody is both very tired & distracted & expected to respond to a large number of things without delay, especially if the phishing email in a way to look immediately identical to legit company. Everybody should get a little education in playing around with source code and making a fake version just to demonstrate how fecking easy it is, if only to make people sit up, take note and be that bit more alert.

Even then humans take occasional short cuts and lose focus when expedience appears to be demanded under duress. Even the best driver will very occasionally fail to indicate ahead of making a turn, and same with checking email senders, particularly when the fake is well executed or as Joe Duffy would put it whether valid or not “…a very sophisticated scam”. I got caught out not long ago right in the middle of travelling in a jeep up a steep bare rock mountain when I clicked on a fake link. I had felt under time constraint, and was not paying full attention. It’s the human factor at play here.

Thats pretty much the story I heard.

I do phishing tests as part of my job, and have in the past created a phish that would trick most people. I did a very good Bank of ireland themed one a few years ago and 95% of the people who opened the email clicked the link and provided their credentials. So I absolutely appreciate it can be hard for users.

I have a few fake Bank of Ireland portals on my phone, so to speak. I asked a relative what they thought of the new Bank of Ireland login screen. She uses AIB so only occasionally would see BOI, who happened to have recently changed their screen appearance. I showed her a screenshot of the old legit screen and my makey-uppy one that claimed “we are making some site changes”, she said “oh the new one is much better, is the other one of your practice fakes?”

Public education is what’s needed as a starting point. Ok, Baz is obliging BOI for a tidy little return. Claire Byrne could devour a segment on her TV show where she gets a complete newbie who had undergone no more than an hour’s tuition, to fake a website live on air, with a minimum of prompting, just to demonstrate that this is within anybody’s grasp to be able to do. Not that I recommend enabling would-be fakers, but they will just find out how to do it anyway, with ease.

Tubridy could set up a slot on the Late Late, but there’s no journalistic wherewithal there. Pat Kenny or Gay Byrne would do something like that were they around these days. Goodness knows Gaybo showed us all exactly how to unroll a rubber before ever there was You Tube.

I hate to say it, and I don’t give credit to the protagonist Duffster himself, but after BOI was featured extensively on Liveline they upped their game immensely. As with Covid, as with everything, public education is paramount and people will take stuff on board that’s communicated effectively. By default people are in stupid mode until they have to be otherwise.

No doubt at all they were lurking and phishing many times over before they found their exploit. Only took one click to do it, though. I’m thinking of my own place of work some years back: there were constant emails where we had to click to make various orders from. At work I wasn’t sitting at a computer all day, I had absolutely tons of tasks to do, practical, online, supervisory, interfacing with public and a lot had to be done on the spot as required.

People who have to multitask are at greatest risk of exploit, they don’t have the leisure of considering each move carefully on the screen, as most moves are made off the screen. In other words, too busy doing their core job.