Anti-phishing e-mail from MIT exemplifies how organizations train people to fall for phishing attempts

The famed research university, the Massachusetts Institute of Technology, would rather spy on its students, staff, professors, contractors and the like than keep them safe from scammers and phishers trying to steal their information.

They sent everyone an e-mail where every link to more information has exactly the kind of URL you should look at and never, not ever click.

On Thu, Nov 3, 2016 at 3:56 PM, John Charles <jcharles@mit.edu> wrote:

John Charles, Vice President for Information Systems and Technology

Dear MIT faculty and staff,

Over the past three years, Information Systems and Technology (IS&T) has
taken many steps to enhance the safety and security of MIT's information
technology (IT) infrastructure. With guidance from the Information
Technology Governance Committee
<http://guo7.mjt.lu/lnk/AEsAAD3Qp4QAAUjwukwAAGkNFqYAARpdWWsAGe19AAcwEABYG5ZvLnQ7qMCxRZa5J5emgRbXTwAG2zM/1/cxem2IX1he0hEUqP2yDN-Q/aHR0cDovL3dlYi5taXQuZWR1L2l0Z2MvbWVtYmVycy5odG1s>
(ITGC), we have examined how we deliver network services to the
community. We have modified practices to establish a higher level of
resilience for our network while accommodating the needs of our faculty,
students and staff.

The Information Protection @ MIT
<http://guo7.mjt.lu/lnk/AEsAAD3Qp4QAAUjwukwAAGkNFqYAARpdWWsAGe19AAcwEABYG5ZvLnQ7qMCxRZa5J5emgRbXTwAG2zM/2/o10yNgspP3vufm1Ip-I68w/aHR0cDovL2luZm9wcm90ZWN0Lm1pdC5lZHUv>
website provides easy access to policies, resources and guidance related
to safeguarding sensitive data at the Institute. The site also provides
information to help community members protect their own personal data.
Resources at the Training
<http://guo7.mjt.lu/lnk/AEsAAD3Qp4QAAUjwukwAAGkNFqYAARpdWWsAGe19AAcwEABYG5ZvLnQ7qMCxRZa5J5emgRbXTwAG2zM/3/bnLgHZBxQMAXxrXKD5lAdA/aHR0cDovL2luZm9wcm90ZWN0Lm1pdC5lZHUvdHJhaW5pbmc>
tab will help you understand the Institute policies and procedures that
need to be followed to comply with local and federal legislation related
to data protection.

Additionally, the Tools
<http://guo7.mjt.lu/lnk/AEsAAD3Qp4QAAUjwukwAAGkNFqYAARpdWWsAGe19AAcwEABYG5ZvLnQ7qMCxRZa5J5emgRbXTwAG2zM/4/Yx4ojOr9gwi6xqUH1eKkWQ/aHR0cDovL2luZm9wcm90ZWN0Lm1pdC5lZHUvdG9vbHM>
tab lists several software tools and services to help you find, delete,
or protect sensitive information. You can keep your machine clean by
using the CrowdStrike Falcon anti-malware service; protect your
passwords using the LastPass password management tool; find and redact
sensitive data using Spirion (formerly Identity Finder); and encrypt
your data using FileVault or BitLocker. All of these tools are available
to MIT community members at no cost.

Connect with care – when in doubt, throw it out. This year has seen an
increase in phishing
<http://guo7.mjt.lu/lnk/AEsAAD3Qp4QAAUjwukwAAGkNFqYAARpdWWsAGe19AAcwEABYG5ZvLnQ7qMCxRZa5J5emgRbXTwAG2zM/5/DgHIAI0wrSWgPXPuP0a1qQ/aHR0cDovL2tiLm1pdC5lZHUvY29uZmx1ZW5jZS94L1NCaEI>
emails and ransomware
<http://guo7.mjt.lu/lnk/AEsAAD3Qp4QAAUjwukwAAGkNFqYAARpdWWsAGe19AAcwEABYG5ZvLnQ7qMCxRZa5J5emgRbXTwAG2zM/6/0lXuhgkWRoJ6HR_36YCc2w/aHR0cHM6Ly93d3cudXMtY2VydC5nb3YvbmNhcy9hbGVydHMvVEExNi0wOTFB>
attacks. Cybercriminals try to infect your device by getting you to
click on links within emails. If an email looks suspicious, delete it.
These scams provide yet another compelling reason to back up your files
using the cloud-based CrashPlan
<http://guo7.mjt.lu/lnk/AEsAAD3Qp4QAAUjwukwAAGkNFqYAARpdWWsAGe19AAcwEABYG5ZvLnQ7qMCxRZa5J5emgRbXTwAG2zM/7/CPADlVDA63BiigiFa_KBHg/aHR0cDovL2lzdC5taXQuZWR1L2NyYXNocGxhbg>
solution.

Various units across MIT share responsibility for maintaining records
and providing oversight. Faculty and staff who create, transmit, or
store sensitive data
<http://guo7.mjt.lu/lnk/AEsAAD3Qp4QAAUjwukwAAGkNFqYAARpdWWsAGe19AAcwEABYG5ZvLnQ7qMCxRZa5J5emgRbXTwAG2zM/8/4pBSuyrcmaNH8Wf8wZ-W5Q/aHR0cDovL2luZm9wcm90ZWN0Lm1pdC5lZHUvd2hhdC1uZWVkcy1wcm90ZWN0aW5n>
can learn best practices by watching a series of brief videos
<http://guo7.mjt.lu/lnk/AEsAAD3Qp4QAAUjwukwAAGkNFqYAARpdWWsAGe19AAcwEABYG5ZvLnQ7qMCxRZa5J5emgRbXTwAG2zM/9/nzkbgshMiPcdv5E0jXF9sw/aHR0cDovL2luZm9wcm90ZWN0Lm1pdC5lZHUvdHJhaW5pbmc>
on desktop, Internet and data security. David LaPorte
<mailto:dlaporte@mit.edu>, who directs IS&T’s security programs, is
available to answer specific questions or offer guidance on recommended
training.

Sincerely,

John Charles

One of the very links in this e-mail hidden behind the ridiculous guo7.mjt.lu domain (but which redirects to content from the MIT page http://kb.mit.edu/confluence/pages/viewpage.action?pageId=4266056 ) has this advice for spotting the danger of a phishing e-mail:

“Includes a hyperlink that has an odd looking URL (for instance with a foreign country as the domain, or trying to match a legitimate web address but spelled differently)”

I didn’t realize we’re dealing with the Vice President for Information Systems and Technology. They really do have to be made to understand that they are teaching people to fall for phishing e-mails by not using at least an MIT domain tracking/redirect service instead of guo7.mjt.lu — it’s foreign and it looks like it’s trying to impersonate MIT. It is exactly what their own advice says is a warning sign for a phishing e-mail! And then when they say just kidding, trust it when it’s from us, all their advice is worse than wasted, and some nuclear-security-clearance researcher at MIT is going to accidentally give secrets to the Russians before Trump does.
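To make the point concrete, here is an added Python example (not part of the original post, and not MIT's or Mailjet's own tooling) that applies the e-mail's own test to its links: first judge by the hostname the recipient can see, then recover the hidden destination without clicking. It assumes, as an observation about the links quoted above, that the final path segment of each guo7.mjt.lu link is URL-safe base64 of the destination URL with its padding stripped. The sample input is constructed from two of the quoted tracking links plus a plain link to ist.mit.edu (the destination the CrashPlan link decodes to).

```python
import base64
from urllib.parse import urlsplit

# Constructed sample input: two tracking links copied from the quoted
# e-mail above, plus one plain link within the organization for comparison.
SAMPLE_LINKS = [
    "http://guo7.mjt.lu/lnk/AEsAAD3Qp4QAAUjwukwAAGkNFqYAARpdWWsAGe19AAcwEABYG5ZvLnQ7qMCxRZa5J5emgRbXTwAG2zM/1/cxem2IX1he0hEUqP2yDN-Q/aHR0cDovL3dlYi5taXQuZWR1L2l0Z2MvbWVtYmVycy5odG1s",
    "http://guo7.mjt.lu/lnk/AEsAAD3Qp4QAAUjwukwAAGkNFqYAARpdWWsAGe19AAcwEABYG5ZvLnQ7qMCxRZa5J5emgRbXTwAG2zM/6/0lXuhgkWRoJ6HR_36YCc2w/aHR0cHM6Ly93d3cudXMtY2VydC5nb3YvbmNhcy9hbGVydHMvVEExNi0wOTFB",
    "http://ist.mit.edu/crashplan",
]


def host_in_domain(host, domain):
    """True if host is the domain itself or a subdomain of it (case-insensitive).

    A plain substring test would accept look-alikes such as mit.edu.example,
    so the check requires either equality or a '.domain' suffix.
    """
    host = (host or "").lower().rstrip(".")
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def decode_tracking_target(url):
    """Recover the destination hidden in a tracking link without fetching it.

    Assumption (labelled): the last path segment is URL-safe base64 of the
    destination URL with '=' padding stripped, as in the links quoted above.
    Returns the decoded URL, or None when the segment is not such an encoding.
    """
    tail = urlsplit(url).path.rstrip("/").rsplit("/", 1)[-1]
    if not tail or len(tail) % 4 == 1:  # no valid base64 string has this length
        return None
    padded = tail + "=" * (-len(tail) % 4)  # restore the stripped padding
    try:
        decoded = base64.urlsafe_b64decode(padded).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
        return None
    return decoded if decoded.startswith(("http://", "https://")) else None


def assess_link(url, org_domain="mit.edu"):
    """Judge a link as the e-mail's own advice asks: by the visible hostname
    first, then by the destination it hides, if that can be recovered."""
    visible_host = urlsplit(url).hostname or ""
    target = decode_tracking_target(url)
    target_host = urlsplit(target).hostname if target else None
    if host_in_domain(visible_host, org_domain):
        verdict = "direct link inside " + org_domain
    elif target is None:
        verdict = "off-domain link with no recoverable destination; do not click"
    elif host_in_domain(target_host, org_domain):
        verdict = "third-party redirect that lands on " + org_domain + " content"
    else:
        verdict = "third-party redirect to an external site"
    return {"visible_host": visible_host, "target": target, "verdict": verdict}


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        info = assess_link(link)
        print(f"{info['visible_host']:<16} -> {info['target'] or '(none)'}")
        print(f"  {info['verdict']}")
```

Run as a script it prints one line per link showing the hostname a recipient sees beside the destination it decodes to, and the verdict that the visible hostname alone earns. The first two links fail the "odd-looking URL" test on their visible hostname even though one of them lands on MIT content, which is exactly the mismatch the post is complaining about; the decoding step is what a cautious recipient would need to do by hand to find that out.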

(Narrator: It was not possible to make MIT understand how wrong it is to send e-mails like this.)

Dear John Charles, I was hesitant to click on the CrashPlan link because when I moused over it showed a strange link that I did not trust.

Is there a way to easily ascertain its veracity?

Response (from David LaPorte <dlaporte@mit.edu>)

Thank you for the feedback and for your keen eye. The links in this communication were instrumented for analytical purposes, for us to better understand how well the email was received and if any of the included links were explored. All links in the email are safe to click on – thank you again for your concern and caution!

So I repeat: Massachusetts Institute of Technology would rather spy on people than help keep them safe from scammers and phishers trying to steal their information.