Sunday, 13 October 2024

Staring into the Chasm

As my contribution to Cyber Awareness Month (October 2024), I will attempt to explain the reasoning behind the shift of focus I have given this blog, and to lay the foundations for the argument that cyber security for the individual, the family and the community needs to be about more than just awareness. This is informed by several resources, including my own experience in IT, in examining scam emails, and from recent years working inside cyber security.


Introduction to the Chasm

Awareness of the cyber divide is an important first step to addressing it. The individual user has some degree of agency to improve their knowledge and cyber security practices, provided they are not also disadvantaged by the digital divide. Awareness of cyber security risks is only a small part of this, and on its own does not embed good practices. As individuals have different preferred learning styles, some people will require more than information and practice to be able to protect themselves.


There are often gaps in the services provided by governments or major corporations, where the people who are disadvantaged have no effective agency to influence the gap, or do not know how they could close it. Similar gaps exist in society around the use of information and communication technology. Some end users have a greater opportunity to influence and address part of the gap themselves, but many will need some level of assistance.


Divided: Who, What, and Why?

Across Australia, and around the world, there exist a number of gaps in society, spanning many aspects of modern life. Life is neither fair nor equitable, and it is challenging for governments or other institutions to deliver equity across a broad and diverse community. Many of these gaps are reported frequently in the media: gaps in education, gaps in health care, gaps in services like mobile phone reception and internet speeds. The cyber divide is a specific gap between those who have the awareness and the opportunity to develop appropriate practices against cyber risks and threats to the security of their personal information, and those who do not.


Since the late 1990s the Australian Government has been aware of a digital divide in Australian society: not all citizens have an equal opportunity to participate in the digital economy. I recall in the early 2000s delivering a very small project to a local migrant resource centre as part of the Federal Government's Digital Divide program. At the time, the elderly, those with English as a second language, and single parents attempting to re-enter the workforce were identified as groups within Australian society disadvantaged in the adoption of computers and modern technology, and hence unable to fully participate in the digital economy. Government programs were aimed at improving equity of access to education and the opportunity to apply that learning. This digital divide still exists today, with 9.4% of the Australian populace significantly excluded from participating in the digital economy, as identified in the “Australian Digital Inclusion Index (ADII) report for 2023” [4]. The report identifies that a critical issue contributing to this division is the lack of access to resources for First Nations people, and for non-First Nations people living in remote and very remote areas of Australia. Similar circumstances exist across the globe, with a 2016 World Bank report highlighting the global lack of digital equity [6].


From my observations, there is another layer to this division in society. It affects many of the same people as the digital divide does. It also affects many people who are conversant with technological devices but who do not fully understand and appreciate the value and flow of information in large systems, and how those systems expose users of digital technologies to privacy and cyber security risks. Therefore I feel that there is a cyber divide in Australian society. Whilst this cyber divide shares some characteristics with the digital divide, it is distinct from it and exists at a different level. With corporate and government business models increasingly moving online, legislation and education are not keeping pace with the risks, or with the protection that all citizens need. Community awareness of, and capability to take independent responsibility for, privacy and personal information security is lacking.


Is the Cyber Divide here to stay?

Good Things Australia, a community organisation, have made the following assessment of the ADII 2023 report on their website: “The Australian Digital Inclusion Index (ADII) shows that while digital inclusion is slowly increasing across Australia, there remains a substantial digital divide in Australia.” [5] This supports the argument that the cyber divide will continue to exist into the future, and has the potential to become worse. “1 in 4 people in Australia are still digitally excluded (ADII, 2023). People with low levels of income, education and employment, those living in some regional areas, people aged over 65 and people with a disability are at particular risk of being left behind.” [5] This digital exclusion affects both awareness of cyber security risks and the opportunity for individuals to train themselves and develop persistent, effective digital hygiene habits. To use industry jargon, the digital divide prevents some citizens from developing adequate operational security (OpSec). The one small potential benefit for people disadvantaged by the digital divide is that their limited digital footprint may reduce their exposure to some cyber security risks. But this is no form of positive agency for those individuals, as it is not something that they control.


Similarly, the pace of change in the information age is outside the influence and control of many people. Governments and organisations alike seek to cut expensive face-to-face service delivery models in favour of technological solutions. This includes the adoption of data science, big data solutions and large language models (“AI”), and of new data retention and management policies, amid a dynamic threat environment [7, 8, 9]. This in turn forces individuals who meet the basic requirements for inclusion in the digital economy to participate at a level they are not necessarily ready for. A large corporate entity may have the capacity to dedicate small specialist teams to each emerging area of technology. The humble citizen does not have the time nor the capacity to devote themselves to such a broad spectrum of knowledge. Having the basic computer knowledge and the basic Internet services to participate in the digital economy does not guarantee that an individual has the risk awareness and the practised OpSec skills necessary to protect themselves. The pace at which digital technologies and solutions are advancing is failing to reduce the occurrence and potential of cyber security risks and threats, and at the same time is widening the distance between the two sides of the cyber divide.


As a professional in the cyber security sector, I would argue that you do not need cyber security specific education, or even experience in information technology, to develop your own personal OpSec. You do, however, need a level of information technology literacy, and an awareness of digital and information-age risks as they unfold on the world stage. This implies some basic education and interest in science, technology, engineering and mathematics (STEM) subjects, combined with life experience [Note: STEM subject knowledge is implied only, not mandatory]. Recent statistics on STEM education outcomes at the post-secondary level (STEM Equity Monitor, Department of Industry, Science and Resources) [1] indicate that whilst the number of students enrolling in such subjects continues to increase, the number completing their studies in STEM subjects through the vocational training sector is declining. When the statistics specific to Information Technology qualifications are considered, enrolment and completion numbers across both the university and vocational training sectors declined from 2015 to 2022 [2, 3]. This suggests that the portion of Australian society with the underpinning knowledge and skills required to stay ahead of risks to their personal information may not be keeping pace with technological change. I argue that this compounds the risk of prolonging the existence of the cyber divide.


Can the Divide be Bridged?

Government and corporate efforts to address this divide have focused on raising awareness. Awareness of risks works in situations where the individual is already empowered to act upon that awareness. For example, awareness campaigns about the risks of speeding and drink driving work because the individual driver is already empowered to slow down and to not drink before they drive (or to get a sober friend to drive). As a society we have been collectively driving for many years, and the practice of doing so does not significantly change from the day a person gets their licence to the day they stop driving. There is still some effort required to develop and maintain good habits to remain safe, but it is relatively straightforward for most people.


Computers, information systems, and the Internet in general present a more complex set of challenges: an environment that can be wild and divergent, and that has changed rapidly over the last four decades. If I continued to use a computer the way I did over three decades ago when I first accessed the Internet, I would be exposed to a very high risk of falling for scams and introducing malware onto my computer on a very regular basis. Over the last three decades, I have continued to make myself aware of the technical changes and the risks and threats that exist on the Internet. Long before I professionally moved into the cyber security field, I maintained my knowledge by doing my own investigations and adopting new or improved practices. Just like when I first got my full driver's licence, I spent time just going for a drive on occasion to help embed the knowledge and skills of driving through experience.


The cyber security industry is strongly aware of the need to take awareness, knowledge and base skills, and turn them into experience and mental reflexes. This is why large corporations, government departments and cyber security firms invest and engage in cyber security exercises and appropriate training facilities (cyber ranges). In fact this is a necessity for continually building knowledge and experience in your cyber security team. But what is being done to boost the basic inoculation effect of awareness within the broader society? Without the opportunity to take simple awareness information and to apply it to a realistic/real environment, can we ever expect the defences and resilience of the general community to improve at the rate that the threats and risks are developing?


Yes, there are many cyber range [10] training options available across the Internet, with some well-known names among them: HackTheBox and TryHackMe [11, 12], and others. However, these will always be more readily utilised by the portion of society on the advantaged side of the digital divide. Those on the disadvantaged side will not have the same access, and even if technical impediments are removed, those users are unlikely to immediately have the confidence to engage in such offerings, because they lack sufficient existing digital experience. They will nonetheless be exposed to the same risks and threats. Then there are those who are on the advantaged side of the digital divide because they live in an advantaged geography, or are part of an advantaged demographic, but whose confidence and experience is limited to the applications on their devices. They understand email, browsing and everyday office activities; perhaps they are even certified in Microsoft Word or Excel. But their knowledge of the systems underneath those applications may not support the full application of cyber security awareness.


An approach to addressing this gap is to take the cyber-range concept and expand on it, furnishing it with physical and virtual devices. If done right, and targeted at the community level with shared resourcing, this could address the digital divide at the same time as the cyber divide. “Doing this right” would need to include initiatives giving those in the community with limited Internet and digital resources regular access to such resources. It will not suffice to tell them about risks and scams and the need to protect themselves, if they do not have the opportunity to apply that temporary awareness and turn it into more permanent knowledge through experience. This is something that should be included in the mainstream curriculum at all schools, and not just for STEM students. In other sectors of the community, it could take the form of IT/cyber and education professionals delivering government-supported programs in less remote areas. Access for those in the more remote areas of the country could be supported through a fully sponsored outreach program, where a travelling team takes a cyber-range environment to remote locations to address both the digital and the cyber experience gaps.


Concluding Thoughts on the Cyber Divide


The cyber divide exists alongside the digital divide, but they do not affect exactly the same groups within society. Whilst a user on the wrong side of the digital divide is more likely to be adversely affected by the cyber divide, there are those who are digitally advantaged, and participating in the digital economy, who will still fall on the wrong side of the cyber divide if messaging about cyber threats remains only an awareness campaign. Understanding how cyber threats target information in large systems through technological, process, data and human elements requires experience and practice. Without that experience, individual citizens will continue to be disempowered in their own data security and, even if they are included in the digital economy, many will fall behind in their capability to participate securely and with confidence. Unless this cyber divide and the underpinning digital divide are addressed, the rapid pace of technological change and the race by governments and corporations to digitise services while slashing their human service elements will together turn the cyber divide into a wider, deeper chasm in the Australian digital landscape.


I feel that there are further aspects to the cyber divide that warrant deeper attention: whether those who do not have the opportunity to participate in the digital economy find their privacy and personal data at greater or lesser risk of compromise, and whether the digital divide disempowers them from being in control of their data.


Resources:

  1. STEM Equity Monitor, Department of Industry, Science and Resources, accessed 29 Sep 2024, https://www.industry.gov.au/publications/stem-equity-monitor
  2. STEM Equity Monitor - University students in multiple STEM fields of education, accessed 29 Sep 2024, https://www.industry.gov.au/publications/stem-equity-monitor/higher-education-data/university-enrolment-and-completion-stem-and-other-fields
  3. STEM Equity Monitor - VET students in STEM fields of education, accessed 29 Sep 2024, https://www.industry.gov.au/publications/stem-equity-monitor/higher-education-data/vocational-education-and-training-enrolment-and-completion-stem-and-other-fields
  4. Australian Digital Inclusion Index, accessed 29 Sep 2024, https://www.digitalinclusionindex.org.au/ & https://www.digitalinclusionindex.org.au/key-findings-and-next-steps/
  5. Good Things Australia, accessed 29 Sep 2024, https://goodthingsaustralia.org/the-digital-divide/ & https://goodthingsaustralia.org/the-digital-divide/what-is-the-digital-divide/
  6. World Bank Group - World Development Report 2016: Digital Dividends, accessed 29 Sep 2024, https://www.worldbank.org/en/publication/wdr2016
  7. ABC News - Experts say scammers are getting a leg-up from the system that serves us personalised ads, Ange Lavoipierre, accessed 07 Oct 2024, https://www.abc.net.au/news/2024-10-04/scammers-using-system-for-ads-to-con-australians/104426750
  8. ABC News - Australians targeted for cryptocurrency scams by overseas call centres because they are ‘easy prey’, former worker says, Nadia Daily, accessed 07 Oct 2024, https://www.abc.net.au/news/2024-10-07/scammers-are-targeting-australians-in-offshore-call-centres/104406170
  9. ABC News - Australian companies are being used in scams and authorities are struggling to catch the culprits, Michael Atkin & Loretta Florence, accessed 27 Mar 2024, https://www.abc.net.au/news/2024-03-27/australian-businesses-used-for-scams-asic-bank-finance/103272682
  10. Wikipedia - Cyber range, accessed 08 Oct 2024, https://en.wikipedia.org/wiki/Cyber_range
  11. HackTheBox, accessed 08 Oct 2024, https://hackthebox.com
  12. TryHackMe, accessed 08 Oct 2024, https://tryhackme.com

Sunday, 21 January 2024

Is AI phishing in my Bigpond?

CAVEAT: This post is about a scam email that arrived in my Telstra Bigpond inbox. It is an instance of a phishing email impersonating the Telstra brand, and it successfully made it through the Telstra email filters. Apart from indicating that Telstra's email filters require tuning (an ever-present task for any organisation), Telstra is also a victim here, as its brand and reputation are under attack from such phishing campaigns.

It is 2024, yet scam and spam emails are still a significant part of the cyber-threat landscape. And there is still such variation in the email scams that there is always a percentage of them that will make it through well maintained email filtering systems of large organisations. The percentage that do make it through the filters can only be stopped by the awareness, attention, and practices of the end user.

For many years the cyber-security industry has been educating end users on how to spot scams and phishing emails with some simple rules:
  • Are the promises of the email too good to be true?
  • Is the spelling and grammar of the email wrong?
  • Is the sender's email address different to the organisation that they are pretending to be from?
  • Hovering over any links in the email, do the URLs fail to match the corporate brand, or do they contain long, unreadable query strings?
  • Is the email threatening the user with something unless quick action is taken?


Answering “Yes” to one or more of these staple identifiers builds our confidence that the email is a scam or phishing attempt. But now, with the popularity and availability of a number of Large Language Models (LLMs), which the popular media is selling as “AI”, and the adoption of such tools by cyber criminals to write their phishing email content, detecting phishing emails has become harder for the end user. Some of the old points to look for are still valid, but others need updating.

I will investigate this in the light of a phishing email that I recently received, via my personal Telstra Bigpond inbox. Whilst I cannot prove absolutely that the content of the phishing email was generated by an LLM, I believe the qualities of the email suggest that it likely was generated by such a tool.

Promises to Bait the Hook


Does this email make a promise that is too good to be true?



Knowing the status of my account with Telstra, the subject line of the email does not immediately raise alarm bells. It is not entirely comforting though, for three reasons:
  • Passive prose - “You can request”. Perhaps a subtle way of offering something.
  • Terminology - “refund of your money”. I would expect this to say “refund of payment”.
  • Past experience - I know from the past that where there have been issues with the products or services that Telstra provide, they prefer not to refund, but will happily put a credit on my account as their preferred remediation step.

I suspect that the subject line of the email was written by a human.

Misspelling and Wacky Grammar


Does this email have a stack of misspelled words and poor grammar? No, and that is what leads me to think that it may have been generated by an LLM tool.




On the whole, the email is short, succinct and to the point. If this was crafted by a human, the brevity of the text has helped them to avoid translation errors, grammatical errors and misspellings. But it is not perfect.

There are two places in the text that do pique my attention, and both of them exhibit incorrect use of capitalisation:



Situation Requiring User Action


Yes, this email has a call to action, but it is expressed passively. “To fix that problem, You need to update your information in your account.”

I feel that this is an indicator of either LLM generation of text, or a very smart human operator. They have not actively told the user that they have to fix something. Instead they have suggested that the user could fix something. Why do I feel that this indicates that the cyber criminals are using an LLM? Because active threats and calls to immediate action with unrealistic consequences are the hallmark of phishing campaigns of the past. This email takes an entirely subtle approach, likely generated by an LLM that has been fed examples of past successful phishing campaigns.

The email suggests that the user needs to fix a problem. It does not tell the user that they need to fix the problem right now. It does not threaten the user with consequences if they do not fix the problem. By taking this approach, this email is more likely to slip under the guard of many users. Even if it is too subtle to actually prompt a percentage of people to take action, it could still be successful with a smaller percentage.

Links and Technical Things


So, the text and general presentation of the email don't clearly identify this as a scam. If I had recently changed bank accounts or recently had some issue with my Telstra account, I might be tempted to follow up by clicking the action button in the middle of the email. But let's check out some of the other details first.

In my email inbox, hovering over the email in the list shows that the sender's email address does not match Telstra's branding: medgasbd.com ≠ telstra.com

 



Within the email there is the action button, and three hyperlinks that appear to lead to corporate information: contact details, the privacy statement and the terms and conditions. Each of these needs to be checked individually, by hovering over the button or link in turn to reveal its real destination; a link's visible text says nothing about where it actually goes.

The action button leads to a shortened URL:

 



I attempted to use a couple of services that can reveal the full URL from the shortened URL. Neither getlinkinfo.com nor unshorten.it was able to return a result. To my mind this suggests that whatever site the action button led to has since been taken down: either the cyber criminals were done with it and have moved to a new URL, or law enforcement may have acted against the site. A caveat: an unshortener only follows the redirect chain, so a dead short link can also mean that the shortening service itself disabled the link for abuse, or that the destination only answers to particular browsers or regions. The absence of a result is not proof that the landing page is gone.

The ‘corporate’ links - .Contact Us, Privacy, and Our Customer Terms:

 



One immediate visual inconsistency - “.Contact Us” has a full stop at the beginning. Odd.

The expression of terms and conditions as “Our Customer Terms”, is different to what I would expect, but I checked it against known legitimate emails from Telstra, and they do use that terminology.

When hovering over these links, the URLs are revealed. At first look they may be legitimate Telstra links. The concern I have is that the query string part of the URL “?qs=a660bf42ba...” is an encoded string and is not humanly readable. We do not know what it does, or what the result of clicking the link will be. However, when compared to the links in a legitimate Telstra email, this is very similar. The “https://click.messages.telstra.com/?qs=” prefix is the same, but the encoded query string at the end is a different value. This is the pattern of a marketing platform's click-tracking redirect: the telstra.com host logs the click and then forwards the browser to the real page, with the opaque token identifying the campaign and recipient. From this, my thoughts are that these are legitimate links to Telstra, possibly copied from an earlier Telstra email that the cyber criminals have found. Two cautions follow. First, check the hostname character by character, because a lookalike (a different registrable domain with “telstra.com” as one of its subdomain labels) looks almost identical on hover. Second, genuine footer links prove nothing about the email as a whole; scammers routinely pad their messages with a real brand's boilerplate links precisely so that the one link that matters, the action button, blends in.
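The hover-over checks described in this section can be done mechanically for every link in a message. The following Python is an added example for this page, not code from the original post or from Telstra: it extracts every anchor from an HTML body and flags the three things discussed above, a known URL shortener hiding the destination, a hostname that is not the brand's own (matched on label boundaries, so a lookalike carrying “telstra.com” as a subdomain fails), and an opaque tracking token as the query value. The sample body, the bit.ly path, the lookalike host and the token values are constructed for the example; only the link texts and the click.messages.telstra.com pattern come from the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body.  The link texts follow the post (action button plus
# ".Contact Us", "Privacy", "Our Customer Terms"); the hostnames, paths and
# token values are assumptions for the example, not the original email's.
SAMPLE_HTML = """
<html><body>
<p>To fix that problem, You need to update your information in your account.</p>
<p><a href="https://bit.ly/3xAmPl3">Update Now</a></p>
<p>
<a href="https://click.messages.telstra.com/?qs=a660bf42ba1234567890abcdef">.Contact Us</a>
<a href="https://click.messages.telstra.com/?qs=9f1e2d3c4b5a6978">Privacy</a>
<a href="https://www.telstra.com.au/customer-terms">Our Customer Terms</a>
<a href="https://telstra.com.evil-example.net/login">My Account</a>
</p>
</body></html>
"""

# Assumed starter list of public URL shorteners; extend from your own telemetry.
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly", "is.gd", "rb.gy"}


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def same_brand(host, brand_domains):
    """True only if host is a brand domain or a real subdomain of one.
    Matching on label boundaries means telstra.com.evil-example.net fails
    even though it contains the brand name."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in brand_domains)


def audit_links(html, brand_domains=("telstra.com", "telstra.com.au")):
    """Return one finding per link with the red flags it raises (empty list = clean)."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        flags = []
        if parts.scheme != "https":
            flags.append("not-https")
        if host in KNOWN_SHORTENERS:
            flags.append("shortener")          # real destination hidden from the reader
        elif not same_brand(host, brand_domains):
            flags.append("off-brand-host")     # what the hover check is looking for
        # A long opaque token as the query value is the click-tracking pattern.
        # Legitimate marketing mail does this too: a "look closer", not a verdict.
        token = parts.query.partition("=")[2]
        if re.fullmatch(r"[A-Za-z0-9_=-]{16,}", token):
            flags.append("opaque-query")
        findings.append({"text": text, "host": host, "flags": flags})
    return findings


if __name__ == "__main__":
    for f in audit_links(SAMPLE_HTML):
        print(f"{f['text']:<20} {f['host']:<40} {', '.join(f['flags']) or 'ok'}")
```

Run against the sample, the action button is flagged as a shortener, the two tracking links only as opaque-query, the customer-terms link is clean, and the lookalike host is flagged off-brand despite containing the brand name. The point of `same_brand` is that substring matching on “telstra” would have passed that lookalike.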

Review the Original Source


Most reputable email client applications and web-mail applications, such as Google's Gmail, have some option for viewing the raw text behind an email (often labelled “Show original” or “View source”).

Using such features, you can quickly discover further clues that support or defeat the legitimacy/authenticity of the email you have received. The first part to look at is the summary of the email header information.


 

These details make it clear that the sender of the email is not part of Telstra. First, the sender email address appears to be timc@medgasbd.com. Second, the DKIM (DomainKeys Identified Mail) check has a ‘pass’ result, but the signing domain is NETORG674477.onmicrosoft.com.

So the sender's email address does not match Telstra, and it does not even match the domain that signed the email. Note that onmicrosoft.com does belong to Microsoft: it is the default domain Microsoft assigns to every Microsoft 365 tenant, and a name like NETORG674477 is the auto-generated identifier of a tenant that never configured a custom domain. A DKIM pass for that domain therefore only proves that the message was sent through some Microsoft 365 tenant (a throwaway or compromised one, in the case of phishing), not that it came from Telstra or even from medgasbd.com. The useful signal is the misalignment: the From domain, the DKIM signing domain and the claimed brand are three different things. Definite red flag here.

Scrolling down to the further details, we see a potential reason why the Bigpond mail filters failed to trap this email. The body of the message is not readable plain text; it appears as an encoded blob.




This is almost always base64 Content-Transfer-Encoding rather than true encryption. Base64 is trivially reversed, and any serious mail filter decodes it before inspecting the content, so while an encoded body can defeat a naive keyword match, it is unlikely to be the whole story behind this email slipping through. The practical lesson for the reader is that the raw view has to be decoded before the wording of the body and the destination of the action button can be checked.
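Both checks in this section, the From address against the DKIM signing domain and the decoding of the body, can be scripted with Python's standard `email` library. The block below is an added example for this page, not the author's tooling: it parses a constructed raw message whose From and DKIM `d=` domains are the ones quoted above (medgasbd.com and NETORG674477.onmicrosoft.com), while every other header value, the signature and hash placeholders and the body text are made up for illustration and would not verify against any real key. It reports whether the signing domain aligns with the sender domain, whether the display name borrows a brand the sender domain does not own, and decodes the base64 body to show that the “encrypted” looking blob is plain HTML.

```python
import base64
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed headers.  Assumption: only the From domain and the DKIM d=
# domain are taken from the post; the bh=/b= values are placeholders and the
# Authentication-Results line is what a receiving Microsoft 365 host would add.
HEADERS = b"\n".join([
    b"Authentication-Results: spf=pass smtp.mailfrom=NETORG674477.onmicrosoft.com;",
    b" dkim=pass (signature was verified) header.d=NETORG674477.onmicrosoft.com;",
    b" dmarc=none action=none header.from=medgasbd.com",
    b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;",
    b" d=NETORG674477.onmicrosoft.com; s=selector1; h=From:To:Subject;",
    b" bh=ZmFrZS1ib2R5LWhhc2g=; b=ZmFrZS1zaWduYXR1cmU=",
    b"From: Telstra <timc@medgasbd.com>",
    b"To: customer@example.net",
    b"Subject: You can request a refund of your money",
    b"MIME-Version: 1.0",
    b'Content-Type: text/html; charset="utf-8"',
    b"Content-Transfer-Encoding: base64",
    b"",
    b"",
])

# Constructed body, echoing the call to action quoted in the post.
BODY_HTML = ("<html><body><p>To fix that problem, You need to update your "
             "information in your account.</p>"
             '<a href="https://bit.ly/3xAmPl3">Update Now</a></body></html>')

# Transmit it the way a mail client would: base64 transfer encoding.  In a raw
# view this is the block that looks like ciphertext.
RAW_EMAIL = HEADERS + base64.encodebytes(BODY_HTML.encode("utf-8"))


def registrable(domain):
    """Crude organisational-domain reduction for the alignment comparison.
    Keeps two labels, or three for short ccTLD second levels such as com.au.
    Production code should use the Public Suffix List instead."""
    labels = domain.lower().strip(".").split(".")
    if (len(labels) >= 3 and len(labels[-1]) == 2
            and labels[-2] in {"com", "co", "net", "org", "gov", "edu", "ac"}):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_alignment(raw, brand_name="telstra",
                    brand_domains=("telstra.com", "telstra.com.au")):
    """Compare the visible From address with the DKIM signing domain(s) and the
    claimed brand.  Returns the facts; the caller decides what is a red flag."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display_name, from_addr = parseaddr(str(msg["From"]))
    from_domain = from_addr.rpartition("@")[2].lower()
    dkim_domains = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", str(sig))
        if m:
            dkim_domains.append(m.group(1).lower())
    auth_results = str(msg.get("Authentication-Results", ""))
    from_is_brand = any(from_domain == d or from_domain.endswith("." + d)
                        for d in brand_domains)
    return {
        "from_domain": from_domain,
        "dkim_domains": dkim_domains,
        "dkim_pass": "dkim=pass" in auth_results,
        # DMARC-style alignment: the signer must be the sender's own organisation.
        "dkim_aligned": any(registrable(d) == registrable(from_domain)
                            for d in dkim_domains),
        "from_is_brand": from_is_brand,
        # Display name says "Telstra" while the address does not: brand spoof.
        "display_name_borrows_brand": brand_name in display_name.lower() and not from_is_brand,
        # *.onmicrosoft.com is Microsoft's default per-tenant domain, so a pass
        # for it only proves "some Microsoft 365 tenant sent this".
        "signed_by_default_tenant_domain": any(d.endswith(".onmicrosoft.com")
                                               for d in dkim_domains),
    }


def decode_body(raw):
    """Undo the transfer encoding.  What looks like ciphertext in the raw view
    is base64; get_content() decodes it and applies the declared charset."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return msg.get_body(preferencelist=("html", "plain")).get_content()


if __name__ == "__main__":
    for key, value in check_alignment(RAW_EMAIL).items():
        print(f"{key:<32} {value}")
    print(decode_body(RAW_EMAIL))
```

On the constructed message the DKIM check passes, yet `dkim_aligned` is false because onmicrosoft.com is not the organisation that medgasbd.com belongs to, and `display_name_borrows_brand` is true because “Telstra” appears only in the friendly name. That combination, a valid signature from an unrelated domain plus a borrowed display name, is the same set of facts the header screenshot shows, and it is exactly what DMARC alignment exists to catch.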

The Final Clue - The Big Picture


Sometimes, the best way to determine if an email is fraudulent is to read the whole email. Read all of it, and ask yourself does it make sense. With this specific phishing email, this was actually the biggest and most obvious clue that did not require technical know-how.

In this email there are three elements that are readily visible to the user, and all of them are inconsistent with each other:
  • The subject line - the subject line tells the user they may request a refund
  • The body of the email - does not mention a refund, but tells the user a payment has failed and that they can fix the problem
  • The footer of the email - tells the user “THINGS YOU NEED TO KNOW”, and refers to service and performance related outcomes/limits. This has nothing to do with refunds, nor account details. Perhaps the scammers put this in because the server that they were hosting their dodgy fake-Telstra site from was not very powerful. (Just my speculation)


To my mind, the three pieces of information I've listed above, do not feel like they come from the same email, nor do they belong in the same email. I feel that any well practiced corporate organisation would pick up such issues when they are designing their email templates.

To Recap - Red Flags


This post is longer than I envisaged, and there is a lot to take in. Some of the elements of the email that we investigated lend some credence to potential authenticity, but I feel that this is truly outweighed by the following red flags that mark this email as a phishing scam:
  1. Shortened URL for action button, which appears to no longer be active.
  2. Inconsistent content - effectively changes topic and voice in a couple of places
  3. Sender email address does not belong to Telstra
  4. DKIM signing domain is a generic Microsoft 365 tenant domain, not Telstra, and does not align with the sender address
  5. Capitalisation is incorrect.


In summary, LLMs and AI may be helping the scammers to produce more authentic looking phishing emails. But for now, many phishing or scam emails can still be spotted by a user who is paying attention.

Sunday, 14 January 2024

New Year. New Focus. I Want More!

The last five years have passed quickly. With lots happening in my workplace, as well as around our property, I have neglected to keep my blogging habits alive.

It is time to turn that around. The IT and cyber security fields move so quickly that it is necessary to share information, and for professionals in the industry to give back to their local communities, to ignite the passion in those who may wish to walk the same path in future.

From here forward, this blog has a new title, a renewed focus, and me sharing my passions and learning on my journey through IT and cyber security.

Apart from this post, I have also compiled a new page of resources - I Want To Know More. I hope you find these useful.