In July 2017, I received an email from a professor reporting a spear phishing attack against Ryerson. He was one of the 500 people targeted with a message asking them to log in to a Ryerson site that wasn’t actually set up by Ryerson. The attacker had created a copy of the RMail login page on their own server so they could capture Ryerson usernames and passwords.
While the attacker sent the message to 500 people, only the 14 people who were using RMail ended up with the message in their inbox. The remaining 484 active accounts were all on Gmail. Google’s email filters correctly identified the message as a phishing attack and diverted it to their spam folder.
CCS’ response to the spear phishing attack
In response to the attack, Computing and Communications Services (CCS) blocked access to the attacker’s website from Ryerson’s network. We also detected that seven people visited the malicious site. Eventually, CCS contacted the 14 people who received the email with information about what to do if they had entered their Ryerson password on the fake site.
Overall, had all the recipients been protected by Gmail, the risk of compromised accounts would have been much lower and CCS’ follow-up work would have been unnecessary.
Phishing and malicious link alerts
Gmail not only diverts phishing messages into your spam folder, but also inserts a warning and removes the malicious link to prevent you from clicking on it.
Here’s an example of a phishing email received in a Gmail account in January 2018:
For comparison, this is the same message as received in an RMail account. Notice that hovering over the malicious link shows it leads to the attacker’s server and not to a Ryerson site:
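The hover check described above (the link's visible text or surrounding wording suggests a Ryerson site while the actual destination is the attacker's host) can be automated on the receiving side. The following is an added example, not code from the original CCS post or from Google: it parses the anchor tags in an HTML email body and flags any link whose href host is outside a list of trusted domains, or whose visible text names a trusted host while the href points elsewhere. The sample message, the attacker hostname and the TRUSTED_DOMAINS list are constructed placeholders for illustration.

```python
"""Flag suspicious links in an HTML email body.

Added example (not part of the original post). It parses <a> elements,
compares each href's host against the organisation's trusted domains,
and also catches the mismatch a reader sees when hovering: visible text
naming a trusted host while the href goes somewhere else.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the institution's legitimate web/mail domains.
TRUSTED_DOMAINS = ("ryerson.ca",)

# Constructed sample: one lure whose text reads like a Ryerson URL but
# whose href is an attacker-controlled placeholder host, and one
# legitimate link for contrast.
SAMPLE_HTML = """
<p>Your RMail quota is full. Please <a href="http://rmail-login.example.net/cas">
log in at https://rmail.ryerson.ca</a> to keep receiving messages.</p>
<p>See the <a href="https://www.ryerson.ca/ccs/">CCS site</a> for help.</p>
"""


def _host(url: str) -> str:
    """Return the lower-cased host part of a URL ('' if there is none)."""
    return (urlparse(url.strip(".,;:()<>\"'")).hostname or "").lower()


def _is_trusted(host: str) -> bool:
    """True if host equals a trusted domain or is a subdomain of one."""
    return bool(host) and any(
        host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS
    )


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []      # finished (href, text) pairs
        self._href = None    # href of the <a> currently open, if any
        self._text = []      # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((self._href, text))
            self._href = None


def extract_links(html: str):
    """Return [(href, visible_text), ...] for all anchors in html."""
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def find_suspicious_links(html: str):
    """Return findings for links that should be flagged to the reader.

    A link is flagged when (a) its href host is not a trusted domain, or
    (b) the visible text spells out a trusted host but the href differs.
    """
    findings = []
    for href, text in extract_links(html):
        href_host = _host(href)
        # Hosts that appear as spelled-out URLs in the visible link text.
        text_hosts = [_host(w) for w in text.split() if "://" in w]
        reasons = []
        if not _is_trusted(href_host):
            reasons.append("href host is not a trusted domain")
        if any(_is_trusted(h) and h != href_host for h in text_hosts):
            reasons.append("visible text names a trusted host but href differs")
        if reasons:
            findings.append(
                {"href": href, "host": href_host, "text": text, "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_links(SAMPLE_HTML):
        print(finding["host"], "->", "; ".join(finding["reasons"]))
```

Run against the constructed sample, the script flags only the first link (untrusted host, and visible text naming a trusted host). A real mail gateway would additionally resolve redirectors and check the host against threat intelligence; this block shows only the structural mismatch check.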
Despite significant effort by CCS to improve RMail’s security, it’s been difficult to match Gmail’s ability to detect malicious email attachments. Google’s anti-malware system automatically runs many types of executable files and allows the code to execute inside simulated PC and Mac environments.
Running these files allows Google to detect malware without relying on file signatures, which only work if there is a match to a specific, already known malware type. CCS has attempted to set up a similar service for RMail, but doing so caused long delays in delivering email and was less effective at detecting evasive malware than a comparable cloud-based service.
Two-factor authentication compatibility
RMail does not work with Ryerson’s two-factor authentication system as the software used to provide the RMail service does not support Ryerson’s Central Authentication Service (CAS). CAS is the system you use to log in to the my.ryerson portal and systems like Gmail, Google Drive, eHR, D2L Brightspace and RAMSS amongst others.
Since CAS is also the system that provides two-factor authentication, the same issue does not exist for Gmail, which works with CAS. To increase RMail’s security, we’re investigating requiring RMail users to log in to one of our firewalls using two-factor authentication before logging in to RMail. While the two logins may be a hindrance to RMail users and would require additional work on CCS’s part, at least RMail accounts would be better protected.
Operating on a global scale
Overall, Gmail is much more secure than RMail and other locally-hosted solutions. Part of the reason for this is due to Google’s ability to operate at a scale that allows them to detect and respond to attacks quickly and effectively.
At the 2018 Google Next conference, Google announced that they:
- support 1.4 billion monthly active Gmail users, including 80 million students;
- stop 99.9 per cent of spam and phishing attacks; and
- block 10 million bad messages per minute.
Why does this matter?
Occasionally, someone will tell me none of this really matters because they aren’t going to be fooled by phishing attacks and know better than to open most attachments. I wish that’s all there was to it. The truth is that RMail is a security liability.
Compromised RMail accounts can be used by attackers to send very convincing phishing and other malicious emails to other people at Ryerson. Those emails can be injected into existing email discussions and will deceive just about everyone. This phishing technique has been successfully used at other universities to compromise accounts as part of payroll diversion attacks.
Seven years ago, running RMail in parallel with Gmail didn’t seem that risky. CCS already had in place both open source and proprietary spam and attachment filtering systems that worked reasonably well. But a lot has changed since then—the internet has become an increasingly hostile place. RMail has fallen behind and we don’t have the capacity to protect it in the same way Google can protect Gmail.
Of course, there is much more to Gmail security so I have provided references for those who may be interested.
- Electronic Frontier Foundation’s Encrypt the Web Report
- New Built-In Gmail Protections to Combat Malware in Attachments
- Understanding differences between corporate and consumer Gmail threats
- Protecting You Against Phishing
- A reminder about government-backed phishing
- G Suite Security and Trust (Scroll down to get to the content.)
Readers may also be interested in our first blog post for this consultation, “Is it time to shut down RMail?”.
Chief Information Officer
This blog post was originally communicated via email to Ryerson students, faculty and staff currently using RMail.