Phishing scam combines password theft with Duo verification

Illustration of Duo login on phone

The University of Oregon’s cybersecurity leader urges the UO community to use increased caution with Duo two-step login, particularly before and during the World Athletics Championships Oregon22.

Over a three-day period in early July, cybercriminals used six compromised UO accounts to send more than 65,000 phishing emails to UO students, faculty members and staff.

“We had already put protections in place, expecting to see attacks like these when the world's attention was on the university,” said José Domínguez, interim chief information security officer. "But no matter what, some scams will get through, so each of us still needs to stay vigilant to protect ourselves and those around us."

“We currently have no indications that the compromised Duck ID credentials have been used for anything more than sending phishing emails in an attempt to harvest more credentials,” Domínguez wrote in a July 8 email to the UO community.

Duo login promptWith students now using UOmail, the university’s Duo-protected email system, cybercriminals must now both steal a password and obtain a Duo verification to access the email account of any student, staff member or faculty member.

“This is a cyber-arms race,” Domínguez said. “We implemented Duo to protect our Duck IDs, so now the cybercriminals are getting sophisticated in trying to work around that, and they’ll just always keep trying new things.”

Domínguez’s team has identified several patterns among the recent account compromises. Some victims entered their Duck IDs and passwords in what turned out to be fake login pages, then received verification requests from Duo. In some cases, the victims received multiple Duo verification requests in quick succession.

Most insidious are the fake login pages and sequences that closely imitate what the UO uses.

“Many of us log in to UO services so often that it’s easy for it to become automatic,” Domínguez said. He urged UO students, staff members and faculty members to fight that tendency and make a point of giving their full attention to any login process.

“The only time you should be approving a Duo verification request is when you’re actively logging in to a Duo-protected UO service,” Domínguez said. “Make sure the login page is real, and then make sure you see a Duo prompt on the screen before getting a Duo phone call or push notification.”

People who receive Duo verification requests at any other time should tap “Deny” in the Duo Mobile app or “9” on a Duo phone call. A follow-up step allows the user to report the fraudulent login attempt to Information Services, which helps technology staff stop attacks faster.

Anyone who experiences such an unsolicited Duo verification attempt should immediately change their Duck ID password.

People can report phishing emails through the Report Phish button in Outlook or by emailing phishing@uoregon.edu. More guidance about phishing is available in Around the O.

All UO employees, including graduate employees and student employees, can take the new UO Cybersecurity Basics training to learn more about protecting accounts and devices. Information Services launched the 20-minute online training in May.

To protect phishing victims, the UO Information Security Office will temporarily disable the account of anyone who has clicked a malicious link and potentially entered their credentials. To restore account access, users should contact the Technology Service Desk by phone at 541-346-4357 or by live chat.

People with questions or concerns about cybersecurity can contact the Tech Desk or the IT staff who support their unit.

—By Nancy Novitski, University Communications