Tidal wave of phishing sets lure for personal accounts

The day before fall term began, members of the University of Oregon community received more than 50,000 emails with fake job offers, asking recipients to provide a non-UO email address to continue the conversation.

That wave of phishing emails, timed to the start of fall term, fits a familiar pattern for universities across the country and exemplifies two growing trends noted by UO's Information Security Office.

"Cybercriminals tend to take advantage of times when our routines are disrupted," said José Domínguez, interim chief information security officer. "When the academic year starts. Over breaks. The fall surge actually starts in August, when semester schools start."

A phishing scam attempts to trick the recipient into sharing sensitive information or establishing a relationship with a cybercriminal, who then proceeds to steal money, identities or intellectual property or gain unauthorized access to UO systems and data.

The latest phishing campaign

On Sept. 26, UO faculty members, staff and students received more than 50,000 phishing emails. The messages purported to offer jobs "providing basic admin duties remotely." Recipients were asked to contact a Gmail address and provide their own "alternative" email address.

To distribute the emails, the attacker used a small handful of UO accounts that were already compromised.

The Information Security Office currently has no indications of further account compromises resulting from this attack. However, the campaign was designed to move conversations off UO systems, beyond the scope of UO security measures.

What to look for this year

The recent attack exemplifies two patterns that have become more common in the past year.

First, after stealing a Duck ID password, the cybercriminal triggers a Duo verification request for that account, hoping a distracted UO user will approve the request and unknowingly provide access to their account. The Information Security Office first warned campus about that pattern in July.

The only time UO community members should approve a Duo verification request is when they're actively logging in to a Duo-protected UO service.

"If you get a Duo phone call or push notification, take a moment and ask yourself whether it makes sense," Domínguez said. "Even at busy times. Especially then."

Second, as the UO has increased the security of its own systems, cybercriminals seek to lure UO students, staff and faculty members into personal email, text and chat conversations, where UO systems can't track malicious activity, as first mentioned in Around the O last fall.

"The attackers know we can't protect you in systems outside of our control," Domínguez said.

He encouraged people to stay nimble and alert to the constant evolution of such scams.

"We protected our Duck IDs with Duo, we brought everyone onto UOmail and we've implemented many other security measures behind the scenes," Domínguez said. "In response, cybercriminals will keep changing tactics."

How to protect yourself

When in doubt about a message, UO community members can:

The Information Security Office offers the following tips for staying safe from phishing messages:

  • Beware of tantalizing offers. If it seems too good to be true, it probably is.
  • Don't click links in suspicious messages.
  • Don’t share confidential information, yours or the university's.
  • Beware of attachments. To avoid malicious software, or malware, delete any message with an attachment unless you're expecting it and are absolutely certain it's legitimate.
  • Be wary of suspicious emails from UO accounts. Cybercriminals often distribute phishing messages from accounts they've compromised.
  • Confirm identities. Cybercriminals often impersonate schools, financial institutions, health authorities, retailers and a range of other service providers by using official-looking logos and similar email addresses and URLs.

In addition:

  • Deny unexpected Duo requests. If you receive a Duo verification request when you're not logging into a Duo-protected UO service, tap “Deny” in the Duo Mobile app or 9 on a Duo phone call. Then confirm the login was suspicious to alert UO staff.
  • Keep your computer and other devices up to date. Those software and system updates often fix security gaps.

Information Services offers more tips to help determine if a suspicious email is malicious, as does the Federal Trade Commission.

All UO employees, including graduate employees and student employees, also can take the new UO Cybersecurity Basics training to learn more about protecting accounts and devices.

If you’ve responded to phishing

Anyone who has responded to a suspicious email should immediately contact phishing@uoregon.edu and then consider the following next steps, depending on the situation:

  • Entered Duck ID and password on a fake website? Go to Duck ID Self-Service, change password and revise security questions and answers.
  • Entered UO ID number, also known as 95 number, and corresponding password, or PAC, on a fake DuckWeb site? Go to DuckWeb, change the PAC and verify that no important information has been changed.
  • Believe you're the victim of an online crime, such as identity theft? Report it to UOPD at 541-346-2919 or online, no matter how minor it may seem. Identity theft happens when someone steals your personal information, such as your Social Security number, and uses it to obtain credit cards or loans or commit another form of fraud in your name.

To protect phishing victims, the Information Security Office will temporarily disable the account of anyone who has clicked a malicious link and potentially entered their credentials. To restore account access, users should contact the Technology Service Desk by phone at 541-346-4357 or by live chat.

—By Nancy Novitski, University Communications