
Multi-stage phishing attack aims to collect credentials and personal information – @theU

The U.S. Information Security Office (ISO) is warning students, faculty and staff of an ongoing, sophisticated, multi-stage phishing attack designed to collect login credentials and personal information from users to potentially gain unauthorized access to university and personal accounts.

The ISO is acting proactively to protect the University’s accounts and resources and has contacted known recipients directly with instructions and support resources.

The phishing attack strategy

  • The attacker sends one or more phishing emails with links to websites posing as university websites to collect usernames and passwords. These messages can take many forms, but most are fake job offers. Please visit ISO’s Phish Tank for an overview of current phishing attacks (login required) so you know what to expect.
  • The attacker later sends one or more phishing emails to collect personal information via a Google Form. The form asks for your name, phone number, alternate (personal) email address, school email address, current job, citizenship status, and home address. The latest phishing message reads: “This is the last time we will notify you that we will stop processing incoming emails to your school account. This is because you have not verified your Microsoft account, which may result in permanent deletion of your account. Delete account from our database in the next few hours. Please take a minute to complete our email confirmation below. Fill out the form below.”

Screenshot of Google Phishing Form:

  • Using the username and password collected in Step 1 and the phone number provided in Step 2, the attacker sends an SMS or text phishing message asking the user a series of questions to ultimately trick them into accepting a Duo Push two-factor authentication (2FA) notification. This allows the attacker access to the user’s university account – and personal accounts if they use the same password. By accessing a personal account, criminals can steal the user’s identity, take over their bank account, etc.

Screenshot of the phishing SMS:

Text messages dated October 1, 2024. The messages, which are a phishing attack, ask the recipient if they would like to deactivate their U of U email account. If the recipient answers

What to do

  • If you have received a phishing email, please delete it.
  • If you have received a phishing SMS, please call your central IT helpdesk to report it:
    • Main Campus, 801-581-4000
    • University of Utah Health, 801-587-6000
  • If you provided personal information to the scammer:
    • Please log in to CIS, reset your university password immediately, and call your IT help desk to open a “high” urgency ticket with ISO.
    • Reset the password for your personal email accounts and for any personal accounts that reuse your University password and/or your personal email account password.
    • Be on the lookout for text messages purporting to be from the university or a partner company asking you to approve a Duo 2FA push notification and block them. Report them to your IT help desk.
  • If you have any questions, please contact your IT helpdesk.
