April 2023 Safe Computing

Sophisticated Phishing Attacks Aimed at Your Pay – Multi-Factor Authentication Can Help

In recent months, the Information Security Office has seen an uptick in the number of phishing emails that target employees' credentials in order to redirect their payroll deposits. This article explains how these attacks work.

Phishing Content. Any phishing email that can entice people to provide credentials will work. These might be sent from a spoofed address or from a temporarily compromised maine.edu account. See Figure 1 below.

[Image: a phishing email that appears to be sent from the Office of the Registrar at the University of Maine]

Figure 1. Phishing Email Example

This recent phishing email was sent to many maine.edu accounts. Targeted at students, it enticed them to view their academic records. In some instances a compromised UMS account was used to send the email, so a legitimate maine.edu email address appeared in the "from" field, which added to the appearance of legitimacy.

Attached to the phishing email was a password-protected PDF. The password protection helps the message bypass certain spam filters and persuades the recipient that confidential information is being properly protected and is suitable to send by email. The recipient is directed to click the link in the document. See Figure 2 below.

[Image: the embedded document shows the University of Maine logo and states "This document is protected. Please click the link below to view online"; the link reads "View Online"]

Figure 2. Phish Embedded Document with Link
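Because the password-protected PDF is itself a signal, a mail gateway or triage script can flag attached PDFs that declare encryption before a person ever opens them. The following is an added example, not code from the Information Security Office: it looks for an /Encrypt entry in a PDF's trailer (or cross-reference stream dictionary) and runs that check over the attachments of a constructed message that mimics the lure; the PDF skeletons and sender addresses are constructed sample data.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

def pdf_is_encrypted(data: bytes) -> bool:
    """True if a trailer or xref-stream dictionary carries an /Encrypt entry.
    The dictionary is taken as the bytes from its keyword up to the next
    'startxref' (classic trailer) or 'stream' (xref stream, PDF 1.5+)."""
    if not data.startswith(b"%PDF-"):
        return False
    for m in re.finditer(rb"trailer|/Type\s*/XRef", data):
        ends = [i for i in (data.find(kw, m.end()) for kw in (b"startxref", b"stream")) if i != -1]
        window = data[m.start(): min(ends) if ends else len(data)]
        if b"/Encrypt" in window:
            return True
    return False

def encrypted_pdf_attachments(raw_message: bytes) -> list:
    """Names of attached PDFs that declare encryption; empty list if none."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        is_pdf = part.get_content_type() == "application/pdf" or name.lower().endswith(".pdf")
        if is_pdf and pdf_is_encrypted(part.get_payload(decode=True) or b""):
            flagged.append(name)
    return flagged

# Constructed sample data: minimal PDF skeletons (not renderable) with and
# without an /Encrypt entry, wrapped in a constructed message that mimics the lure.
ENCRYPTED_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
                 b"5 0 obj << /Filter /Standard /V 1 /R 2 /P -1 >> endobj\n"
                 b"trailer << /Root 1 0 R /Encrypt 5 0 R >>\nstartxref\n0\n%%EOF\n")
PLAIN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
             b"trailer << /Root 1 0 R >>\nstartxref\n0\n%%EOF\n")

def build_sample_message(pdf_bytes: bytes, filename: str = "Academic_Record.pdf") -> bytes:
    msg = EmailMessage()
    msg["From"] = "registrar@example.edu"   # constructed, not a real sender
    msg["To"] = "student@example.edu"
    msg["Subject"] = "Your academic record"
    msg.set_content("This document is protected. Please open the attachment to view.")
    msg.add_attachment(pdf_bytes, maintype="application", subtype="pdf", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    print(encrypted_pdf_attachments(build_sample_message(ENCRYPTED_PDF)))  # ['Academic_Record.pdf']
    print(encrypted_pdf_attachments(build_sample_message(PLAIN_PDF)))      # []
```

An encrypted attachment is not proof of phishing on its own, so this belongs in a scoring or quarantine-for-review rule rather than a hard block.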

The spoofed UMS login page gives the scammer perfect cover to collect the recipient's username and password, which can then be used to steal University data and/or to send additional phishing emails. Notice that the URL does not contain maine.edu. See Figure 3 below.

[Image: look-alike UMS login page used to steal credentials]

Figure 3. Password Stealing Look-Alike Login Page
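The "URL does not contain maine.edu" cue is a good start, but a substring test alone is not reliable, because maine.edu can appear in a subdomain label, in the user-info part before an @, or in the path of a hostile URL. The following is an added example, not code from the Information Security Office, that checks the host the browser would actually connect to; the trusted-suffix list and every sample link (including the maine.edu subdomain) are constructed for illustration.

```python
from urllib.parse import urlsplit

# Suffixes whose hosts are treated as the University's own. An assumption for
# this example, not an official list from the Information Security Office.
TRUSTED_SUFFIXES = ("maine.edu",)

def naive_contains(url: str) -> bool:
    """The check the eye tends to make: does the text 'maine.edu' appear anywhere?"""
    return "maine.edu" in url.lower()

def host_is_trusted(url: str, suffixes=TRUSTED_SUFFIXES) -> bool:
    """True only if the URL's host is a trusted domain or a subdomain of one."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname          # drops "user:pass@" and the port, lowercases
    if not host:
        return False
    host = host.rstrip(".")        # "maine.edu." names the same host as "maine.edu"
    return any(host == s or host.endswith("." + s) for s in suffixes)

# Constructed sample links of the kinds seen on look-alike login pages.
SAMPLE_LINKS = {
    "https://MaineStreet.Maine.edu/signon": True,              # constructed real-looking subdomain
    "https://login.maine.edu.verify-account.example/": False,  # maine.edu as a subdomain label
    "https://maine.edu@evil.example/login": False,             # maine.edu in the user-info part
    "https://evil.example/maine.edu/login": False,             # maine.edu in the path
    "https://mymaine.edu/": False,                             # shares a suffix, not a subdomain
}

if __name__ == "__main__":
    for link, expected in SAMPLE_LINKS.items():
        print(f"trusted={host_is_trusted(link)!s:5} naive={naive_contains(link)!s:5} {link}")
```

Every hostile sample passes the naive substring test while failing the host check, which is why the advice in this article is to never start from the link at all.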

Use of Stolen Credentials. In these attacks, the primary purpose is to use the stolen credentials to log onto the MaineStreet self-service module. Finding and using self-service is not a problem for these criminals, who are well skilled in using enterprise systems such as Oracle's PeopleSoft, the underlying program in MaineStreet. Once signed in, the attacker changes the direct deposit account. The account used may be one compromised in a different scam or an internet-based account such as those from Green Dot Bank.

Timing. Attackers send emails to employees timed to coincide with pay cycles. These typically occur toward the end of the month, but not always, as attackers know that employees may be paid biweekly. The closer to payday an attacker changes a direct deposit, the better their chance of collecting the money before the phishing is discovered.

What you can do. To stay secure and help limit the effects of this type of phishing, here are actions you can take.

  1. Use Multi-Factor Authentication (MFA). MFA requires you to confirm each login using the Duo App on your smartphone or another physical token. You can sign up for MFA at accounts.maine.edu, the same place you change your UMS Password. Once you have enabled MFA, attackers won't be able to log in to your email or MaineStreet with your username and password alone, because they don't have access to your device.
  2. Don't sign into systems from an email link. If you receive an email that you believe may reference legitimate content, set the email aside and go to your usual login method. Only trust the way you usually log on, whether through the myCampus portal or another means. This advice works in your personal life as well: go to a trusted source.
  3. Report Phishing. Send an email to phish@maine.edu. In 2022, 749 individuals reported 1686 receipts of phishing emails. These reports alert the Information Security Office to phishing activity. After submission, you will not receive a response unless: a) you signed into a system from an email link and suspect your credentials were stolen, b) you need help in determining whether an email was legitimate, or c) you need other security-related assistance. The Information Security Office uses all emails sent to phish@maine.edu to investigate and respond to phishing accordingly.

Multi-Factor Authentication (MFA) Required for Financial Aid Information

Financial Aid Information is regulated by the Federal Trade Commission (FTC) under the Gramm-Leach-Bliley Act (GLBA). In December 2022, the FTC updated the Standards for Safeguarding Customer Information under the Code of Federal Regulations (Title 16, Part 314), which implements GLBA. The new rule, effective June 9, 2023, calls for implementing multi-factor authentication for any individual accessing an information system that contains information about a customer who obtained a financial product or service.

If you have access to any financial aid information, you are required to sign up for MFA. You will then need a smartphone with the Duo App, or another provided token device, to log into your University maine.edu accounts. For information about signing up for MFA, go to accounts.maine.edu, the same place you change your UMS Password.

The Information Security Office has new information resources available, including a page on remote work and COVID-19 cybersecurity, on the Information Security portal.

Questions? Comments? Contact UMS Information Security at infosecurity@maine.edu.

(Content for this page was provided by John Forker, Chief Information Security Officer)