Phishing for Credentials
Phishing of all types continues to be in abundance. For this article, I am going to skip the scams that lure people to buy gift cards or that baby grand piano or pay McAfee, Norton, or Geek Squad invoices – all of which have hit campuses around the country. This article focuses on phishing emails that are looking to steal your passwords – also known as credential harvesting. Why is credential harvesting successful, what are the risks to you, and what can you do about it?
Why is credential harvesting successful?
- It appears to originate “in-house.”
The most recent credential-harvesting phishing emails that we have seen start by using an already compromised account. Once criminals can sign into one account, they send phishing emails from an actual “maine.edu” account and not a spoofed account. Emails from a “maine.edu” account seem much more legitimate to recipients. Criminals change email filter settings to hide their nefarious activity from the rightful owner.
- You want to see that content.
Successful credential harvesting emails center around information that recipients want to see, such as payroll or personnel actions. Adding a link that appears to go to a secure document piques readers’ interest and makes them want to log in. If the document is something familiar to a university user, such as a Google or Microsoft document, it seems more legitimate. Readers are unable to discern that the link doesn’t go to a maine.edu account.
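The article says readers cannot tell that the link does not lead to maine.edu. The check below is an added example, not code from the University of Maine System or the article's author; it shows what a mail gateway or a careful reader has to do to answer that question correctly: take the host the browser would actually connect to (dropping anything before an "@", the port and the path), normalise lookalike Unicode letters, and accept only maine.edu itself or a subdomain of it. The sample links are constructed for this example and do not come from the article.

```python
from urllib.parse import urlsplit

UNIVERSITY_DOMAIN = "maine.edu"  # the real domain named in the article


def link_host(url):
    """Return the host a browser would actually connect to, normalised.

    urlsplit().hostname already strips userinfo ("maine.edu@other.example"),
    the port and the path, and lowercases the name. IDNA-encoding turns
    lookalike Unicode letters into their xn-- form, so a host that merely
    looks like maine.edu can no longer compare equal to it.
    """
    host = urlsplit(url.strip()).hostname
    if not host:
        return None
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def is_university_host(host, domain=UNIVERSITY_DOMAIN):
    """True only for the domain itself or a subdomain of it.

    A plain substring test would wrongly accept maine.edu.docs.example.
    """
    return host is not None and (host == domain or host.endswith("." + domain))


def assess_link(display_text, href):
    """Classify a link as a cautious reader (or a mail gateway) should.

    Returns (verdict, reason), where verdict is one of
    "university", "external" or "suspicious".
    """
    host = link_host(href)
    if host is None:
        return "suspicious", "no usable hostname in the link target"
    if urlsplit(href.strip()).scheme.lower() != "https":
        return "suspicious", f"target {host} is not served over HTTPS"
    # If the visible text is itself a URL, its host must match the real target.
    shown = link_host(display_text) if "://" in display_text else None
    if shown and shown != host:
        return "suspicious", f"link text shows {shown} but the target is {host}"
    if is_university_host(host):
        return "university", f"target {host} is under {UNIVERSITY_DOMAIN}"
    return "external", (f"target {host} is outside {UNIVERSITY_DOMAIN}; "
                        "do not enter university credentials there")


# Constructed sample links (hypothetical hosts, not real campaigns).
CONSTRUCTED_LINKS = [
    ("Payroll update", "https://mycampus.maine.edu/psp/hr"),
    ("Secure document", "https://maine.edu.shared-docs.example/login"),
    ("https://maine.edu/hr", "https://maine.edu@login.example.net/"),
    ("Open document", "https://docs.google.com/document/d/abc"),
    ("Sign in", "https://m\u0430ine.edu/"),  # Cyrillic 'а' in place of 'a'
]

if __name__ == "__main__":
    for text, href in CONSTRUCTED_LINKS:
        verdict, reason = assess_link(text, href)
        print(f"{verdict:10} {text!r:28} -> {reason}")
```

The interesting cases are the third and fifth links: the visible text says maine.edu, but the browser would connect to login.example.net, and a host spelled with a Cyrillic letter normalises to an xn-- name that is not under maine.edu at all. A Google or Microsoft document link is classified "external", which is the correct answer to the question the article poses: it may be a perfectly normal document, but it is not a place to type maine.edu credentials.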
- They cycle through senders.
Once criminals harvest credentials, they can move from the original compromised accounts to others, keeping one step ahead of reports of compromised accounts.
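The first point above notes that, after taking over an account, criminals change the victim's email filter settings so that warnings and replies never reach the rightful owner. The script below is an added example, not code from the University of Maine System or from any mail provider; it runs a simple detection over a constructed, hypothetical audit-log format (one JSON object per line, with a "filter_created" event carrying the new rule) and flags the two patterns a defender would want to see first: rules that delete, archive or mark-as-read mail mentioning words like "phishing" or "hacked", and rules that auto-forward mail to an address outside maine.edu. The log lines are constructed for this example; a real provider's audit schema will use different field names.

```python
import json

TRUSTED_DOMAIN = "maine.edu"  # the domain named in the article

# Words an attacker commonly filters out so the owner never sees a warning.
SUSPICIOUS_TERMS = {
    "phish", "phishing", "hacked", "compromised", "suspicious",
    "security", "password", "helpdesk", "spam",
}
# Filter actions that make a message disappear from the owner's view.
HIDE_ACTIONS = {"delete", "archive", "mark_read", "move_to_trash"}

# Constructed sample audit log (hypothetical schema, not a real provider's).
SAMPLE_AUDIT_LOG = """
{"time": "2023-10-02T08:14:05Z", "event": "login", "user": "jdoe@maine.edu", "ip": "203.0.113.7"}
{"time": "2023-10-02T08:15:40Z", "event": "filter_created", "user": "jdoe@maine.edu", "ip": "203.0.113.7", "rule": {"criteria": {"subject": "phish OR hacked OR suspicious"}, "actions": ["mark_read", "delete"]}}
{"time": "2023-10-02T08:16:02Z", "event": "filter_created", "user": "jdoe@maine.edu", "ip": "203.0.113.7", "rule": {"criteria": {}, "actions": ["forward"], "forward_to": "jdoe.backup@example.net"}}
{"time": "2023-10-02T09:00:00Z", "event": "filter_created", "user": "asmith@maine.edu", "ip": "198.51.100.4", "rule": {"criteria": {"from": "newsletter@maine.edu"}, "actions": ["label:Newsletters"]}}
"""


def parse_events(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_external(address, domain=TRUSTED_DOMAIN):
    """True if the mailbox's domain is not the trusted domain or a subdomain of it."""
    mail_domain = address.rsplit("@", 1)[-1].lower()
    return not (mail_domain == domain or mail_domain.endswith("." + domain))


def classify_rule(rule):
    """Return the reasons a new filter rule looks like post-compromise hiding.

    An empty list means the rule looks benign.
    """
    reasons = []
    criteria = rule.get("criteria", {})
    criteria_text = " ".join(str(v) for v in criteria.values()).lower()
    actions = set(rule.get("actions", []))
    hiding = sorted(actions & HIDE_ACTIONS)

    hits = sorted(term for term in SUSPICIOUS_TERMS if term in criteria_text)
    if hits and hiding:
        reasons.append(f"hides messages matching {hits} via {hiding}")
    if not criteria and hiding:
        reasons.append("catch-all rule that hides every incoming message")

    forward_to = rule.get("forward_to")
    if forward_to and is_external(forward_to):
        reasons.append(f"auto-forwards to external address {forward_to}")
    return reasons


def find_suspicious_rules(log_text):
    """Run classify_rule over every filter_created event and collect findings."""
    findings = []
    for event in parse_events(log_text):
        if event.get("event") != "filter_created":
            continue
        reasons = classify_rule(event["rule"])
        if reasons:
            findings.append({
                "time": event["time"],
                "user": event["user"],
                "ip": event.get("ip"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_rules(SAMPLE_AUDIT_LOG):
        print(f"{finding['time']} {finding['user']} from {finding['ip']}:")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
```

On the constructed log this reports two rules for jdoe, both created within minutes of a login from the same address, and says nothing about asmith's newsletter label. In practice the time between the login and the rule creation, and whether that login came from a location the user has never used before, are the next two signals worth joining to this one.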
What are the risks to the university, to other people’s data, and to you?
- You could be the center of a wide-scale breach.
Data that you have access to with those credentials might be stolen. This might include data from MaineStreet, shared drives, or other sensitive systems.
- Your own data could be stolen.
Even if you don’t have access to other people’s information, information about you could be at risk. Identity theft can be lucrative for criminals and difficult for you to unravel.
- Your payroll deposit may be misdirected.
It is common for criminals who obtain university credentials to use them to log into employee self-service portals and change where payroll deposits are sent.
- Your email account might be used to phish others.
Even once others realize that your account was compromised, the phishing sent from it continues to cause havoc. We have seen some compromised accounts being used to phish people at other universities.
What can you do about it?
- Use MFA.
Sign up for Multi-Factor Authentication (MFA). MFA will prevent criminals from using compromised credentials to sign into systems that require MFA. It is easy to sign up and easy to use, either on your smartphone or with a hardware token.
- Don’t reuse passwords.
Criminals will attempt to use stolen credentials to sign in to other accounts with similar usernames, trying the same password and common variations of it.
New Training and More Documentation
The Information Security Office has revised the annual compliance training, which is now available. You can find it at the UMS Academy in the Infobase system. We have also developed a series of phishing articles in the knowledge base, including some real-world examples of phishing.
A note about MFA Access and Financial Aid
In June, the Federal Trade Commission updated the regulation regarding the Standards for Safeguarding Customer Data, which had been established under the Gramm-Leach-Bliley Act (GLBA). This regulation, which applies to student financial aid information, now requires the use of Multi-Factor Authentication when accessing financial aid information. Anyone with access to financial aid information is required to sign up for and use MFA.
The Information Security Office has new information resources available, including a page on remote work and COVID-19 cybersecurity available from the Information Security portal.
Questions? Comments? Contact UMS Information Security at email@example.com.
(Content for this page was provided by John Forker, Chief Information Security Officer)