Since the beginning of the new year, malicious actors have been obtaining credentials for multiple Indiana University computing accounts through phishing emails. The messages are sent through IU mail servers so that they appear more legitimate. Once an actor has a user's credentials, they attempt to trigger fraudulent Duo prompts; if the user approves one, the actor can add their own Duo device to the user's profile and gain full access to the account. Below are three common ways an actor tries to gain access to a legitimate user's account.
- Random Duo prompt. The attacker sends a single push prompt hoping that the legitimate user will approve it without checking the location shown in the request. You should only receive a Duo prompt when you yourself are signing in to an IU resource, including when your browser auto-fills saved credentials. Any other prompt should be considered suspicious and reported.
- Passcode phishing. The attacker contacts the user claiming that the account may have been compromised, then triggers a one-time text message from Duo containing an authentication passcode and asks the user to reply with that passcode to "confirm their identity." The passcode is then used to log in as the user. IU only prompts for Duo passcodes through the IU VPN; any other request for a passcode should be considered malicious.
- Exhaustion attack (also known as push bombing or MFA fatigue). The attacker sends a large number of push requests in an attempt to wear the user down into approving one just to make the notifications stop. Do *not* approve any Duo request you did not initiate, and report the activity immediately to the UISO so that they can block it.
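The exhaustion pattern above, and the "approve it to make it stop" outcome that the UISO wants to catch and block, can also be spotted on the defender's side from Duo authentication logs. The script below is an added example, not IU's or Duo's own code. The log records are constructed for this example, and their field names (`timestamp`, `user.name`, `factor`, `result`, `reason`, `access_device.ip`) are an assumption that approximates the shape of Duo Admin API authentication-log entries; the thresholds are illustrative, not IU's tuned values.

```python
"""Flag Duo push bombing and fatigue-driven approvals from authentication log records.

Added example for illustration; the records below are constructed and the field
names only approximate the Duo Admin API authentication-log schema (an assumption).
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: one JSON record per line. jdoe gets five pushes in under
# three minutes and approves the last one; asmith has two normal logins an hour
# apart; bwong reports a push as fraudulent from the Duo Mobile app.
SAMPLE_LOG = """\
{"timestamp": 1704110400, "user": {"name": "jdoe"}, "factor": "duo_push", "result": "denied", "reason": "no_response", "access_device": {"ip": "203.0.113.7"}}
{"timestamp": 1704110430, "user": {"name": "jdoe"}, "factor": "duo_push", "result": "denied", "reason": "no_response", "access_device": {"ip": "203.0.113.7"}}
{"timestamp": 1704110470, "user": {"name": "jdoe"}, "factor": "duo_push", "result": "denied", "reason": "user_mistake", "access_device": {"ip": "203.0.113.7"}}
{"timestamp": 1704110500, "user": {"name": "jdoe"}, "factor": "duo_push", "result": "denied", "reason": "no_response", "access_device": {"ip": "203.0.113.7"}}
{"timestamp": 1704110540, "user": {"name": "jdoe"}, "factor": "duo_push", "result": "success", "reason": "user_approved", "access_device": {"ip": "203.0.113.7"}}
{"timestamp": 1704110600, "user": {"name": "asmith"}, "factor": "duo_push", "result": "success", "reason": "user_approved", "access_device": {"ip": "198.51.100.20"}}
{"timestamp": 1704114000, "user": {"name": "asmith"}, "factor": "duo_push", "result": "success", "reason": "user_approved", "access_device": {"ip": "198.51.100.20"}}
{"timestamp": 1704117600, "user": {"name": "bwong"}, "factor": "duo_push", "result": "fraud", "reason": "user_marked_fraud", "access_device": {"ip": "192.0.2.99"}}
"""

# Illustrative thresholds (assumed, not IU policy): this many pushes to one user
# inside the window, almost all of them unanswered or denied, is push bombing.
PUSH_BOMB_THRESHOLD = 4
PUSH_BOMB_WINDOW = timedelta(minutes=5)


def parse_records(text):
    """Parse newline-delimited JSON records into flat dicts sorted by time."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        r = json.loads(line)
        records.append({
            "ts": datetime.fromtimestamp(r["timestamp"], tz=timezone.utc),
            "user": r["user"]["name"],
            "factor": r.get("factor"),
            "result": r.get("result"),
            "reason": r.get("reason"),
            "ip": r.get("access_device", {}).get("ip"),
        })
    return sorted(records, key=lambda r: r["ts"])


def detect(records):
    """Return (user, alert_type, detail) tuples for suspicious push activity."""
    alerts = []
    pushes_by_user = defaultdict(list)
    for r in records:
        if r["factor"] != "duo_push":
            continue  # passcode and other factors are out of scope here
        if r["reason"] == "user_marked_fraud":
            # The user already pressed Deny/fraud in Duo Mobile: highest-confidence signal.
            alerts.append((r["user"], "user_reported_fraud",
                           f"marked fraudulent from {r['ip']} at {r['ts'].isoformat()}"))
        pushes_by_user[r["user"]].append(r)

    for user, pushes in pushes_by_user.items():
        bomb_alerted = False
        for i, cur in enumerate(pushes):
            # Sliding window over this user's pushes ending at the current one.
            window = [p for p in pushes[:i + 1] if cur["ts"] - p["ts"] <= PUSH_BOMB_WINDOW]
            unanswered = [p for p in window if p["result"] != "success"]
            if (not bomb_alerted and len(window) >= PUSH_BOMB_THRESHOLD
                    and len(unanswered) >= PUSH_BOMB_THRESHOLD - 1):
                bomb_alerted = True
                alerts.append((user, "push_bombing",
                               f"{len(window)} pushes within {PUSH_BOMB_WINDOW} from {cur['ip']}"))
            # An approval that follows a run of unanswered pushes is the "accept to make
            # it stop" outcome; treat it as a likely compromise, not a normal login.
            if cur["result"] == "success" and len(unanswered) >= 2:
                alerts.append((user, "approval_after_bombing",
                               f"approved at {cur['ts'].isoformat()} after "
                               f"{len(unanswered)} unanswered pushes"))
    return alerts


if __name__ == "__main__":
    for user, kind, detail in detect(parse_records(SAMPLE_LOG)):
        print(f"{kind:24} {user:10} {detail}")
```

In practice the records would come from the Duo Admin API authentication-log endpoint rather than an inline string, and an `approval_after_bombing` alert is the one to act on first: it is the point at which the attacker can enrol their own device, so the account's sessions and Duo devices should be reviewed and the passphrase reset.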
The tactics used in these attacks highlight the need to remain vigilant about phishing emails and Duo pushes. To keep user accounts safe, the UISO asks users to be suspicious of any email message that asks for personal information, whether by reply or through a website, and to compare any login screen reached from an email link against the legitimate IU Login page.
There are usually small differences between a malicious login screen and the legitimate IU Login screen, such as the position of the text on the Log In button.
Never approve a Duo authentication request if you did not just enter your credentials into an IU Login or Microsoft 365 login page. If you receive a push notification that is not tied to a login you initiated, report it directly from the Duo Mobile app on your phone by selecting "Deny." Then reset your IU passphrase immediately: Duo only sends a push after a correct passphrase has been entered, so a fraudulent push means your passphrase has likely been compromised.
Report unexpected push notifications to the UISO, including the approximate date and time of the activity and whether you approved or denied the request.
We are grateful for your continued efforts and support to help protect IU.