In the last week, individuals at the University of Illinois were the targets of sophisticated phishing emails. Given the level of sophistication, and consistent with similar known phishing attacks experienced by other Big Ten schools, the Office of Privacy and Information Assurance (OPIA) believes this attack was an effort to gather enough information to access University resources and potentially change personal information, such as payroll direct deposit information. The message claimed to be from "UIUC Human Resources" and directed recipients to a copy of the University of Illinois Enterprise Authentication login page that had an additional field for their PIN.
This message did not rely on individuals replying with sensitive information; instead, it directed them to a site designed to steal that information. Given the growing trend toward these attacks, and the likelihood that this will not be the last time we see one like it, make it a habit to check the address bar of your web browser when you are online. Only enter your University of Illinois username and password on sites whose address begins with illinois.edu or uillinois.edu, and never enter sensitive information on a page whose address does not begin with HTTPS.
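The two address-bar checks above can be written down as a small, testable rule. This is an added example, not part of the original notice or any University tool; the trusted domain list comes from the advisory, and the sample URLs are constructed, not real sites.

```python
from urllib.parse import urlsplit

# Domains the advisory says University of Illinois login pages live under.
TRUSTED_DOMAINS = ("illinois.edu", "uillinois.edu")


def check_login_url(url: str) -> tuple[bool, str]:
    """Apply the advisory's two address-bar checks to a URL.

    Returns (ok, reason). ok is True only when the page is served over HTTPS
    and the host is a trusted domain or a subdomain of one. urlsplit().hostname
    already drops any user@ prefix and :port, so a URL whose visible text starts
    with a trusted name but whose real host is elsewhere is judged by the real host.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme or 'missing'!r}, not https"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host in URL"
    for domain in TRUSTED_DOMAINS:
        # Exact match or a dot boundary: a host that merely ends in the text
        # (e.g. notillinois.edu) is not the same registered domain.
        if host == domain or host.endswith("." + domain):
            return True, f"host {host} is under {domain}"
    return False, f"host {host} is not a University of Illinois domain"


# Constructed sample URLs illustrating the patterns in the advisory; none are real.
SAMPLES = [
    "https://login.uillinois.edu/",                 # legitimate form
    "https://ILLINOIS.EDU/auth",                   # case differences are fine
    "http://login.uillinois.edu/",                 # right host, but not HTTPS
    "https://illinois.edu.login-example.ru/auth",  # trusted name as a subdomain of a .ru host
    "https://illinois.edu@login-example.ru/auth",  # trusted name placed before an @
    "https://notillinois.edu/auth",                # suffix match without a dot boundary
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, reason = check_login_url(sample)
        print(f"{'OK  ' if ok else 'FAIL'} {sample:45} {reason}")
```

Only the first two samples pass; the rest fail for the reason the function reports, which is exactly the check a reader should be making by eye in the address bar.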
What the phishing attack looks like
The text of the message was relatively plain:
The link that says "Click Here" points to a login page. Here is what the legitimate login page should look like:
Here is the fake login page linked from the phishing message. If you look closely, there are signs it is not legitimate.
Signs the login page was fake
- .ru is a Russian domain; this is not a University of Illinois server
- There is no "Your PIN" field on the actual login page
- "Your" is misspelled as "Youd"
- Only the Login button works; all of the others are just images
What we are doing
In response to this attack, OPIA has notified the recipients of this message and is monitoring affected accounts for suspicious changes. In addition to responding directly to this incident, OPIA and CITES are working on changes to better protect the University of Illinois and its members.
What you can do
Know what phishing looks like
Know what to do with a phishing message
If you receive a phishing email claiming to be from the University of Illinois, you can simply delete it, or you can inform CITES by emailing firstname.lastname@example.org.
Please be aware that the University of Illinois will never ask you to reply to an email with your password or to update account information through email.