Phishing email response and support for faculty and staff

October 2, 2020

Dear faculty and staff,

We are writing to call your attention to a phishing message incident earlier this week that created several technical issues for a number of faculty and staff at our institution. On Wednesday, hundreds of UO faculty, staff, and students received a phishing message that mimicked official university communications.

We wanted to follow up with details about who was affected by this, what we're doing to protect you, and how to get help if you experience any issues.

Overview of the Phishing Attack

The UO Information Security Office has identified one student as "patient zero." That student's account was compromised by cybercriminals and then used to send the phishing message to other people within the UO community.

The phishing message closely imitated the university's official "COVID-19 Update" messages. It contained a link to a phony website that mimicked our UO Webmail login screen, trying to trick people into entering UO credentials.

About 10% of recipient accounts have been treated as compromised because we have seen evidence the recipient clicked a malicious link within the message and may have entered their credentials.

  • Number of message recipients: 675
    • Faculty: 69%
    • Non-faculty (mainly staff): 31%
  • Number of accounts considered compromised: 65

The incident is now generally contained due to the quick response of the Information Security Office, other IT staff, and numerous members of the UO community who reported the phishing message.

Our Response

The Information Security Office took several important measures to contain the spread of the phishing message and to limit misuse of compromised accounts.

  • Temporarily disabling compromised accounts. This step is critical to prevent cybercriminals from using a compromised account to steal intellectual property, gain unauthorized access to UO systems and data, or even steal money. It also prevents that account from propagating the phishing message. Using alternative contact methods, Information Services worked yesterday to contact the small handful (~15) of people whose accounts remained disabled at that time.
  • Removing phishing messages from UO email accounts. This reduces the risk of more people clicking on the malicious link. All of these messages have now been removed from UO accounts. Please note that we can't remove messages forwarded to outside accounts.
  • Limiting access to the phony website. UO staff used multiple mechanisms to limit access to the malicious website.

Getting Help

While this week's incident affected a relatively small number of people in the UO community, it is a reminder that we all need to take precautions to protect ourselves against cybercriminals who are trying to do damage to universities and other institutions across the globe. A new Around the O story provides tips for steering clear of phishing. If you have any questions, please send them to phishing@uoregon.edu.

Sincerely,

Patrick Phillips
Provost and Senior Vice President

Jessie Minton
Vice Provost for Information Services and Chief Information Officer