UWRF student accounts compromised during J-term phishing attack
February 12, 2020
A phishing email sent to UW-River Falls students during the month of January linked to a page that closely resembled a UWRF login page. The email was sent to about 2,000 student accounts, and 468 student accounts were compromised.
The email sent by the attackers posed as a message from the financial aid office. It stated that required information was missing and provided a link for students to sign into their accounts. The link then opened a page that closely resembled the UWRF login page.
The differences were hard to spot, Department of Technology Services (DoTS) Chief Information Security Officer Ken Ries said. “It was very well crafted.” Ries believed that the email was sent to students over the long break intentionally because this was the best timing for the attack.
“They were aware of the situation, with students being on break and not being on campus as well as having less tech support available during this time,” Ries said.
The attacker is hard to track down in situations like these, so currently there is no evidence of who was responsible for this particular phishing scam. In addition, UWRF was not the only institution affected by this scam. Joe Kmiech, CIO and executive director of DoTS, said, “This was a very new scam, we were probably one of the first places that was affected.”
Once DoTS was made aware of the situation, they made sure to respond to the attack in a timely manner. The email was sent to students on Jan. 2, and DoTS received the first notification of the attack around 4 p.m.
Because DoTS has limited hours during break, they were not able to start working on the issue until the next day. DoTS immediately changed the passwords for accounts that were compromised and removed the email from every account that received it.
The link within the email led to a fraudulent login page that was almost identical to a regular UWRF login page. The only differences were in the URL: normally it reads uwrf.edu, but this URL read wlsc.eu, which resembles uwrf.edu.
Since the attack, DoTS has given students ways to avoid becoming victims of scammers and phishing attacks. Suggestions included using two-factor authentication (DUO), which is provided to any UWRF student. Another preventative action is to use a different password for every account.
DoTS has added a message to login pages that reads, “Please verify the web browser URL of the website is a U W R F dot E D U address before continuing.” This message is in place to encourage students to double-check the URL before entering any information; doing so can keep them from falling victim to a phishing scam.