Action Needed: Help Us Trace COVID-19 Exposure

The email below has been confirmed as malicious or fraudulent by the Information Security department. If you have received this phishing email, do not open any attachments or follow the link(s) in the message; simply delete the email.

A breach occurred at one of the UT campuses as a direct result of people believing the phish was a legitimate request. In the breach, the attacker obtained the credentials of the targeted employees and even registered the attacker’s phone with Duo. As a result, 3 people had their payroll checks redirected to the attacker’s bank account.

If you see an email similar to the one described below, report it to spam@uthscsa.edu and delete it, or press the Phish button in Outlook to have it automatically reported and deleted.

The screenshot of the original email is posted below, but it is small and hard to read, so I am paraphrasing it here:

I hope this message reaches you in good health. I am writing to discuss a critical health issue impacting our University of Texas community (the exact UT component has been marked out).

It goes on to explain that someone from the staff has a confirmed case of a COVID-19 variant and that they would like to do contact tracing as soon as possible to minimize the effect on the community.

They instruct recipients to click on a link named Team Member Profiles. The link takes the target to a site where the logon credentials are stolen. The instructions ask the target to use a Duo passcode for their second authentication step, which allows the attacker to capture that passcode and log on to Duo to add their own phone to the target’s profile. Once this was completed, they were able to log on to PeopleSoft as the target and approve the Duo authentication with their own phone. They requested a change to the target’s direct deposit and then deleted the email that was sent to the target to notify them of this change.

They use statements like “Although we have a high rate of vaccination, some variants can still be a risk to those who are vaccinated” to show this isn’t an alarmist email. They also include a legitimate email address to make the recipients more comfortable with accessing the link.
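The sequence described above (passcode sign-in, new Duo device, direct deposit change, deleted notification) can be correlated in logs. The following is an added detection example, not part of the original advisory; the event schema, field names, time windows and sample records are constructed assumptions and do not reflect the actual Duo, PeopleSoft or mailbox audit log formats.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema. Real Duo,
# PeopleSoft and mailbox audit logs use their own formats and field names.
SAMPLE_EVENTS = [
    {"ts": "2024-01-08T09:02:00", "user": "asmith", "type": "mfa_passcode_auth"},
    {"ts": "2024-01-08T09:05:00", "user": "asmith", "type": "mfa_device_enrolled",
     "device": "phone-B"},
    {"ts": "2024-01-08T09:20:00", "user": "asmith", "type": "direct_deposit_changed"},
    {"ts": "2024-01-08T09:21:00", "user": "asmith", "type": "mail_deleted",
     "subject": "Direct deposit change notification"},
    # Deposit change with no recent device enrollment: not flagged.
    {"ts": "2024-01-08T10:00:00", "user": "bjones", "type": "direct_deposit_changed"},
    # Enrollment a week before the change: outside the default window.
    {"ts": "2024-01-02T08:00:00", "user": "clee", "type": "mfa_device_enrolled",
     "device": "phone-C"},
    {"ts": "2024-01-09T08:00:00", "user": "clee", "type": "direct_deposit_changed"},
]

def _within(earlier, later, limit):
    """True when `later` follows `earlier` by no more than `limit`."""
    return timedelta(0) <= later - earlier <= limit

def find_payroll_takeovers(events, window=timedelta(hours=24)):
    """Flag direct deposit changes made soon after a new MFA device was enrolled."""
    by_user = {}
    for ev in events:
        parsed = dict(ev, ts=datetime.fromisoformat(ev["ts"]))
        by_user.setdefault(ev["user"], []).append(parsed)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        enrolls = [e for e in evs if e["type"] == "mfa_device_enrolled"]
        for change in [e for e in evs if e["type"] == "direct_deposit_changed"]:
            recent = [e for e in enrolls if _within(e["ts"], change["ts"], window)]
            if not recent:
                continue
            enroll = recent[-1]
            # A passcode sign-in shortly before enrollment matches the phish's instructions.
            passcode = any(e["type"] == "mfa_passcode_auth"
                           and _within(e["ts"], enroll["ts"], timedelta(hours=1)) for e in evs)
            # Deleting the change notification hides the change from the victim.
            hidden = any(e["type"] == "mail_deleted"
                         and "direct deposit" in e.get("subject", "").lower()
                         and _within(change["ts"], e["ts"], window) for e in evs)
            findings.append({"user": user, "device": enroll.get("device"),
                             "passcode_login": passcode, "notification_deleted": hidden,
                             "severity": "high" if hidden else "medium"})
    return findings
```
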

 

Screenshot of phish email
