The Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) has issued a public advisory about recent university payroll theft schemes. The purpose of the advisory is to provide relevant and actionable information for prevention and defense.
Universities and colleges have been targeted by spearphishing campaigns designed to steal user credentials. For roughly the past year, many of these campaigns have used harvested credentials to alter victims' direct deposit information. Targeted individuals include both faculty and administrators from various departments. Several of the attacks appear to have specifically targeted individuals in university medical and dental programs. These e-mails often use subjects related to salary increases to lure victims into clicking on malicious links.
Subject lines have included:
- Your Salary Review Documents
- Important Salary Notification
- Your Salary Raise Confirmation
- Connection from unexpected IP
- RE: Mailbox has exceeded its storage limit
What Happens If You Click on the Link
The malicious links contained in these e-mails direct victims to webpages controlled by the attackers that look nearly identical to their university's legitimate login portals. Once the attackers harvest the user's credentials, the credentials are commonly used to access the victim's payroll information and re-route direct deposits to a bank account controlled by the attacker. In at least one case, insurance policy information was also changed. The number of personnel targeted in these attacks also varies, but reports indicate targets range anywhere from 15 to several hundred. Attacks have been documented at the University of Western Michigan, Boston University, Texas A&M, the University of Iowa, and the University of Michigan.
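One way a mail-security team could turn the indicators above into a triage check, as an added example written for this page rather than code from REN-ISAC or the advisory: flag messages that pair one of the listed subject lures with a link whose host is outside the institution's own domain, and separately call out hosts that merely imitate it. The domain `example.edu`, the helper names and the sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Subject-line lures reported in the advisory, as case-insensitive patterns.
LURE_PATTERNS = [
    re.compile(r"salary (review|notification|raise)", re.I),
    re.compile(r"connection from unexpected ip", re.I),
    re.compile(r"mailbox has exceeded its storage limit", re.I),
]

# Hypothetical institution domain; a real deployment substitutes its own.
TRUSTED_DOMAINS = {"example.edu"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def host_of(url):
    """Return the lowercase hostname of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def is_trusted(host):
    """True only if the host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def is_lookalike(host):
    """Untrusted host that reuses a trusted domain's first label, e.g. 'example-edu-login.com'."""
    labels = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    return not is_trusted(host) and any(label in host for label in labels)


def score_message(subject, body):
    """Lure subject plus an off-campus link is the pattern described in the advisory."""
    lure = any(p.search(subject) for p in LURE_PATTERNS)
    hosts = [host_of(u) for u in URL_RE.findall(body)]
    external = [h for h in hosts if h and not is_trusted(h)]
    return {
        "lure_subject": lure,
        "external_links": external,
        "lookalike_links": [h for h in external if is_lookalike(h)],
        "flag": lure and bool(external),
    }


# Constructed sample messages for demonstration, not samples from the advisory.
SAMPLES = {
    "phish": ("Your Salary Review Documents",
              "Review your raise at https://portal.example-edu-login.com/sso before Friday."),
    "legit": ("Your Salary Review Documents",
              "HR has posted the documents at https://hr.example.edu/payroll/review"),
    "other": ("Lunch on Thursday?", "No links here."),
}

if __name__ == "__main__":
    for name, (subject, body) in SAMPLES.items():
        print(name, score_message(subject, body))
```

A legitimate payroll notice with the same subject but a link under the institution's own domain is not flagged, which is the distinction the advisory asks recipients to make.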
How to Avoid Being a Target
To avoid being a target, do not click on URLs in e-mails from unknown persons. Contact the Center for Information Technology Services or your IT support staff if you receive a suspicious e-mail. Check with your payroll administrator if an e-mail specifically requests that you provide personal information about your pay.