Two-Step Authentication Attacks and COVID-19 Phishing Campaigns
As the university continues to address the rapidly evolving novel coronavirus (COVID-19) situation, the Information Security Office is alerting the Stanford community to two-step authentication attacks and phishing campaigns that exploit COVID-19 concerns.
We have begun seeing COVID-19 phishing campaigns, including one on March 9 purportedly from “Stanford Health Alerts” with the subject “Urgent: Corona Virus”, which alone led to more than 150 compromised Stanford accounts. The Information Security Office disabled the accounts, blocked the linked website, posted the message at phishbowl.stanford.edu, and is working to close off avenues for similar mailings in the future.
We urge you to be vigilant and forward any suspected phishing messages to firstname.lastname@example.org.
When in doubt about a COVID-19 message from the university, you can confirm official communications by browsing to the main Stanford website and following the "Latest information about COVID-19" link at the top, or by doing a web search for “Stanford Health Alerts” or “Stanford Teach Anywhere”. More generally, if you are ever unsure about an email’s validity, do not click on any links or open any attachments. Instead, use a web search engine or begin with a familiar website to find the referenced information.
We are also beginning to see attacks on the university’s Two-Step Authentication system, in which hackers use compromised passwords to trigger two-step prompts in the hope that the valid account owner will mistakenly approve one. Once they have access to Stanford’s systems, they can access sensitive information and send large volumes of phishing messages that, in turn, disrupt email communications and lead to even more compromised accounts.
If you receive an unexpected two-step request, press “Deny” to reject it. Because this may mean your SUNet password has been compromised, you should then change your password via accounts.stanford.edu.
University IT focuses on protecting the Stanford community by building awareness, employing two-factor authentication, offering passwordless logins with Cardinal Key, filtering incoming email, blocking fake login pages, and locking accounts that appear to be compromised. Email security is our greatest challenge and our top priority, and we will continue developing new ways to protect the university as cyber threats evolve.
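The two-step attack described above leaves a recognizable trace in authentication logs: several denied or unanswered prompts for one account in a short span, sometimes followed by an approval. The sketch below is an added example, not part of the original notice and not Stanford's tooling; the log layout, event names, 10-minute window and threshold of two are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Layout (timestamp user source_ip event) is assumed,
# not taken from any real two-step product.
SAMPLE_LOG = """\
2020-03-10T08:01:05 alice 203.0.113.7 push_denied
2020-03-10T08:01:40 alice 203.0.113.7 push_timeout
2020-03-10T08:02:10 alice 203.0.113.7 push_approved
2020-03-10T09:15:00 bob 198.51.100.4 push_approved
2020-03-10T10:00:00 carol 192.0.2.9 push_denied
2020-03-10T10:00:30 carol 192.0.2.9 push_denied
2020-03-10T14:30:00 dave 192.0.2.50 push_timeout
2020-03-10T14:31:00 dave 192.0.2.50 push_approved
"""

REJECTED = {"push_denied", "push_timeout"}  # hypothetical event names

def parse(log):
    """Yield (time, user, source_ip, event) for each non-empty line."""
    for line in log.splitlines():
        if line.strip():
            ts, user, ip, event = line.split()
            yield datetime.fromisoformat(ts), user, ip, event

def find_suspicious(log, window=timedelta(minutes=10), threshold=2):
    """Return {user: (verdict, source_ip)} for accounts with repeated rejected prompts."""
    rejected = defaultdict(list)  # user -> times of rejected prompts still in window
    verdicts = {}
    for ts, user, ip, event in sorted(parse(log)):
        recent = [t for t in rejected[user] if ts - t <= window]
        if event in REJECTED:
            recent.append(ts)
            if len(recent) >= threshold:
                # Password is probably known to someone else: force a change.
                verdicts.setdefault(user, ("repeated_rejections", ip))
        elif event == "push_approved" and len(recent) >= threshold:
            # Approval right after a run of rejections: likely a mistaken approval.
            verdicts[user] = ("approved_after_rejections", ip)
        rejected[user] = recent
    return verdicts

if __name__ == "__main__":
    for user, (verdict, ip) in find_suspicious(SAMPLE_LOG).items():
        print(user, verdict, ip)
```

A single missed prompt followed by an approval (dave in the sample) stays below the threshold, which keeps ordinary "phone was in my pocket" logins out of the results.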