Texas State’s Information Security Office (ISO) notified students of a novel phishing scam that extended a fake job offer to students. At least one student’s account was compromised and then used as the source address for sending similar messages to other Texas State victims.
According to Texas State’s ISO, the first Texas State student to be affected was sent a screenshot of the email offering a job from a friend at another university. The friend did not know the email was malicious.
The student applied for the job using a personal email address and sent a resume, which contained the student’s personal phone number and Texas State email address. With that personal information in hand, the attackers contacted the student directly and convinced them to send the Duo authentication code for their student account over text message, giving the attackers full access to every part of the account.
According to Texas State’s ISO, the attack “has elements of money mule scams, fake login pages, and Duo bypass attempts,” making it one of the most advanced phishing attempts the university has seen so far.
Texas State’s ISO says students should approach anything that asks them to hand over personal information with a critical eye, even when the request appears to come from a trusted source.
Other potential victims recognized the scam attempt and did not give the attackers their Duo codes, which kept the attackers out of their accounts and stopped the scam from spreading further.
Texas State suggests the following steps to defend oneself from potential phishing attacks:
- Do not give implicit trust to anything that asks you to provide identifying information.
- Make sure job postings are from a legitimate source.
- Never give out your NetID and password, and consider using LastPass.
- Never give out Duo authentication codes, and consider downloading the Duo Mobile app.
- If there is a suspicious email in your inbox, forward it as an attachment to [email protected]
- Remember: If it’s too good to be true, it probably is.
For more information on large-scale phishing campaigns affecting the Texas State community and how the university community can protect itself, visit the Information Security Office’s Phishbowl.
Correction: An earlier version of this story misidentified the Information Security Office as the “Internet Security Office.” It has since been corrected; we deeply apologize for this error.