You are now in the main content area

How attackers hijack accounts with phishing

October 05, 2017
A closeup of hands holding a smart phone and typing.
The best defence against password phishing and other attacks against your account is to use two-factor authentication.

This is the second article in a three-month series on how attackers hijack TMU accounts. Check out the first article on how attackers hijack accounts using password guessing.

By: Brian Lesser, Chief Information Officer

One of the most effective ways to hijack both personal and TMU accounts is to trick you into giving away your password.

Threatening emails that require immediate action

A simple approach that occasionally still works is to send you a threatening email that requires immediate action. Here’s a sample:

From: university service < uniserviceupdates@gmail.com >

Date: Mon, Jan 2, 2017 at 8:16 AM

Subject: Validate your account

To:

Hello

This e-mail is to notify the students/staff of Toronto Metropolitan University that we are validating emails. To confirm that your account is still in use, send the following information to keep your account active:

(1) Username:

(2) Password:

Failure to do this will lead to a closure of this account.

Thank you,

TMU Mail Administrators.

If we take a closer look, this is obviously fake. The “From” field indicates the sender is uniserviceupdates@gmail.com which isn’t a torontomu.ca email address. So why reply with your TMU password?

No one should ever ask for your password and you should never provide it to anyone - not even if they just need to use TMU’s wifi.

There are always alternatives to providing your password. Visitors from other universities can often connect to TMU’s Eduroam service if they need wifi. The university can also provide guest accounts. If you need to delegate access to your email (external link)  you can do that too.

Entering your information on a fake login page

A more clever way to get you to give up your password is through a fake TMU login page. First, the attacker creates a fake login page on their own server that looks like a TMU login page.

Fake TMU login page

While it may look almost exactly like a TMU page, if you look at the location bar you’ll see this page is not hosted by TMU. It’s hosted on the attacker’s server and is designed to store usernames and passwords that people enter into the form.

Web address bar with fake URL.

After the fake login page is created, attackers will then send fake emails asking you to click on a link that takes you there. The fake emails may claim there is something wrong with your TMU account or that you should click on a link to a confidential document. Here’s a sample of an email sent to TMU accounts leading users to a fake login page.

From: Martin Chénier, Dr. <martin.chenier@mcgill.ca>

To: "blesser@torontomu.ca" <blesser@torontomu.ca>

Date: Thu, Dec 22, 2016 at 12:18 PM

Subject: Campus Security Notification!!

Hello,

There has been a security concern on Campus , we encourage everyone to read and follow protocol.

This message is sent via secured HTML ClickHere

Thanks,

Martin Chénier, Dr.

Campus Security Police.

© 2016 Toronto Metropolitan University

There are some things obviously wrong with this email. It claims to be from someone at TMU but is from a mcgill.ca account. That said, some phishing emails aren’t so obvious.

Spotting fake emails

A good practice to adopt whenever you get an email like this is to check the link first instead of clicking on it. On desktop, hover over the link to preview where it's taking you. On mobile, hold the link to do the same. If the email claims to be about your TMU account, but the link doesn’t take you to a .torontomu.ca server, then it’s a scam. If the email says there is a confidential document available on Google Drive, but doesn’t point to a .google.com address, it’s a scam.

Protecting your TMU account

The best defence against password phishing and other attacks against your account is to use two-factor authentication. Here are some links to help you better protect your personal and TMU accounts:

In the next article in this series I’ll describe more ways that attackers try to hijack your account.

This article was originally published in the Ryerson Works employee newsletter on October 15, 2017. It has been updated to reflect the new university name.