Targeted Phishing Campaign

Overview
With the help of the Harvard Community, HUIT Security has identified a phishing campaign targeting Harvard credentials. We are actively investigating the attacks, and have taken steps to protect University accounts. As with any targeted phishing campaign, your assistance helps us react quickly to changes in the attacker’s methods.

What is Phishing?
Phishing is the act of tricking a computer user into opening a file or giving up personal information to an attacker, generally through a forged email.

How to Spot This Attack
The initial wave of emails was crafted to appear as though it was sent from library@harvard.edu. The messages are grammatically correct and carry believable Harvard email signatures. The email informs you that your “library account” has expired and asks you to click a link to renew it. The link takes you to a site that is identical to the Harvard PIN page. If you submit your credentials, the site redirects you back to the legitimate Harvard PIN page.

The user will think they have mistyped a credential, as pictured below.

But this is what has actually happened.
Purpose of the Attack
Stolen credentials are being used in an attempt to connect to University networks, as well as access library resources.

What we are Doing
HUIT Security has worked with other teams at HUIT to restrict access to the sites hosting the forged pages. We are working to identify potentially compromised accounts.

What you can do

  1. Click Wisely. We have seen some slight variations in this phishing campaign, but expect any messages sent to appear legitimate and contain some level of Harvard branding or language. As always, only click on links you trust. Use caution on mobile networks and personal devices, as University network security only protects University networks. If there is any doubt, avoid the link and navigate to the site in question manually using your web browser.
  2. Notify the Helpdesk (ithelp@harvard.edu) if you receive a suspicious email that meets any of the following criteria:
    1. Contains Harvard branding or language
    2. Related to Library accounts or resources
    3. Directs you to a non-Harvard site to provide your PIN or other credential.
  3. Contact the Helpdesk immediately if you believe you have lost your credentials in a phishing attack.
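As an added illustration (not part of the HUIT notice or its tooling), the following Python applies the three reporting criteria above to a message and returns which ones match; the domain check, word lists and the two sample messages are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Assumed values for this example, not HUIT's own configuration.
UNIVERSITY_DOMAIN = "harvard.edu"
URL_RE = re.compile(r"https?://[^\s<>\"']+")
CREDENTIAL_WORDS = ("pin", "password", "credential", "log in", "login", "sign in")


def is_university_host(host):
    """True only for harvard.edu itself or a real subdomain of it.
    A plain substring test would also accept lookalikes such as
    harvard.edu.renew-portal.example, so compare on the label boundary."""
    host = host.lower().rstrip(".")
    return host == UNIVERSITY_DOMAIN or host.endswith("." + UNIVERSITY_DOMAIN)


def external_links(text):
    """Return the host of every link in the text that is NOT a University host."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if not is_university_host(host):
            hosts.append(host)
    return hosts


def triage(sender, subject, body):
    """Apply the three Helpdesk report criteria; any match is worth reporting."""
    text = (subject + " " + body).lower()
    reasons = []
    if "harvard" in text or sender.lower().endswith("@" + UNIVERSITY_DOMAIN):
        reasons.append("contains Harvard branding or language")
    if "library" in text:
        reasons.append("relates to library accounts or resources")
    offsite = external_links(body)
    if offsite and any(w in text for w in CREDENTIAL_WORDS):
        reasons.append("asks for a PIN/credential at non-Harvard site(s): " + ", ".join(offsite))
    return reasons


# Constructed sample messages modelled on the campaign described above.
PHISH = ("library@harvard.edu", "Your library account has expired",
         "Your Harvard library account has expired. Renew now at "
         "https://harvard.edu.renew-portal.example/pin and log in with your PIN.")
LEGIT = ("library@harvard.edu", "Library hours",
         "See https://library.harvard.edu/hours for holiday hours.")

if __name__ == "__main__":
    for msg in (PHISH, LEGIT):
        print(msg[1], "->", triage(*msg) or ["no criteria matched"])
```

Criteria 1 and 2 also match plenty of legitimate University mail, so the third (a credential request that leads off University hosts) is the signal that most clearly separates the forged message from the genuine one.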

Special Thanks
Our timely response to this targeted attack was possible thanks to the vigilance of the community. The multiple reports of suspicious emails allowed us to identify the larger campaign early and take steps to prevent or mitigate the damage.

See also: Security Alerts