Uh oh!
You've clicked a link (and maybe even entered your password) in response to a fraudulent (though very legitimate-looking) email. Fortunately, this was only a test!
You—yes, you!—are a high-value target
As an ITS staff member and a technical employee, you have knowledge and access to systems that attackers covet. Highly skilled nation-state hacking groups frequently target UT Austin for our valuable research and reputation. Those with the power to access accounts, run services, monitor networks, and manage technical information—in short, ITS staff members—are prime targets for these attackers.
For tips on maintaining security as an IT professional, please take a look at our helpful video.
How could I have spotted the scam?
Nation-state actors conduct extensive organizational research before launching their attacks, collecting information about their targets, their relationships, and current topics of conversation. They also work hard to craft legitimate-looking messages like the one you saw—these aren't your standard, low-grade phish. This attack simulated a nation-state attack on your credentials.
In this case, short of doing background research on Rebecca Bloomsfeld to discover that she is fictional, the only way to be sure that this email was a phish was to look at the embedded hyperlink, which points to a non-UT domain: utexas.tech-institute.org. If you clicked on the link and entered your credentials, you should've noticed that the UT Login site was also a fraud—it, too, had a non-UT address and didn't use an encrypted HTTPS connection.
How realistic is this attack?
Sadly, an attack like this is quite realistic. Attackers routinely compromise the accounts of UT staff. Compromised email accounts are often used to blast phish and spam to other UT staff. Targets' names and addresses are publicly available on the UT Directory and can be found elsewhere across public University documentation. Fraudulent websites are a snap to set up, and cloning the UT Login page can be done in seconds.
What's the worst that could happen?
Merely by clicking on a fraudulent link, you can expose your computer to malware—including programs that could monitor your keystrokes, steal your passwords, and even encrypt your entire hard drive. This is particularly a risk if you don't keep your operating system and web browsers updated to the latest available versions.
By giving your UT EID and password to a non-UT website, you can expose heaps of personal and University information to hackers—and make it easier for them to impersonate you as they move on to attacking other UT faculty or staff.
What should I do now?
Take a deep breath—since this was a test:
- your computer was not compromised,
- we did not collect your password, and
- we will not report your actions to management.
In the future, if you suspect you've received a phishing email, forward it to postmaster@utexas.edu and notify your local IT staff. Never click on any links contained in the message, or reply to the sender. If you suspect you're a victim of a phish and provided your credentials to a fraudulent site, immediately notify the Information Security Office at security@utexas.edu or by calling ext. 5-9242.
Now, let’s learn how you can detect phishing attacks like these so you don’t get caught by a real attack in the future.
The only readily apparent hint that this email was illegitimate is the embedded hyperlink—if you hover over it in your mail client (or long-press on it on your mobile device), you'll see that it points to utexas.tech-institute.org—not a site affiliated with The University of Texas. Never click on a link in an email or message without first checking where it actually points.

If you clicked the link in the phish-y email, you were directed to a site that looks almost exactly like our UT Login authentication prompt. However, if you inspected (1) the URL, you'd see both that it was unaffiliated with UT Austin and that it was not using an encrypted HTTPS connection, as evidenced by your browser not showing a green padlock icon. Additionally, most modern browsers will warn you (2) when you attempt to enter a username or password on such unencrypted sites. These warning signs should lead you to conclude that the site is untrustworthy.

When you're inspecting a link, or on a website, how do you know whether it's legitimate?
Links have lots of information in them. They can be daunting. We'll break it down so you can focus on the most important part. Take this link, used in a real phishing attack.

That's a lot of information, and some of it looks legitimate. But once you understand the structure of links, it becomes easy to see why this is a malicious link.

Websites are hosted on computers, much like the ones in your office. The Host part of a link tells you the name of the computer.
And just as your computer has files and folders on it, websites have them too. The Directory part of a link is just like a folder path on your computer. The very last piece of a link is the File name. It tells you the file you’re looking at, just like a Word document or spreadsheet on your computer.
So now we know what all this information means. What’s really important?

No matter how long and confusing a link is, the Host is all you need to focus on. Attackers can manipulate the Directory and File name to look like legitimate content, but they can never change their Host to perfectly match a legitimate one. Let’s look at a legitimate Host now.

Now that we know the Host is what's really important, let's focus even more. Find the first single "/" in the link.

Look at the two words to the left of it, separated by a "." Those two words can never be manipulated; they always tell you a website’s true identity.
In the image below, those two words are "utexas" and "edu".


Compare the two images above. In the first, utexas.edu is the true source of the link, while in the second it is org.ru. Look at the rest of the org.ru link. You can see its File name is trying to impersonate the Host of the first link!
Take a look at your web browser to find the address of the site you’re on, right now. What is its true source?
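The Host check described above can also be run mechanically, for example when triaging a reported message. The sketch below is an added example, not part of the original page or any UT tooling: it parses each link the way a browser does, takes the last two words of the Host, and lists every reason to distrust the link. The names TRUSTED, lastTwoLabels and inspectLink are assumptions, as are the sample links marked "constructed"; the two-word rule is this page's rule of thumb, and registries with two-part endings such as co.uk need the Public Suffix List instead.

```javascript
// Added example: the page's "find the Host, read its last two words" check.
// TRUSTED and every link marked "constructed" are assumptions for illustration.
const TRUSTED = "utexas.edu";

function lastTwoLabels(hostname) {
  // Drop a trailing root dot, then keep the two right-most labels.
  const labels = hostname.replace(/\.$/, "").split(".");
  return labels.slice(-2).join(".");
}

function inspectLink(href) {
  let url;
  try {
    url = new URL(href); // same parsing rules a browser applies
  } catch {
    return { href, verdict: "reject", reasons: ["not a parseable absolute URL"] };
  }
  const host = url.hostname; // lower-cased; port, Directory and File name removed
  const reasons = [];
  const isIp = /^\d+\.\d+\.\d+\.\d+$/.test(host) || host.startsWith("[");
  const source = isIp ? host : lastTwoLabels(host);
  if (isIp) reasons.push("host is a bare IP address, not a name");
  if (source !== TRUSTED) reasons.push(`true source is ${source}, not ${TRUSTED}`);
  if (url.protocol !== "https:") reasons.push("connection is not HTTPS");
  // Directory and File name can say anything; flag when they borrow the trusted name.
  if (source !== TRUSTED && url.pathname.toLowerCase().includes(TRUSTED)) {
    reasons.push("path imitates the trusted name");
  }
  return { href, host, source, verdict: reasons.length ? "reject" : "ok", reasons };
}

const samples = [
  "https://www.utexas.edu/directory/index.html",        // constructed, legitimate shape
  "http://utexas.tech-institute.org/login",             // Host from this page; path constructed
  "http://files.phish.example/secure/utexas.edu.html",  // constructed
  "https://UTEXAS.EDU.phish.example:8443/",             // constructed
];
for (const s of samples) {
  const r = inspectLink(s);
  console.log(r.verdict.padEnd(6), r.source, "<-", s, "|", r.reasons.join("; "));
}
```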