Protecting Against Website Copy Attacks
Good Morning,
Early last week Fairfield University experienced a Single-Sign-On (SSO) website copy attack. Fortunately, our email security solution alerted us and began automatically mitigating the event. No systems were accessed maliciously as a result of this event. The takeaway from this phishing campaign against the University, however, is that we all need to be fully aware of these kinds of attacks and how to prevent them.
The image below is an example of how our SSO site was copied and used in an attempt to harvest our credentials. A user who clicked the View Complete Details link was taken to what appeared to be our SSO site. It was not our site, as the URL shows; it was only a copy of our SSO page. Our URL is https://ffunam.fairfield.edu.
Malicious Email:
Copy of the University SSO page:
Note that the fake (copy) page points to operaengineering.business, which is NOT the correct domain name.
By entering credentials into the Username and Password fields above, and then inadvertently approving the MFA prompt initiated by the attacker, a user would give the bad actor (“attacker”) access to our network. It is critical that we Stop, Think, and Connect before proceeding to any site that is unknown to us. Click here to learn more about the STOP. THINK. CONNECT. mission goals and objectives to stay secure.
You can help us reduce our cyber risk by being the layer of protection that decides whether a bad actor is let into our network or kept out.
Below is the actual University SSO page:
Note that this image shows the correct domain name, ffunam.fairfield.edu.
Thank you for your extra vigilance!
For more information, contact HENRY FOSS / 2032544058 / hfoss@fairfield.edu
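The domain check described in this notice can also be done mechanically, for example in a mail filter or link-checking tool, by comparing the parsed host of a link against the SSO host exactly. The JavaScript below is an added example, not part of the University's notice or tooling; the function name checkSsoLink and the login.example links are constructed for illustration, and only ffunam.fairfield.edu and operaengineering.business come from the notice.

```javascript
// Added example: exact-host check for links that claim to be the SSO page.
const SSO_HOST = "ffunam.fairfield.edu"; // SSO host stated in the notice

// Returns { ok, host, reason } for one link taken from a message.
function checkSsoLink(link) {
  let url;
  try {
    url = new URL(link); // same parsing rules a browser applies
  } catch {
    return { ok: false, host: null, reason: "not a parseable absolute URL" };
  }
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  if (url.protocol !== "https:") {
    return { ok: false, host, reason: "not https" };
  }
  if (url.username || url.password) {
    // Anything before '@' is login data, not the site being visited.
    return { ok: false, host, reason: "text before '@' is not the host" };
  }
  if (host !== SSO_HOST) {
    const reason = link.includes(SSO_HOST)
      ? "real name appears in the link, but the host is different"
      : "host is not the SSO host";
    return { ok: false, host, reason };
  }
  return { ok: true, host, reason: "exact host match" };
}

// Constructed sample links (login.example is a reserved test domain).
const SAMPLES = [
  "https://ffunam.fairfield.edu/",
  "https://operaengineering.business/",
  "https://ffunam.fairfield.edu.login.example/",
  "https://ffunam.fairfield.edu@login.example/",
  "https://login.example/ffunam.fairfield.edu/",
  "http://ffunam.fairfield.edu/",
];

function report() {
  return SAMPLES.map((link) => ({ link, ...checkSsoLink(link) }));
}

for (const r of report()) {
  console.log(r.ok ? "OK   " : "BLOCK", r.link, "->", r.host, `(${r.reason})`);
}
```

Only the first sample passes; the others show why seeing the correct name somewhere in a link is not the same as the link's host being ffunam.fairfield.edu.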