In July, a wave of phishing emails targeting Virginia Tech employees attempted to — and nearly succeeded in — diverting direct deposits, including pay, away from their legitimate destination.

Here’s what happened:

  • Employees received phishing emails urging them to log into a well-disguised fake login screen. If a user responded, the hackers had that employee's username and password.
  • The hackers then attempted to log into the user’s Virginia Tech email, prompting a Duo authentication request. If the user initially denied this request, the hackers kept trying until the user approved one, a tactic known as "2-factor fatigue."
  • Once the hackers had the user’s credentials, they accessed the user’s email and created an email filter to delete messages related to direct deposit change notifications, which are key messages that protect users’ personal assets.
  • Next, the hackers logged into the university's employee portal, which prompted another round of fraudulent Duo requests. Once the user approved one of these requests, the hackers were in and able to change direct deposit information.
  • The user remained unaware, because the email verification that Virginia Tech sends when a direct deposit change is made was deleted by the newly defined email filters.

Fortunately, newly deployed cybersecurity protections within the Division of Information Technology detected the unusual login activity as well as other threat actions and put a stop to the hack. In the end, no employees lost money from this particular attack and no banking information was compromised.

Cybersecurity is a group effort

This scam is one example of an increasing number of sophisticated cyberattacks that have been affecting the university. These recent scams reflect a tough truth: Hackers are getting better at what they do, and they are studying our business processes to find vulnerabilities. It is clear that what worked to protect users from getting phished just a few years ago is no longer sufficient.

Each member of the university community has a role to play in staying safe online. It is a shared responsibility. User awareness and vigilance are critical to Virginia Tech's security stance because the best tools and safeguards will still fail if users give away their login credentials.

“The attack on our direct deposit process could have led to immediate financial loss to individual employees, students, and the university,” said Sharon P. Pitt, vice president for information technology and chief information officer. “We are working directly with our colleagues in the Division of Finance to identify and stop these kinds of attacks, and we must continue to find ways to shore up cyber defenses, to include a more informed and security-aware community.”

Enhanced 2-factor authentication

Consider logging in with 2-factor authentication as entering the headquarters of a secret society of which you are privileged to be a member. Your username and password are the "secret knock" at the door, specific only to you. That’s the first factor.

The second factor is when the butler peers through the peephole and makes sure it’s really you, not just someone who learned that special knock. In our technology-mediated world, we gain that assurance by using a device that only you should have access to, such as your smartphone or a digital token. A hacker won’t be able to complete the second step without that personal device in hand — or your mistakenly granted approval.

Each of the portals we log into each day exists to safeguard a portion of our personal or professional information: financial resources, health information, research data, grades and course access, and all other forms of privileged communication. Without this protection, there are dozens of ways that each of us, and the university as a whole, could be harmed. Money could be siphoned away; private information on health, life circumstances, or grades could be exposed; core services like Canvas or Zoom could be diverted or disrupted; and research data could be corrupted, erased, or stolen.

Virginia Tech already defends against thousands upon thousands of these attacks each year, most of which you never hear about. The current login protections have been effective, but constant innovation and vigilance are needed to keep up with evolving tactics.

“When we first implemented 2-factor authentication in 2016, we saw a significant reduction in compromised accounts, but attacks have evolved, and the number of compromised accounts is once again increasing,” said Kevin Rooney, interim executive director for the Division of Information Technology's Secure Identity Services unit.

The division is working to introduce a more robust level of 2-factor authentication at Virginia Tech, known as enhanced 2FA. This form of authentication verifies that the person requesting access is indeed the person who should be in control of that account by using an item such as a smartphone or digital token to prove their identity.

Fighting 2-factor fatigue

2-factor authentication works really well — as long as users only approve requests they’ve actually triggered. Criminals have developed a way to get around this protection, however, through a technique known as inciting 2-factor fatigue.

Basically, the hackers obtain the username and password via a fake login screen or form during a phishing attempt and then work to annoy or confuse the user into approving a second 2-factor authentication request. They will initiate the login process repeatedly, knowing that many users will eventually accept the fraudulent authentication request just to make the notifications stop. In other cases, users might inadvertently accept a fraudulent request that happens to come through at the same time they are trying to log in for real.

Enhanced 2-factor authentication addresses these pitfalls by requiring an additional verification. Instead of just tapping “yes” on a Duo request, users must enter a unique, time-sensitive number, which is generated at login, into the Duo mobile app. This way, users must be intentional about what service they are logging into. If they get a request they didn’t initiate, they won’t know what number to enter and will understand that someone else is trying to access their account.
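As an added illustration (not code from Virginia Tech or Duo), this Python simulation contrasts a plain approve/deny push with number matching as the article describes it: the login page shows a number only to whoever submitted the password, and the app rejects an approval that lacks that number. The two-digit code, the session model, and the names are assumptions.

```python
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 2  # assumption: the number shown at login is two digits


@dataclass
class LoginSession:
    session_id: str
    username: str
    code: str          # displayed on the login page that started this session
    created: float
    status: str = "pending"


def _now(now):
    return time.time() if now is None else now


class PushAuthenticator:
    """Server side of push 2FA. mode='plain' is tap-to-approve only;
    mode='verified' also requires the number shown at login (number matching)."""

    def __init__(self, mode: str, ttl: float = 60.0, randbelow=secrets.randbelow):
        self.mode, self.ttl, self.randbelow = mode, ttl, randbelow
        self.sessions = {}

    def start_login(self, username: str, now=None) -> LoginSession:
        # Whoever submitted the password (user or attacker) sees this session's code.
        code = f"{self.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        s = LoginSession(secrets.token_hex(4), username, code, _now(now))
        self.sessions[s.session_id] = s
        return s

    def approve(self, session_id: str, entered_code=None, now=None) -> bool:
        s = self.sessions[session_id]
        if _now(now) - s.created > self.ttl:
            s.status = "expired"
            return False
        if self.mode == "verified" and entered_code != s.code:
            s.status = "denied"   # missing or wrong number: the push is rejected
            return False
        s.status = "approved"
        return True


def fatigue_attack(mode: str, pushes: int = 5) -> bool:
    """Attacker holds the password and sends repeated pushes; the worn-down user
    taps approve on the last one. The user never saw the attacker's login page,
    so they have no number to enter. Returns True if the attacker gets in."""
    auth = PushAuthenticator(mode)
    attacker_sessions = [auth.start_login("alice") for _ in range(pushes)]
    return auth.approve(attacker_sessions[-1].session_id, entered_code=None)
```

The same `approve` check also covers the concurrent-login case from the text: a user who types the number from their own screen into an attacker's push is refused, because each session carries its own code.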

Rooney’s team, in collaboration with the IT Security Office and Collaborative Computing Solutions, is leading the effort to implement enhanced 2-factor authentication at the university.

“Hackers know that it’s really easy for us to push a button when we’re in a hurry or sometimes even by accident. Enhanced 2FA makes it much more difficult for users to accidentally approve a login they didn’t initiate, while only adding an extra second or two to the login process,” said Rooney.

Eliminating less-secure second factor options

While receiving a code via text or authenticating via a phone call has been a popular second factor option in the past, these methods are now known to be much less secure. Calls and texts have become easier to intercept or spoof.

Enhanced 2-factor authentication removes these second factor options. Users must authenticate using the Duo mobile app, a software token, or an external device such as a YubiKey or Duo D-100 token, which is available through the Software Service Center.

“You may have heard of ‘SIM swapping’ and other techniques that hackers can use to spoof your cellphone number. The fact is that text messages and phone calls are much less secure than hardware tokens or app-based, verified push notifications as second factors,” said Rooney.

A small change that yields measurable benefits

Virginia Tech's Division of IT rolled out enhanced 2-factor authentication for its nearly 400 employees in July. By adopting the service first, the division is demonstrating how it can deliver measurable security improvements with minimal disruption to users.

“We have to maintain a balance between security and usability,” said Pitt. “By adopting enhanced authentication within the Division of IT first, we acquired practical experience that will help us understand the impact on users and effectively roll this out to other departments.”

What you can do now

The enhanced 2-factor authentication service is available on request to any Virginia Tech employee, department, or unit, at no cost. To opt in, visit the IT Service Catalog request page, log in with your Virginia Tech username and passphrase, and fill out the request form.

Also, if you ever receive a Duo authentication request that you did not initiate, decline that request by choosing “deny” or “I’m not logging in.” If you get any additional requests that did not come from you, be sure to report them through the app, and then go ahead and change your passphrase. Always decline any 2-factor authentication request that you didn’t just initiate.
