Security advisory: Beware of fraudulent Duo prompts
Wednesday, March 16th, 2022
We want to alert you to a phishing campaign currently being run against Boston University and several other institutions across the country. This attack targets the passcode option of Duo multifactor authentication: the phishing site collects the one-time passcode you type and uses it before it expires. Please review this advisory carefully.
The attack typically begins with an email bearing a generic subject, such as “An important message from BU”, containing a link that leads to a page that looks like the BU WebLogin page. On closer inspection the page is not at a bu.edu address, and the copies seen so far do not even use a secure (https) connection. If you enter a BU login name and password, you are then sent to a fake Duo authentication page asking you to generate and enter a passcode. If you respond, the attacker logs in with your stolen password and passcode and gains control of your account.
Here’s how you can protect yourself:
Use Duo effectively
• Whenever possible, use Duo Push through the Duo Mobile app. It is the most secure of the Duo options: a passcode you type into a fake page can be used by the attacker, while a push goes to your phone, where you can see it and deny it if you did not start the login.
• NEVER approve a prompt or phone call you did not initiate yourself, whether it arrives as a push or as a call. Press “Deny” on a push you did not expect, and do not approve an unexpected call.
• Never provide another person with a Duo authorization passcode.
Look at the link
• Before clicking on any link, verify the link by hovering over it to display the destination web address.
• Be suspicious of any e-mail with a link that takes you directly to an authentication page.
• Verify that any site asking you to authenticate uses a ‘bu.edu’ address: the host name must end in .bu.edu, with https://shib.bu.edu/, https://adfs.bu.edu/ and https://weblogin.bu.edu/ being the most common. A name that merely contains the letters, such as weblogin.bu.edu.example.com or bu-edu.com, is not a BU address.
• The URL should always start with https://. The “s” means the connection is encrypted, but it is not proof that the site is genuine: attackers can obtain https for their own sites too, so check the address first, and treat a login page without https as certainly fake.
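The checks in the two lists above can be written down precisely. The following Python is an added example for this advisory, not code from BU IT, and the message and host names it uses (account-verify.example, bu-edu-login.example, login-portal.example) are constructed for illustration. It applies the rules to each link in an email body: the scheme must be https, the host must be bu.edu or end in .bu.edu, and a link whose visible text shows a bu.edu address but whose real target goes elsewhere is flagged, which is exactly what hovering over a link reveals. It also rejects two tricks a human reviewer easily misses: a user name in front of the host (https://weblogin.bu.edu@other.example) and look-alike host names built from non-ASCII letters.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Login hosts named in the advisory; any other host under bu.edu is also accepted
# by the suffix rule in check_login_link.
TRUSTED_LOGIN_HOSTS = {"shib.bu.edu", "adfs.bu.edu", "weblogin.bu.edu"}
TRUSTED_SUFFIX = ".bu.edu"


def check_login_link(url):
    """Return (ok, reason) for a link that claims to lead to a BU login page."""
    parts = urlsplit(url.strip())          # scheme and hostname come back lower-cased
    if parts.scheme != "https":
        return False, "not https"
    host = parts.hostname                  # port and any user@ prefix already stripped
    if host is None:
        return False, "no host name"
    if parts.username is not None:         # https://weblogin.bu.edu@evil.example
        return False, "user name in front of the real host (%s)" % host
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return False, "non-ASCII or punycode host name (possible look-alike)"
    if host == "bu.edu" or host.endswith(TRUSTED_SUFFIX):
        return True, "bu.edu host"
    return False, "host is %s, not under bu.edu" % host


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def audit_email_links(html):
    """Return a list of (href, text, ok, reason) for each link in an HTML email."""
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    results = []
    for href, text in parser.links:
        text = text.strip()
        ok, reason = check_login_link(href)
        # The "hover" check: visible text shows a genuine BU address, the target does not.
        if (not ok and text.lower().startswith(("http://", "https://"))
                and check_login_link(text)[0]):
            reason = ("displayed text shows a bu.edu address but the link goes to "
                      + (urlsplit(href).hostname or "?"))
        results.append((href, text, ok, reason))
    return results


# Constructed sample message modelled on the advisory; the non-BU hosts are invented.
SAMPLE_EMAIL = """
<p>An important message from BU</p>
<p><a href="https://weblogin.bu.edu/">Log in to WebLogin</a></p>
<p><a href="http://weblogin.bu.edu.account-verify.example/login">https://weblogin.bu.edu/</a></p>
<p><a href="https://bu-edu-login.example/duo">Authenticate with Duo</a></p>
<p><a href="https://weblogin.bu.edu@login-portal.example/">weblogin.bu.edu</a></p>
"""

if __name__ == "__main__":
    for href, text, ok, reason in audit_email_links(SAMPLE_EMAIL):
        print("OK  " if ok else "BAD ", href, "|", text, "|", reason)
```

Only the first link in the sample passes; the second is the classic mismatch between the text you see and the address you reach, the third uses a look-alike domain, and the fourth hides the real host behind an @ sign. Hostname checks are a safeguard, not a guarantee: an attacker who compromises a genuine bu.edu host would pass them, which is why the rules about never approving or sharing a second factor still apply.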
If you clicked on a link and provided your password, entered a Duo passcode on a page you reached from an e-mail link, or approved a Duo prompt you did not initiate:
• Change your BU password immediately: https://weblogin.bu.edu/accounts/changepw
• Contact the BU IT Help Center: ithelp@bu.edu or 617-353-HELP.
Two-factor authentication remains the most effective mechanism for deterring the use of stolen passwords. However, there will always be bad actors looking for a way past even robust defenses. Following the tips above will greatly reduce the risk to your account and to Boston University.