In the summer of 2023, Carleton University implemented a new, more resilient multi-factor authentication (MFA) solution that is available to all students, faculty and staff. This has had an impact: we have seen a reduction in stolen passwords being used to send phishing emails from Carleton accounts or for other malicious activities.

While MFA is making it harder for threat actors to gain access to Carleton’s data and systems, threat actors never give up and are attempting to get you to help them.

Carleton and other universities across Canada have observed a rise in attacks designed to get you to approve an MFA prompt for them.

Tried-and-True Techniques

How do they do this? They use tried-and-true techniques: Fatigue and Machine-in-the-Middle attacks.

Fatigue attacks rely on a predictable human reaction: the threat actor sends multiple MFA challenge prompts, betting that the person will get annoyed and complete the MFA challenge to make it stop.

Machine-in-the-Middle attacks are more technically sophisticated but are also harder for the user to detect. Usually these start with a malicious URL in a phishing email that takes you to a phishing website. The website appears to be a site you typically use, and you are prompted to log in and provide your username and password. The threat actor captures that data, sends it to the legitimate website and sends you back the prompt to complete your MFA challenge. If you complete that challenge, you have approved the threat actor's login rather than your own.

Both techniques are designed to make you an unwitting accomplice.

What Can You Do to Prevent This?

If you didn’t take an action which would prompt an MFA challenge, hit “No, it’s not me” and Carleton’s IT systems will quickly take steps to protect your account and data.

Never click on a link or open an attachment from an untrusted source.

Use the Report Phishing button in Microsoft Outlook to flag suspicious emails.

Seven elements of malicious communications:
1. Urgent or Threatening Language
2. Requests for Sensitive Information
3. Anything Too Good to be True
4. Unexpected Emails
5. Information Mismatches
6. Suspicious Attachments
7. Unprofessional Design
Source: Canadian Centre for Cyber Security

Contact ITS if you think you may have fallen victim. ITS can determine if you have been compromised, provide you with guidance on next steps and assist with any required actions to protect you and the university.

More Ways to Learn about Staying Cyber Safe

Our Security Awareness Course, available through Brightspace, teaches the community how to stay cyber secure. Students, faculty and staff are invited to enroll in a series of modules that are short, digestible and, most importantly, informative. Topics include phishing, ransomware, Wi-Fi security, social engineering, risky USB devices and much more.

Keep in mind that, after clicking the link above, you’ll need to log in with your MyCarletonOne (MC1) password before enrolling.