Note: This Security Advisory was originally sent out to account owners on June 20, 2014.
Earlier today, we noticed some of our customers being targeted with fraudulent (phishing) emails that appear to come from one of our email addresses. This is not a case of one of our accounts being hacked, but a simple impersonation technique common to most phishing attacks. This notification provides common tips on how to detect phishing attacks.
Detecting a Fraudulent Email
Breakdown of a sample phishing email:
1. Different reply-to / typos: The “reply-to” field is set to a different email address than the sender. This is sometimes done for legitimate reasons, but when a message comes from an individual and replies go back to a different individual, it is highly suspicious. In this case, the name is also misspelled, so if you were to reply, your message would not reach a legitimate individual.
2. No greeting / awkward greeting: Our email communications will always have a greeting, so if you receive one without a greeting or with an awkward greeting, e.g., “Dear valued member”, this is most likely a phishing email.
3. Strange links: Even if the link text looks legitimate, hover your mouse over it; if the URL shown differs from the text or looks strange, the link is fraudulent.
Detecting a Fraudulent Web Site
Breakdown of a sample phishing Web site:
4. Unsecured connection: All transmissions between OneLogin and our customers and third parties are performed over secured connections. If you do not see “https://” or a lock icon in the address bar, the connection is insecure and you should not enter any credentials. This applies to every web site where you log in with a user ID and password.
5. Wrong domain: Fraudulent web sites cannot show a legitimate domain name. In this case, even though the address contains “onelogin”, if you look at the entire address you will notice that it is not pointing to the actual OneLogin domain.
6. OTP field: One-time password (OTP) authentication has become more common in recent years, and the standard deployment is to first authenticate a user with their user ID and password and, once authenticated, request the second factor, the OTP. The fact that the OTP field appears on this page, alongside the user ID and password fields, should trigger suspicion right away.
7. Misaligned images / visual glitches: Similar to typos, sloppy image layouts or glitches are signs that the site you are visiting is not legitimate.
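As an added example (not code from the original advisory or from OneLogin), the following Python script turns checks 1 through 5 above into automated detection logic: it compares the Reply-To domain with the sender domain, looks for a generic greeting, and for every link compares the displayed URL with the real target, requires https, and verifies that the target's registered domain is on an allowlist. The sample messages, names, addresses and hostnames are constructed placeholders, the allowlist of legitimate domains is an assumption, and the registered-domain logic deliberately takes only the last two labels (a real deployment would use the Public Suffix List). It also shows the generalisation of check 5: a hostname that merely contains "onelogin" is not enough; the registered domain itself must match.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of the organisation's registered domains (an assumption made
# for this example; a real deployment would maintain its own list).
LEGITIMATE_DOMAINS = {"onelogin.com"}

# Constructed sample messages: names, addresses and hostnames are placeholders
# invented for this example, not real senders or real attacker infrastructure.
SAMPLE_PHISH = """\
From: OneLogin Support <support@onelogin.com>
Reply-To: Jon Smth <jon.smth@mail-example.test>
Subject: Verify your account
Content-Type: text/html

<p>Dear valued member,</p>
<p>Please verify your account at
<a href="http://onelogin.com.login-portal.test/verify">https://app.onelogin.com/verify</a></p>
"""
CLEAN_EMAIL = """\
From: OneLogin Support <support@onelogin.com>
Subject: Your weekly report
Content-Type: text/html

<p>Hi Alice,</p>
<p>Your report is ready: <a href="https://app.onelogin.com/reports">https://app.onelogin.com/reports</a></p>
"""
GENERIC_GREETING = re.compile(r"\bdear\s+(?:valued\s+)?(?:member|customer|user)\b", re.I)
LOOKS_LIKE_URL = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)

class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    """Last two DNS labels: 'onelogin.com.login-portal.test' -> 'login-portal.test'.
    Deliberately naive; production code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def is_legitimate_host(host, allowlist=LEGITIMATE_DOMAINS):
    return registered_domain(host) in allowlist

def check_headers(msg):
    """Check 1: Reply-To pointing at a different domain than the sender."""
    _, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_dom, reply_dom = (a.rsplit("@", 1)[-1].lower() for a in (sender, reply_to))
    if reply_to and reply_dom != sender_dom:
        return [("reply-to-mismatch", f"{sender} -> {reply_to}")]
    return []

def check_link(href, text, allowlist=LEGITIMATE_DOMAINS):
    """Checks 3, 4 and 5: displayed URL vs real target, https, legitimate domain."""
    findings, real = [], urlparse(href)
    real_host = (real.hostname or "").lower()
    if real.scheme != "https":
        findings.append(("link-not-https", href))
    if not is_legitimate_host(real_host, allowlist):
        findings.append(("link-wrong-domain", real_host))
    if LOOKS_LIKE_URL.fullmatch(text):  # compare only when the text itself looks like a URL
        shown_host = (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()
        if shown_host != real_host:
            findings.append(("link-text-mismatch", f"{shown_host} -> {real_host}"))
    return findings

def analyse(raw_message, allowlist=LEGITIMATE_DOMAINS):
    """Return (finding code, detail) pairs for a single-part HTML message."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()  # single-part message assumed, as in the samples
    findings = check_headers(msg)
    greeting = GENERIC_GREETING.search(re.sub(r"<[^>]+>", " ", body))  # check 2
    if greeting:
        findings.append(("generic-greeting", greeting.group(0)))
    collector = _AnchorCollector()
    collector.feed(body)
    for href, text in collector.links:
        findings += check_link(href, text, allowlist)
    return findings

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("clean", CLEAN_EMAIL)):
        print(label, analyse(raw) or "no findings")
```

Run against the constructed phishing sample, the script reports all five findings (mismatched Reply-To, generic greeting, displayed URL differing from the real target, plain http, and a registered domain of login-portal.test rather than onelogin.com), while the clean sample yields none. A mail gateway or help-desk triage tool would typically score these findings rather than block on any single one, since a mismatched Reply-To on its own can be legitimate, as item 1 notes.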
If you receive a suspicious email that appears to come from OneLogin, please contact firstname.lastname@example.org.