InfoSec Blog - Genuine Login Page or Phishing Page?


October 20, 2016

When an IT change takes place at the University of Guelph, hackers are more active.  For example, in the summer of  2016, when the University transitioned the staff email system to the new Gryph Mail Office 365, there were renewed attempts to lure our users with phishing emails containing links to an illegitimate login page.

Example of an Illegitimate SSO login page

(Image Credit: Dave Tocek, Lab Services)


The example phishing page above looks identical to the University SSO login page provided by CCS. It even had our new design - the responsive theme which was added during the Gryph Mail transition.  But there were still two differences:

  1. It was served from an external server (see the address circled above) instead of from the CCS servers on the domain
  2. It was not signed with the University of Guelph digital certificate


Hopefully U of G users did not follow the link within that email and did not try to sign in. If they had they would have revealed their credentials to the hackers. 


So how can we tell the genuine University of Guelph SSO login page from a bogus/phishing page?

This is where the digital certificate becomes critical - it not only helps to facilitate secure communication with the server - it also verifies its identity.  The University SSO service is secured with the certificate of the highest assurance - the so-called Enhanced Validity (EV) certificate -  which makes it easy to verify the source of the presented content.  When most modern web browsers encounter such EV certificates they display the company name right beside the address in the address bar and also often colour it green.  See the browser examples below:


Genuine SSO login page confirmed in FireFox



Genuine SSO login page confirmed in Chrome


Internet Explorer

Genuine SSO login page confirmed in IE


Take Aways

When you are signing in via the U of G SSO page, please look for the "University of Guelph" designation in the address bar.  If you see it, then your credentials will stay with the University.

If you are interested in technical details behind the digital certificates and various tools that use them, you can start for example with the open-source project

If you would like to get more information, please contact the CCS Information Security team.  


Written by: Zdenek Nejedly (Identity and Access Management Analyst, Information Security)