Duke ITSO Alerts
Today's phishing attempt provides insight into a slightly modified approach by the attackers. This message contained an attachment with the falsified warning of action against your account along with a URL to a form to harvest credentials. The actual email is provided below:

As you can see the email is very vague and instructs you to open and read the attachment "System Administrator". We started analysis on the file expecting it to contain a malicious payload though later discovered that it simply had the typical account warning along with URLs to a phishing form. See the opened attachment below:

The redirect was producing a 404 / Page not found error by the time we began investigating though it could potentially be reposted later. We are taking precautions on the university side to ensure the page is inaccessible to help mitigate but please be advised this is only pertinent to the university networks. Anyone could click through to the link if accessing from a non-campus network (i.e. DUHS network, off-campus, etc.).
If you have any questions, please contact the OIT Service Desk or the IT Security Office.
OIT Service Desk
help@oit.duke.edu
919.684.2200
IT Security Office
security@duke.edu
Patch Tuesday this month was chock full of bulletins from Microsoft, Mozilla, and Adobe looking to fix critical holes in their software.
Microsoft:
Ten bulletins from Microsoft reportedly patch 33 different vulnerabilities, all identified as either Critical or Important. Most notable is MS13-038, which patches holes in IE 8 that are already being reported as exploitable in the wild. For a detailed overview, see SANS <https://isc.sans.edu/diary/Microsoft+May+2013+Black+Tuesday+Overview/15791>
Mozilla:
Mozilla updated versions of Firefox (21.0) and Thunderbird (17.0.6) to close critical holes. Additional info can be found on the Mozilla release notes pages.
Firefox:<http://www.mozilla.org/en-US/firefox/21.0/releasenotes/>
Thunderbird:<http://www.mozilla.org/en-US/thunderbird/17.0.6/releasenotes/>
Adobe:
Adobe has released new versions of Reader, Acrobat, and Flash Player (and Air) as well as a hotfix for ColdFusion. A nice write-up to cover all can be found at The H Security page <http://www.h-online.com/security/news/item/Urgent-security-patches-for-C...
A new phishing attack was seen early this morning, once again trying to use scare tactics and insisting on immediate action. This go-round the scammers attempt to fool one into believing their email account cannot receive new messages and that the account will soon be disabled. A link is provided that will supposedly assist with provisioning adequate space. The URL redirect is a tiny.cc link which, in this case, redirects to a Google Docs form. Fortunately for this run, Google has already been made aware of the form and they have taken the form down so that it's no longer possible to provide account info.
Here is a copy of the email:

A few items to note: if one's account was in fact over quota and no longer receiving mail, it would not be possible to send new messages. Still, this is a common scare tactic phishers use to fool one into immediately taking action in hopes that they prevent unwanted action from being taken against their account. Also, while it is not uncommon to use online tools to shorten a URL, it is generally uncommon that OIT will do this for a legitimate notification. Even if the URL were to be shortened, it would not redirect to a non-Duke site such as Google Docs[1]. As we've stated in the past, the best course of action when receiving any type of account notification is to contact the party who controls the account (i.e. in the case of email at Duke, OIT or Duke Medicine depending on what type of email you have). The Service Desks will know about any type of changes that are currently in place as well as having the ability to contact support for verification on any account status. Rather than clicking links in the emails, contact the Service Desk to verify if the email is legitimate if you are unsure.
If you have any questions concerning this phishing scam or others, please contact the OIT Service Desk or the ITSO.
[1] When a Google Docs form is believed to be a phishing form, anyone has the option to "Report Abuse" and notify Google so that the form can be reviewed and taken down as needed.
A new phishing attack has been seen in circulation this afternoon. This phish is targeting Wells Fargo customers, attempting to fool the recipient into clicking a masked URL "Sign On to Wells Fargo Online" which leads to a domain (not associated with the bank) yet it mirrors a typical login screen. The form is set to harvest credentials and will attempt to verify just as much info as you're willing to provide. A few of the screenshots are provided below. In addition to this type of normal banking phish, it is not uncommon to find that the site or one of its redirects could also host malicious files containing malware created to compromise a system along with collecting URLs visited, usernames, and passwords.
Whenever this type of scam is sent to your inbox, you should always first consider whether or not you actually have an account with the supposed institution. If you do, don't click links in the email -- instead open your web browser and visit their main page yourself. From here attempt to determine whether or not your account has any pending alerts or information concerning your account. As a backup precaution, search the site's homepage for customer support info or check the back of your bank's issued card for telephone support to verify account details. Additionally, always check the URLs of any link you click. If the URL is masked as the one in this phish, move your mouse pointer over the link (Do Not Click the Link, just mouse over it) to see the actual URL you will visit if you were to click through.
Remember, these scams are designed to fool you into providing your information. Your best defense is learning what to look for so that you're able to identify the scam. As always, if you have any questions concerning this email or phishing in general, please contact the OIT Service Desk or the ITSO.
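The two link checks these alerts describe (a shortened URL that lands somewhere other than a Duke site, and a masked link whose visible text is not its real destination) can be run over the HTML body of a reported message. The Python below is an added example, not ITSO's own tooling; the trusted suffix, the shortener list and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions (not from the alerts): trusted suffix, shortener list, constructed SAMPLE.
TRUSTED_SUFFIX = "duke.edu"
SHORTENERS = {"tiny.cc", "bit.ly", "tinyurl.com"}
SAMPLE = ('<a href="http://tiny.cc/EXAMPLE">Click here</a>'
          '<a href="http://login.example.net/signon">https://oit.duke.edu/help</a>'
          '<a href="https://oit.duke.edu/help/">OIT Service Desk</a>')

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a" and dict(attrs).get("href"):
            self._href, self._text = dict(attrs)["href"], []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased hostname; tolerates visible text written without a scheme."""
    url = url if "://" in url else "http://" + url
    return (urlparse(url).hostname or "").lower()
def under(host, suffix):
    return host == suffix or host.endswith("." + suffix)

def review_links(html_body):
    """Return (href, visible text, reasons) for links that need a second look."""
    parser, findings = LinkCollector(), []
    parser.feed(html_body)
    for href, text in parser.links:
        host, reasons = host_of(href), []
        if any(under(host, s) for s in SHORTENERS):
            reasons.append("shortened URL hides the destination")
        elif not under(host, TRUSTED_SUFFIX):
            reasons.append("destination is outside " + TRUSTED_SUFFIX)
        # Visible text shaped like a URL but naming another host is a masked link.
        if " " not in text and "." in text and host_of(text) != host:
            reasons.append("visible text names a different host")
        if reasons:
            findings.append((href, text, reasons))
    return findings
```

`review_links(SAMPLE)` reports the first two links and passes the third; the returned `href` is the same destination a mouse-over would reveal.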
Email Screenshot:

Redirect screenshot:

Form page 2:

Form page 3:

A small number of Duke emails were sent a message yesterday afternoon that after investigation was found to contain a malicious attachment. The email was crafted to look as if the recipient had been awarded a grant from a Grants Council. An attached file, compressed in .rar format, with the name "Acceptance Letter" was included and individuals are asked to download, sign, and return. This file, when opened, is an executable file with a malicious payload that contains the Trojan.Zbot. This malware is known to compromise a system, allowing the attacker to harvest credentials and other sensitive information. If you or someone you know has received the message and tried to open the file, please contact the OIT Service Desk or the ITSO for assistance. The email circulating yesterday looks like the following:

Please be advised, this particular malware infects Windows systems. Additional information about the malware can be found at various AV vendor sites (i.e. Symantec and McAfee). You can search on either Trojan.Zbot or the more common name, Zeus. For any additional questions, please contact the ITSO.
Multiple Duke email addresses may have received the following message yesterday evening which contains a link to a form phishing for email credentials. This is not a legitimate email and should be discarded immediately.

Anyone who falls victim to the above message would be presented with the following form:

While not very specific to Duke, this could easily take advantage of this time of year and pique the interest of some. Additional investigation of the site raises other concerns and the page has been blacklisted from the university networks, though anyone off campus or on medical center networks could potentially access the page. The site has been flagged by some browsers and presents the "potential phishing form" warning when trying to access. If you or anyone you know have visited the link and supplied credentials, please notify the OIT Service Desk or the ITSO immediately.
Yesterday evening the following suspicious email was forwarded to the IT Security Office:

While we typically post phishing attempts that are sent with the goal of harvesting NetIDs and passwords, this email does not have such a form at the end URL; however, it still causes concern and should be avoided. If clicked, the URL redirects to many different domains (any of which could potentially host malicious content, including malware that a susceptible system could acquire) before eventually landing on a site related to credit scores. Alternatively, this could be a means of click fraud which generates revenue per site visited. We strongly encourage you to avoid clicking the link and would suggest you discard the message. There are legitimate means by which you can seek out your credit score or assistance that are not so "shady". If you have any questions, please contact the ITSO.
Many Duke email addresses may have received the following message this morning which contains a link to a phishing website. This is not a legitimate email and should be discarded immediately.

If clicked, the URL will open the following form:

If you or anyone you know has clicked the link and provided your NetID and password, please immediately contact the OIT Service Desk or the IT Security Office.
Tonight many Duke users may have received an email containing a link to a phishing website. This is not a legitimate email and should be discarded. We are still investigating the link to determine if the site is more than a simple form to harvest credentials. At this time I can neither confirm nor deny whether it is hosting malware. Please have anyone who has clicked the link and provided credentials to the form contact either the ITSO or the OIT Service Desk immediately.
Identifying the Scam Message
The message users received this evening pretends to be a new message notification alert from a Duke webmail system with a link for the user to click in order to read the message. A screenshot of the original message is below:

If this link is clicked, the user is taken to a very convincing website masquerading as the Duke OIT website. However, the site is clearly not at a Duke.edu domain. See the screenshot below.

If you clicked this link or submitted your NetID/password to this site, please contact the OIT Service Desk or the IT Security Office immediately.
This morning the ITSO received notification of the following phish prompting individuals to provide credentials, supposedly to keep from exceeding a mailbox limit:

If you click the link, you are redirected to the following form:

This is not a legitimate email and should be discarded. We are still investigating the link to determine if the site is more than a simple form to harvest credentials. At this time I can neither confirm nor deny whether it is hosting malware. Please have anyone who has clicked the link and provided credentials to the form contact either the ITSO or the OIT Service Desk immediately.
OIT Service Desk
919.684.2200
help@oit.duke.edu
http://oit.duke.edu/help/
University IT Security Office (ITSO)
security@duke.edu
http://security.duke.edu
