Duke ITSO Alerts

Yet another Blackboard-related phishing attack has been reported this afternoon.

Below is a screenshot of the message (target URL destination has been added):


The form hosted on that page is seen below:


As this is not a legitimate communication from Duke, we ask that everyone who has received this message, clicked the link, and supplied credentials immediately notify the OIT Service Desk at 919.684.2200 for assistance.

 

The IT Security Office is receiving reports of a phishing attack aimed at Duke users.  If you've received a message similar to the one below, please be advised that it is a phishing attack and should be discarded immediately.  Note that the link points to the anthroman.com domain, not to a duke.edu domain.


Adobe has released an update to address vulnerabilities in Adobe Flash Player.

 

Adobe Flash Player: https://helpx.adobe.com/security/products/flash-player/apsb14-22.html

 

The ITSO advises users and administrators to update these applications quickly. The vulnerabilities in Adobe Flash allow remote code execution.

Microsoft has released 8 updates addressing 24 vulnerabilities (14 for Internet Explorer).  Five of these updates are rated Critical by SANS Internet Storm Center due to the potential for remote code execution and probability of exploit code existing in the wild:

 

  • Cumulative Security Update for Internet Explorer (MS14-056)
  • Vulnerabilities in .NET Framework Could Allow Remote Code Execution (MS14-057)
  • Vulnerability in Kernel-Mode Driver Could Allow Remote Code Execution (MS14-058)
  • Vulnerability in Windows OLE Could Allow Remote Code Execution (MS14-060)

 

The updates are now available via Microsoft and Windows Update.  We recommend that these patches be deployed as soon as possible.

 

Microsoft Security Bulletin Summary:  https://technet.microsoft.com/library/security/ms14-oct

SANS ISC Analysis:  https://isc.sans.org/forums/diary/Microsoft+October+2014+Patch+Tuesday/1...


The IT Security Office is receiving reports of a very well done and very targeted phishing attack aimed at Duke users. If you've received a message similar to the one below, please be advised that it is a phishing attack and should be discarded immediately. If you saw a similar email and submitted your username and password to the form, please contact the service desk to change your password immediately. Note that the link points to the shib.oit.duke.edut.in domain, not to shib.oit.duke.edu. The duke.edut.in domain is designed to look like duke.edu at a glance.
 
The email below was received by a Duke researcher. The email referenced the user by name and referenced articles specific to that user.

If you received an email like this one, please forward a copy of the email as an attachment to security@duke.edu.  We would like to see all of the possible variations of this message.
 
-----------------------------------------

From: Margot Schofield <M.Schofield@latrobe.edu.au>
To: "xxxxx@duke.edu" <xxxxxx@duke.edu>
Subject: Re:
Date: Thu, 9 Oct 2014 16:18:25 +0000
 
Hi
 
Dear Dr. XXXXXX
 
I recently read your good article: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" It's very useful in my field of research.
I wonder, if possible, to send me these articles to use in my current research:
 
1- http://shib.oit.duke.edut.in/idp/login.php?url=hxxp://www.sciencedirect....
article/pii/xxxxxxxxxxxxxxxxxx<http://shib.oit.duke.edut.in/idp/login.php?url=hxxp://www.sciencedirect....
 
2-http://www.sciencedirect.com/science/article/piixxxxxxxxxxxxxxxxx
 
Thanks for you Cooperation in Advance.
 
.............................................................
Prof Margot Schofield
La Trobe University VIC 3086 Australia
Ph: 61 3 9479 3702; Fax: 61 3 9479 1783
---------------------------------------------------------------------------------------
 
Here is the phishing form that the links in the email point to. Note that it is a clone of the real Duke login page and that the only indicator that this is not the legitimate page is the domain in the URL: edut.in.
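The alerts above all turn on the same check: whether a link's host really is duke.edu or a subdomain of it, rather than a lookalike such as shib.oit.duke.edut.in. The Python below is an added example (not ITSO code) of doing that check on a label boundary; TRUSTED_DOMAINS and the SAMPLE message are constructed assumptions, using the link forms quoted in these alerts.

```python
import re
from urllib.parse import urlparse

# Assumption for this example: the only domain whose login pages Duke users should trust.
TRUSTED_DOMAINS = ("duke.edu",)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def hostname_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    host = urlparse(url).hostname
    return host.lower() if host else ""

def is_trusted(host: str) -> bool:
    """True only for a trusted domain or a subdomain of it (dot boundary).

    'duke.edut.in' is neither equal to 'duke.edu' nor ends with '.duke.edu',
    so the at-a-glance resemblance the phisher relies on does not pass here.
    """
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def looks_like_trusted(host: str) -> bool:
    """Host merely contains the trusted labels, e.g. 'shib.oit.duke.edut.in'."""
    return not is_trusted(host) and any(d in host for d in TRUSTED_DOMAINS)

def classify_links(text: str) -> list:
    """Return (hostname, verdict) for every http(s) URL found in the message."""
    results = []
    for url in URL_RE.findall(text):
        host = hostname_of(url)
        if is_trusted(host):
            verdict = "trusted"
        elif looks_like_trusted(host):
            verdict = "lookalike"
        else:
            verdict = "external"
        results.append((host, verdict))
    return results

# Constructed sample built from the link forms quoted in the alerts above.
SAMPLE = """1- http://shib.oit.duke.edut.in/idp/login.php
Please CLICK HERE<http://collinsfestus0.wix.com/help-desk> to reduce your mailbox size.
Duke University Update Status<http://www.fashionology.co.uk/wp-admin/includes/onlinelearn.htm>
Genuine portal: https://shib.oit.duke.edu/idp/login"""

if __name__ == "__main__":
    for host, verdict in classify_links(SAMPLE):
        print(f"{verdict:9s} {host}")
```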
 

The IT Security Office is receiving reports of a phishing attack aimed at Duke users.  If you've received a message similar to the one below, please be advised that it is a phishing attack and should be discarded immediately.  Note that the link points to the .com.br domain, not to a duke.edu domain.


The IT Security Office is receiving reports of a phishing attack aimed at Duke users.  If you've received a message similar to the one below, please be advised that it is an attack and should be discarded immediately.  Note that the link points to a website in Chile (based on the .cl suffix).


The IT Security Office is receiving reports of a phishing attack aimed at Duke users.  If you've received a message similar to the one below, please be advised that it is a phishing attack and should be discarded immediately.


The IT Security Office is receiving reports of a phishing attack aimed at Duke users.  If you've received a message similar to the one below, please be advised that it is a phishing attack and should be discarded immediately.  Note that the link points to the wix.com domain, not to a duke.edu domain.
----------------------------------------------------------
 
From: Gardner, Al [mailto:Al.Gardner@nov.com]
Sent: Tuesday, September 30, 2014 7:46 AM
To: Gardner, Al
Subject: RE: MAILBOX IS FULL
 
 
________________________________
From: Gardner, Al
Sent: Tuesday, September 30, 2014 4:21 AM
Subject: MAILBOX IS FULL
Your mailbox is almost full.
2426MB                       2500MB
Current size Maximum size
Please CLICK HERE<http://collinsfestus0.wix.com/help-desk> to reduce your mailbox size and increase the size to 3500MB.
 
 

-----------------------------------------------------------

 

The IT Security Office is receiving reports of a phishing attack aimed at Duke Sakai users. If you've received a message similar to the one below, please be advised that it is an attack and should be discarded immediately. Note that the link points to a website in the UK (based on the .uk suffix) and that the email includes the recipient's name in the text of the message.

------------------------------------------
From: Duke Sakai [mailto:aaili@duke.edu]
Sent: Thursday, September 18, 2014 9:13 AM
To: Duke User
Subject: Online Notice-Must Read!(Duke Sakai)
 
Duke Sakai Faculty, Staff and Students - duke.user@duke.edu
A new upgrade has been installed in your account (duke.user@duke.edu) Duke Sakai Services system.
Please kindly update your email for active using.
Duke University Update Status<http://www.fashionology.co.uk/wp-admin/includes/onlinelearn.htm>
You will receive a notification at least 48 hours before your mailbox is due to be migrated.
 
Thank you,
Duke University Network and System Services
------------------------------------------

The link in the email points to a clone of a BlackBoard login page.  Note the URL in the location bar.
