Duke ITSO Alerts

The IT Security Office is receiving reports of a phishing attack aimed at Duke Sakai users.  If you've received a message similar to the one below, please be advised that it is an attack and should be discarded immediately.  Note that the link points to a website in the UK (based on the .uk suffix) and that the email includes the recipient's name on the text of the message.

------------------------------------------
From: Duke Sakai [mailto:aaili@duke.edu]
Sent: Thursday, September 18, 2014 9:13 AM
To: Duke User
Subject: Online Notice-Must Read!(Duke Sakai)
 
Duke Sakai Faculty, Staff and Students - duke.user@duke.edu
A new upgrade has been installed in your account (duke.user@duke.edu) Duke Sakai Services system.
Please kindly update your email for active using.
Duke University Update Status<http://www.fashionology.co.uk/wp-admin/includes/onlinelearn.htm>
You will receive a notification at least 48 hours before your mailbox is due to be migrated.
 
Thank you,
Duke University Network and System Services
------------------------------------------

The link in the email points to a clone of a BlackBoard login page.  Note the URL in the location bar.

We've received reports of a BlackBoard associated phishing attack. If you've received a message similar to the one below, please be advised that it is an attack and should be discarded immediately.  Note that the link points to a Hungarian website (based on the .hu suffix) and that the email includes the recipient's name on the text of the message.

--------------------------------------------------------------------

From: ICT Duke [mailto:nbarbe@duke.edu]
Sent: Tuesday, September 16, 2014 5:22 PM
To: Duke User
Subject: ICT SERVICE CENTRE UPDATE Online

ICT SERVICE CENTRE Duke - (Duke.User@duke.edu<mailto:baoinin1@126.com>)

New update on your online course for this semester, Duke University System update all user server

Click Here to Get the latest Update<http://szegedkkse.hu/layouts/joomla/editors/oit.duke.htm>.

Duke University System

--------------------------------------------------------------------

The link in the email points to a clone of a BlackBoard login page.  Note the URL in the location bar.

We've received a few reports of the following phishing attack:

 

 

 

The "LOGIN" link above redirects to the following non-Duke hosted form (used to steal credentials):

 

 

If you've received the message shown above, clicked the "LOGIN" link, and supplied credentials to the form, please immediately notify the OIT Service Desk at 919.684.2200

See below for a newly reported phishing attack targeting Duke:

 

 

The "CLICK HERE" link seen above redirects to the following form:

 

 

The form has been reported for abuse and will hopefully be taken down as soon as possible. In the meantime, anyone who receives the message, clicks the link, and supplies credentials should immediately notify the OIT Service Desk at 919.684.2200

Reports of a BlackBoard associated phishing attack have been circulating across campus this afternoon. If you've received a message similar to the one below, please be advised that it is an attack and should be discarded immediately:

 

 

As indicated above, the redirect points to a non-Duke domain hosting the form seen below:

 

 

 

Again, this is a fraudulent message and is not a valid BlackBoard login page. If you've received this message, clicked the link, and supplied credentials, please notify the OIT Service Desk immediately by calling 919.684.2200.

Another phishing attack has been reported this morning. See the message below:

 

 

The "LOGIN" link above takes you to the non-Duke page seen below, an intentional clone of the University WebMail/Email Access page:

 

 

 

If you've received this message, clicked the link, and provided Duke credentials, please contact the OIT Service Desk at 919.684.2200 immediately for assistance.

 

 

Multiple reports of the following phishing attack have been reported this morning (screenshot of the message below):

 

 

As identified in the picture above, the target destination of the URL "CLICK HERE" is a non-Duke domain. Clicking the link takes you to the following page:

 

 

 

As always, if you've received the message, clicked the link, and supplied Duke credentials, please immediately contact the OIT Service Desk at 919.684.2200 for assistance.

Reports of the following phishing attack began coming in during lunch:

 

 

The URL in this message points to a non-Duke domain hosted in Hungary (see screenshot below):

 

 

If you've received this message, clicked the link, and supplied credentials please notify the OIT Service Desk immediately by calling 919.684.2200

Reports of a new phishing attack from early this morning... The following message was forwarded to security:

 

 

Notice the "click here" link does not redirect to a Duke domain, rather a page currently hosted in Argentina. Clicking the link takes you to the following OWA cloned page:

 

 

Depending which browser is used and how settings are configured, you may experience cert notifications warning about security of the site. The following was a warning received during our investigation:

 

 

Again, this site is in no way related to Duke and anyone receiving the message should discard and delete from your inbox. For any who have received this message, clicked the link, and supplied Duke credentials, please notify the OIT Service Desk by calling 919.684.2200 immediately.

Multiple reports of the following phishing attack were reported late yesterday afternoon:

 

 

The URL ("LOGINHERE") redirects to a form hosted on a Belgium domain:

 

 

If you received this message, clicked the link, and supplied Duke credentials, please immediately contact the OIT Service Desk at 919.684.2200 for assistance.

Pages