Duke ITSO Alerts

We've received notification of a phishing attack purportedly from Blackboard. If you've received a message similar to:

 

 

Please be advised that the message is fraudulent and should be discarded. Clicking the "Click to view" link will redirect to the following form:

 

 

We ask that anyone who has received a similar message, clicked the link, and provided NetID credentials notify the OIT Service Desk immediately by calling 919.684.2200.

A new phishing attack in circulation this morning, purportedly from "Duke Webmail Service", is prompting recipients to click a link to reconfirm their account. A screenshot of the message is below:

 

 

The "Follow here" link in that message redirects to a non-Duke page that is a direct clone of the current WebMail/Email Web Access page one at Duke might access. Unless one notices the actual URL in the address bar, it would appear legitimate. Please note this is an attack against Duke used to harvest login credentials. A screenshot of the page is below:

 

 

We ask that anyone who received that message, clicked the link, and provided NetID/password info contact the OIT Service Desk at 919.684.2200 immediately.

The following phishing message has been reported.

 

 

Date: April 4, 2014 1:22:04 AM +0530
From: WEB.ADMIN@SUPPORT.NET
To: Recipients <WEB.ADMIN@SUPPORT.NET>
Subject: E-Mail Account Warning.

Dear UserID

Your incoming messages were placed on pending due to our recent upgrade.
Kindly follow the below information link to validate your mailbox and
increase your mailbox quota service.

Click hxxp://help-ugrading-110-889-system.weebly.com/ to get your
mailbox updated.

We apologize for the inconvenience.

Thanks,
The System Administrator Management Team.
Copyright © 2014
 

The following phishing attack has been reported this afternoon:

Clicking on the link in the message takes you to the following non-Duke-hosted login form:

Submitting the form yields the following page:

We ask that anyone who received a similar message, clicked the link, and provided credentials notify the OIT Service Desk immediately at 919.684.2200.

The following phishing attack has been reported this afternoon:

 

 

This message is likely meant to target individuals who are being migrated to Office365 accounts. Please be advised, this is an attack - it is not from Duke. Anyone clicking the "UPGRADENOW" link will be redirected to the following non-Duke OWA mock-up:

 

 

Please notify the OIT Service Desk immediately (919.684.2200) if you have supplied credentials to the form.

The ITSO has begun receiving reports of a new phish that is very likely tied to the attackers attempting to steal credentials to ultimately try to modify direct deposit information. The subject is “Your Salary Raise Details”. The URL in the message directs to a Russian domain that has cloned our Shibboleth/SSO page (but removed the “You are on the correct Duke sign-in page if the URL above begins with https://shib.oit.duke.edu/.” warning). Supplying credentials to that page redirects to a clone of the older Office Web Access page, the one seen by users who have not migrated to Office365. After supplying credentials to that page, one is finally redirected to duke.edu.
 

Email text:
Hello,

You are qualified for a salary raise on your next paycheck in March, follow the steps below to immediately confirm your details.

Allow few hours for your congratulatory letter to be delivered to your email "DU email"

Click here:

http://support.duke.edu/employee-compensation<http: / /34shkafa.ru/www.duke.edu/employee-compensation.htm>
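
The link shape in this message, and the sign-in notice the clone removed, both come down to checking the host rather than the visible text or path. The following Python check is an added example, not ITSO code; the sample hosts (phish.example, wp.example), the /idp/login path and the finding names are constructed for illustration.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "duke.edu"       # registered domain the alerts treat as genuine
SSO_HOST = "shib.oit.duke.edu"    # host named in the real sign-in page's notice

def refang(url):
    """Undo defanging seen in alerts: 'hxxp' schemes and inserted spaces."""
    url = url.strip().replace(" ", "")
    return "http" + url[4:] if url.lower().startswith("hxxp") else url

def host_of(url):
    """Lower-cased hostname of a (possibly defanged) URL, or '' if none."""
    return (urlsplit(refang(url)).hostname or "").lower().rstrip(".")

def is_trusted(host):
    # Exact domain or a true subdomain; 'duke.edu.phish.example' fails.
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)

def check_link(display_text, href):
    """Return finding names (hypothetical labels) for one e-mail link."""
    findings = []
    target = host_of(href)
    if not is_trusted(target):
        findings.append("target-not-duke")
        if TRUSTED_DOMAIN in refang(href).lower():
            findings.append("duke-name-in-untrusted-url")
    shown = host_of(display_text) if "://" in refang(display_text) else ""
    if shown and shown != target:
        findings.append("display-host-mismatch")
    return findings

def is_real_sso(url):
    """True only for https on the exact SSO host, as the page notice says."""
    parts = urlsplit(refang(url))
    return parts.scheme == "https" and (parts.hostname or "").lower() == SSO_HOST

# Constructed samples mirroring the link shapes in the alerts (hosts are made up).
SAMPLES = [
    ("http://support.duke.edu/employee-compensation",
     "http: / /phish.example/www.duke.edu/employee-compensation.htm"),
    ("Click Here To Read", "hxxp://wp.example/wp-content/themes/duke.edu.htm"),
    ("Duke sign-in", "https://shib.oit.duke.edu/idp/login"),
]

if __name__ == "__main__":
    for text, href in SAMPLES:
        print(f"{text!r}: {check_link(text, href) or 'ok'}")
```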
 


 

 

The ITSO has been notified of the following two phishing attacks. The first one attempts to mimic the Outlook Web login. Please note the non-Duke URL in the location bar.

Subject: New Messge
Date: March 11, 2014 2:26:28 PM EDT
To: Undisclosed recipients:;

E-Mail NOTIFICATION

You Have 1 New Message

Click Here To Read http:/ /past.bghelsinki.org/wp-content/themes/duke.edu.htm

Sincerely,

©2014 Duke University

The second phishing attempt is more generic:

Clicking on the link in the message actually takes you to the following non-Duke-hosted login page:

We ask that anyone who received a similar message, clicked the link, and provided credentials notify the OIT Service Desk immediately at 919.684.2200.

The ITSO has been notified of the following phishing attack:

Clicking on the first link in the message actually takes you to the following non-Duke-hosted error page:

Clicking on the second link or the "main page" link on the error page takes you to the following non-Duke-hosted login page:

We ask that anyone who received a similar message, clicked the link, and provided credentials notify the OIT Service Desk immediately at 919.684.2200.

The ITSO has been notified of the following phishing attack:

Clicking on the "CLICK HERE" link takes you to the following non-Duke hosted entry page:

Clicking on any of the service icons brings up a dialog asking for your e-mail address and password. We ask that anyone who received a similar message, clicked the link, and provided credentials notify the OIT Service Desk immediately at 919.684.2200.

The ITSO has been notified of the following phishing attack:

 

 

Clicking on the "Re-Activate My Account" link takes you to the following non-Duke hosted form:

 

 

 

We ask that anyone who received a similar message, clicked the link, and provided credentials notify the OIT Service Desk immediately at 919.684.2200.
