Duke ITSO Alerts

We've received reports of a phishing message that is targeting Duke users and asking for Duke account info. If you have received this message, followed the link, and submitted information, please contact the OIT Service Desk at (919)684-2200 *immediately*. The emails look like the following:
--------------------------------------------------------

--------------------------------------------------------
Following the link takes you to the following web page. Note that the server address is *not* a Duke address and the URL is not HTTPS (without a padlock icon):
--------------------------------------------------------

--------------------------------------------------------
Again, anyone who has received this message, followed the link, and submitted information should *immediately* notify the OIT Service Desk at (919)684-2200.

Another phishing attack was reported during lunch today. The message, purportedly from "Library Resources", is captured below:

 

 

Clicking the link in this message redirects the recipient to the following non-Duke hosted form:

 

 

We strongly advise anyone who has received the message, clicked the link, and supplied credentials to immediately notify the OIT Service Desk at 919.684.2200.

A phishing attack targeting staff and faculty has been reported. A screen capture of the email text can be seen below:

 

 

Clicking the links in that message will direct the recipient to the non-Duke hosted form seen below:

 

 

We strongly advise anyone who has received the message, clicked the link, and supplied credentials to immediately notify the OIT Service Desk at 919.684.2200.

We've received reports of a new phishing message that is targeting Duke users and asking for Duke account info. If you received this message, clicked on the link, and provided information please contact the OIT Service Desk at (919) 684-2200 immediately. 

The emails look like the following:

--------------------------------------------------------

--------------------------------------------------------

Following the link takes you to the following web page (Note that the server address is *not* a Duke address and the URL is not HTTPS, without a padlock icon):

 

 

Anyone who has received the message, clicked the link, and supplied credentials should immediately notify the OIT Service Desk at 919.684.2200.

We've received reports of a new phishing message that is specifically targeting Duke users and is asking for bank account info. If you received this message, clicked on the link, and provided information, please contact the OIT Service Desk at (919) 684-2200 immediately.

The emails look like:

----------------------------------------------

 

From: DUKE-HR <employeebenefits@duke.edu>
Date: July 19, 2014 at 11:54:32 EDT
Subject: Important Salary Update

Hello,

The University is having a salary increment program again this year with an average of 2.5%

The Human Resources department evaluated you for a raise on your next paycheck.

Click below to confirm and access your salary revision documents:

Click Here <hxxp://dk42.ru/www.duke.edu/Login.htm> to access the documents

Sincerely,

Human Resources

Duke University

--------------------------------------------------

 

The link in the message points to a page that looks like the following. Note that the URL points to a Russian server instead of http://duke.edu/.

Note the field asking for bank account info.

Microsoft has released 6 updates addressing 29 vulnerabilities (25 for Internet Explorer). Two of these updates are rated Critical by Microsoft due to the potential for remote code execution:

 

Cumulative Security Update for Internet Explorer (MS14-037)
Vulnerability in Windows Journal Could Allow Remote Code Execution (MS14-038)

 

The updates are now available via Microsoft and Windows Update.  We recommend that these patches be deployed as soon as possible.

 

Microsoft Security Bulletin Summary:  https://technet.microsoft.com/library/security/ms14-jul

WordPress 3.8.2 has been released, addressing 5 security issues and 9 bugs. WordPress advises updating sites immediately. From the release:

 

This release fixes a weakness that could let an attacker force their way into your site by forging authentication cookies. This was discovered and fixed by Jon Cave of the WordPress security team.

 

It also contains a fix to prevent a user with the Contributor role from improperly publishing posts. Reported by edik.

 

This release also fixes nine bugs and contains three other security hardening changes:

 

Pass along additional information when processing pingbacks to help hosts identify potentially abusive requests.

 

Fix a low-impact SQL injection by trusted users. Reported by Tom Adams of dxw.

 

Prevent possible cross-domain scripting through Plupload, the third-party library WordPress uses for uploading files. Reported by Szymon Gruszecki.

 

 

A new phishing attack has been reported this afternoon:

 

 

The "click here" link takes the recipient to a Yolasite hosted form:

 

 

Please be advised, this is a phishing attack. This is not a legitimate communication from Duke. The purported virus alert is false. Anyone who has received the message, clicked the link, and provided information should contact the OIT Service Desk at 919.684.2200 immediately.

We've received reports of another phishing attack taking place. The email users receive looks like:

 

-----------------------------------------

From: Library Alert <alerts@library.com>
Date: Wednesday, June 25, 2014 at 1:11 PM
Subject: School Article Published

Good Morning,

Your school has successfully posted an article which has been saved in the School Library.

Click here to review the article now <hxxp://acc.msu.ac.th/eng/home/media/school-library.edu.htm>

Note: Your information has been mentioned in the article, comments and notifications will be sent directly to you.

Thank you,

Library Notifications.
----------------------------------------------

Which leads to a login page that looks like:

 


 

If you know of anyone who followed the link and may have submitted their credentials to the form, please advise them to contact the service desk to change their password as soon as possible.
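
The link checks these alerts ask readers to make (is the server a Duke address, is the URL HTTPS) can be written as a small triage script. This is an added example, not ITSO tooling; it assumes genuine Duke login pages are served under duke.edu and goes slightly beyond the alerts by also flagging "duke.edu" placed in a path or subdomain, as in the salary-update link. The last two sample URLs are constructed.

```python
from urllib.parse import urlsplit

TRUSTED = "duke.edu"  # assumption: genuine Duke login pages are served under duke.edu

def refang(url):
    """Undo the hxxp / [.] defanging used in alerts so the URL parses (it is never fetched)."""
    return url.strip().replace("hxxp", "http", 1).replace("[.]", ".")

def check_link(url):
    """Return the reasons a link should not be trusted with Duke credentials."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower().rstrip(".")
    reasons = []
    if parts.scheme != "https":
        reasons.append("not HTTPS")
    if host != TRUSTED and not host.endswith("." + TRUSTED):
        reasons.append("host '%s' is not a Duke address" % host)
        # The trusted name showing up in userinfo, a subdomain label or the
        # path is a lure: only the end of the hostname decides who serves it.
        if TRUSTED in (parts.netloc + parts.path).lower():
            reasons.append("'duke.edu' appears outside the real host")
    return reasons

SAMPLES = [
    "hxxp://dk42.ru/www.duke.edu/Login.htm",   # from the salary-update message
    "hxxp://acc.msu.ac.th/eng/home/media/school-library.edu.htm",  # library message
    "https://duke.edu.signin.example/login",   # constructed lookalike host
    "https://www.duke.edu/",                    # constructed benign case
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", check_link(s) or "no findings")
```

An empty result only means the link passed these two checks; it does not show that the page behind it is legitimate.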

A new report of a phishing attack this afternoon:

 

 

The attachment in this message pulls up the following form:

 

 

Please be advised, the form does not submit the information to a Bank of America owned site.
