Duke ITSO Alerts

The IT Security Office is receiving reports of a very well done and very targeted phishing attack aimed at Duke users. If you've received a message similar to the one below, please be advised that it is a phishing attack and should be discarded immediately. If you saw a similar email and submitted your username and password to the form, please contact the service desk to change your password immediately. Note that the link points to the shib.oit.duke.edut.in domain, not to shib.oit.duke.edu. The duke.edut.in domain is designed to look like duke.edu at a glance.
 
The email below was received by a Duke researcher. The email referenced the user by name and referenced articles specific to that user.

If you received an email like this one, please forward a copy of the email as an attachment to security@duke.edu.  We would like to see all of the possible variations of this message.
 
-----------------------------------------

From: Margot Schofield <M.Schofield@latrobe.edu.au>
To: "xxxxx@duke.edu" <xxxxxx@duke.edu>
Subject: Re:
Date: Thu, 9 Oct 2014 16:18:25 +0000
 
Hi
 
Dear Dr. XXXXXX
 
I recently read your good article: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" It's very useful in my field of research.
I wonder, if possible, to send me these articles to use in my current research:
 
1- http://shib.oit.duke.edut.in/idp/login.php?url=hxxp://www.sciencedirect....
article/pii/xxxxxxxxxxxxxxxxxx<http://shib.oit.duke.edut.in/idp/login.php?url=hxxp://www.sciencedirect....
 
2-http://www.sciencedirect.com/science/article/piixxxxxxxxxxxxxxxxx
 
Thanks for you Cooperation in Advance.
 
.............................................................
Prof Margot Schofield
La Trobe University VIC 3086 Australia
Ph: 61 3 9479 3702; Fax: 61 3 9479 1783
---------------------------------------------------------------------------------------
 
Here is the phishing form that the links in the email point to. Note that it is a clone of the real Duke login page and that the only indication that this is not the legitimate page is the domain in the URL: edut.in.
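The hostname check described in this alert, written out as an added example (it is not ITSO code): it pulls each `<URL>` out of a message body and tests whether the host really ends in duke.edu on a label boundary. The function names and the `BRAND` heuristic are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

TRUSTED = "duke.edu"   # legitimate domain named in the alert
BRAND = "duke"         # assumption: brand label worth flagging in foreign hosts

# Matches the "link text<URL>" form used in the quoted e-mails.
LINK_RE = re.compile(r"<(h(?:tt|xx)ps?://[^>\s]+)>?", re.I)

def hostname(url):
    """Hostname of a URL, accepting the defanged hxxp:// scheme."""
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def classify(url):
    """Return 'trusted', 'lookalike' or 'external' for a link target."""
    host = hostname(url)
    # Suffix match on a label boundary: the name must END in duke.edu.
    if host == TRUSTED or host.endswith("." + TRUSTED):
        return "trusted"
    # duke.edu (or the brand label) elsewhere in a foreign name is bait.
    if TRUSTED in host or BRAND in host.split("."):
        return "lookalike"
    return "external"

def audit(body):
    """List (host, verdict) for every <URL> found in a message body."""
    return [(hostname(u), classify(u)) for u in LINK_RE.findall(body)]

# Constructed sample: link lines copied from the messages quoted on this page.
SAMPLE = """\
article/pii/xxxx<http://shib.oit.duke.edut.in/idp/login.php?url=hxxp://www.sciencedirect....
Please CLICK HERE<http://collinsfestus0.wix.com/help-desk> to reduce your mailbox size
Duke University Update Status<http://www.fashionology.co.uk/wp-admin/includes/onlinelearn.htm>
"""

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE):
        print(f"{verdict:9} {host}")
```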
 

The IT Security Office is receiving reports of a phishing attack aimed at Duke users.  If you've received a message similar to the one below, please be advised that it is a phishing attack and should be discarded immediately.  Note that the link points to the .com.br domain, not to a duke.edu domain.

The IT Security Office is receiving reports of a phishing attack aimed at Duke users.  If you've received a message similar to the one below, please be advised that it is an attack and should be discarded immediately.  Note that the link points to a website in Chile (based on the .cl suffix).

The IT Security Office is receiving reports of a phishing attack aimed at Duke users.  If you've received a message similar to the one below, please be advised that it is a phishing attack and should be discarded immediately.

The IT Security Office is receiving reports of a phishing attack aimed at Duke users.  If you've received a message similar to the one below, please be advised that it is a phishing attack and should be discarded immediately.  Note that the link points to the wix.com domain, not to a duke.edu domain.
----------------------------------------------------------
 
From: Gardner, Al [mailto:Al.Gardner@nov.com]
Sent: Tuesday, September 30, 2014 7:46 AM
To: Gardner, Al
Subject: RE: MAILBOX IS FULL
 
 
________________________________
From: Gardner, Al
Sent: Tuesday, September 30, 2014 4:21 AM
Subject: MAILBOX IS FULL
Your mailbox is almost full.
2426MB                       2500MB
Current size Maximum size
Please CLICK HERE<http://collinsfestus0.wix.com/help-desk> to reduce your mailbox size and increase the size to 3500MB.
 
 

-----------------------------------------------------------

 

The IT Security Office is receiving reports of a phishing attack aimed at Duke Sakai users. If you've received a message similar to the one below, please be advised that it is an attack and should be discarded immediately. Note that the link points to a website in the UK (based on the .uk suffix) and that the email includes the recipient's name in the text of the message.

------------------------------------------
From: Duke Sakai [mailto:aaili@duke.edu]
Sent: Thursday, September 18, 2014 9:13 AM
To: Duke User
Subject: Online Notice-Must Read!(Duke Sakai)
 
Duke Sakai Faculty, Staff and Students - duke.user@duke.edu
A new upgrade has been installed in your account (duke.user@duke.edu) Duke Sakai Services system.
Please kindly update your email for active using.
Duke University Update Status<http://www.fashionology.co.uk/wp-admin/includes/onlinelearn.htm>
You will receive a notification at least 48 hours before your mailbox is due to be migrated.
 
Thank you,
Duke University Network and System Services
------------------------------------------

The link in the email points to a clone of a BlackBoard login page.  Note the URL in the location bar.

We've received reports of a BlackBoard-associated phishing attack. If you've received a message similar to the one below, please be advised that it is an attack and should be discarded immediately. Note that the link points to a Hungarian website (based on the .hu suffix) and that the email includes the recipient's name in the text of the message.

--------------------------------------------------------------------

From: ICT Duke [mailto:nbarbe@duke.edu]
Sent: Tuesday, September 16, 2014 5:22 PM
To: Duke User
Subject: ICT SERVICE CENTRE UPDATE Online

ICT SERVICE CENTRE Duke - (Duke.User@duke.edu<mailto:baoinin1@126.com>)

New update on your online course for this semester, Duke University System update all user server

Click Here to Get the latest Update<http://szegedkkse.hu/layouts/joomla/editors/oit.duke.htm>.

Duke University System

--------------------------------------------------------------------

The link in the email points to a clone of a BlackBoard login page.  Note the URL in the location bar.

We've received a few reports of the following phishing attack:

The "LOGIN" link above redirects to the following non-Duke hosted form (used to steal credentials):

If you've received the message shown above, clicked the "LOGIN" link, and supplied credentials to the form, please immediately notify the OIT Service Desk at 919.684.2200.

See below for a newly reported phishing attack targeting Duke:

The "CLICK HERE" link seen above redirects to the following form:

The form has been reported for abuse and will hopefully be taken down as soon as possible. In the meantime, anyone who receives the message, clicks the link, and supplies credentials should immediately notify the OIT Service Desk at 919.684.2200.

Reports of a BlackBoard-associated phishing attack have been circulating across campus this afternoon. If you've received a message similar to the one below, please be advised that it is an attack and should be discarded immediately:

As indicated above, the redirect points to a non-Duke domain hosting the form seen below:

Again, this is a fraudulent message and is not a valid BlackBoard login page. If you've received this message, clicked the link, and supplied credentials, please notify the OIT Service Desk immediately by calling 919.684.2200.
