Duke ITSO Alerts

A new phishing attack was reported this morning. While it does not specifically target Duke credentials, the hosted form attempts to fool the recipient into supplying banking details and other sensitive information, including date of birth and SSN.

The original email message:

The phishing form (not an Amazon hosted page):

Adobe has released an update addressing vulnerabilities in Adobe Flash:

Adobe Flash - http://helpx.adobe.com/security/products/flash-player/apsb14-16.html

The ITSO advises users and administrators to update Flash quickly.  The vulnerabilities in Flash allow remote code execution.

Microsoft has released 7 updates addressing a whopping 66 vulnerabilities (59 of them in Internet Explorer).  Two of these updates are rated Critical by Microsoft due to the potential for remote code execution, one of which involves Internet Explorer (MS14-035) and fixes a vulnerability that attackers are actively exploiting:

  • Cumulative Security Update for Internet Explorer (MS14-035)
  • Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (MS14-036)

SANS has released its analysis of the patches, and the updates are now available via Microsoft Update and Windows Update.  We recommend that these patches be deployed as soon as possible.

SANS ISC Diary: https://isc.sans.edu/forums/diary/Microsoft+Patch+Tuesday+June+2014/18233
Microsoft Security Bulletin Summary:  https://technet.microsoft.com/library/security/ms14-jun

A report of the following phishing attack was sent to the ITSO in the past few minutes.

Clicking the URL (shown in the screenshot above) redirects to a compromised site that is hosting a copy of the Google Docs sign-on screen (see below):

If you received this message, clicked the link, and supplied credentials for any of the listed providers (Yahoo!, Google, Microsoft, AOL, etc.), consider that account compromised and change its password immediately. Anyone who supplied Duke credentials should contact the OIT Service Desk at 919.684.2200 immediately.

We've been notified about another phishing attack that is making the rounds.

From: System [mailto:notifications@system.net]
Sent: Tuesday, June 03, 2014 12:19 PM
Subject: Service Maintenance Alert
 
Good Morning!

We are pleased to inform you that a scheduled maintenance has been successfully completed.

In order to ensure your account remains active and protected, please confirm your account immediately.

Click here to confirm your account now

We apologize for any inconveniences caused.

The link leads to a Blackboard-style login page.

The clearest sign that this is not a legitimate login page is the URL, which is not a duke.edu address.

Our office has received reports of Duke Medicine users receiving the following phish:

As of this posting, we have seen no indication of deliveries to university accounts, though we are still investigating. Fortunately, the form provider (Yola) has already taken the hosted form down.

We advise anyone who received the phish, clicked the link, and provided NetID credentials to please notify the OIT Service Desk immediately.

Adobe has released three security bulletins addressing vulnerabilities in three Adobe products:

The ITSO advises users and administrators to update these applications quickly.  Vulnerabilities in Reader are being actively exploited, and both Reader and Flash have vulnerabilities that allow remote code execution.

SANS ISC Diary: https://isc.sans.edu/forums/diary/Adobe+May+2014+Patch+Tuesday/18115

Microsoft has released 9 updates addressing 14 vulnerabilities.  Three of these updates are rated Critical by Microsoft due to the potential for remote code execution, one of which involves Internet Explorer (MS14-029) and fixes a vulnerability that attackers are actively exploiting:

  • Security Update for Internet Explorer (MS14-021) - out-of-band patch
  • Security Update for Internet Explorer (MS14-029)
  • Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (MS14-022)

SANS has released its analysis of the patches, and the updates are now available via Microsoft Update and Windows Update.  We recommend that these patches be deployed as soon as possible.

SANS ISC Diary: https://isc.sans.edu/forums/diary/Microsoft+May+2014+Patch+Tuesday/18113
Microsoft Security Bulletin Summary:  https://technet.microsoft.com/library/security/ms14-may

A phishing attack in circulation this evening, purportedly from the "Duke Technical Team", asks recipients to sign up to help prevent their email from spreading a new virus. Discard this message immediately: it is not from Duke and is solely intended to harvest user credentials. A screenshot of the message is below:

As you can see above, the target destination is one we've seen in the past (yolasite) and is obviously a non-Duke domain. The ITSO has reported the page and expects it to be taken down soon. In the meantime, a screenshot of the offending form is below:

As always, we ask that all individuals who've received the message, clicked the link, and supplied credentials to please notify the OIT Service Desk at 919.684.2200 as soon as possible to receive assistance.

We're receiving reports of another phishing attack claiming to be from Blackboard.  As always, we ask that anyone who has received a similar message, clicked the link, and provided NetID credentials please notify the OIT Service Desk immediately by calling 919.684.2200.

The messages look similar to the following:

The phishing form is below; note that the URL is "http: //boardlearn.ye.vc/BB/BB1/BB2/signin.edu.htm" (written with a space so it does not render as a link), which is not a Duke domain.
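The domain check applied in this alert and in the earlier Blackboard-style login alert (is the sign-on page actually under a Duke domain?) can be automated when triaging reported messages. The script below is an added example, not part of the ITSO post or any Duke tool: it pulls links out of a reported message, including defanged spellings such as "http: //" and "hxxp://", and flags every link whose host is not duke.edu (or a subdomain of it). The allowlist of duke.edu and dukemedicine.org, the helper names and the sample message are assumptions made for this example; only the boardlearn.ye.vc link is taken from the alert.

```python
"""Flag login-page links that do not sit under a Duke-controlled domain.

Added example, not part of the Duke ITSO alert. The allowlist, helper names
and the sample message below are assumptions made for this demonstration.
"""
import re
from urllib.parse import urlsplit

# Domains whose subdomains may legitimately host a Duke sign-on page (assumption).
DUKE_DOMAINS = ("duke.edu", "dukemedicine.org")

# Matches normal URLs and the defanged spellings analysts commonly paste into
# reports: "http: //host", "hxxp://host". Stops at whitespace or quoting.
URL_RE = re.compile(r"\b(?:hxxps?|https?)\s*:\s*//\s*[^\s<>\"']+", re.IGNORECASE)

# Constructed sample, not a real message: the first link is the defanged URL
# quoted in the Blackboard alert above; the other two are made up for the demo.
SAMPLE_MESSAGE = """\
Click here to confirm your account now: http: //boardlearn.ye.vc/BB/BB1/BB2/signin.edu.htm
Or sign in at https://duke.edu.example.net/login?next=/mail
Real help desk page: https://oit.duke.edu/help
"""


def refang(url: str) -> str:
    """Turn a defanged URL back into a parseable one: hxxp -> http, 'http: //' -> 'http://', [.] -> ."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    url = re.sub(r"\s*:\s*//\s*", "://", url, count=1)
    return url.replace("[.]", ".").replace("[:]", ":")


def hostname(url: str) -> str:
    """Host part of a URL, lower-cased, without userinfo, port or trailing dot."""
    host = urlsplit(refang(url)).hostname or ""
    return host.lower().rstrip(".")


def is_duke_host(host: str) -> bool:
    """True only for an allowlisted domain or a subdomain of one.

    The comparison is on label boundaries, so 'duke.edu.example.net' and
    'notduke.edu' are rejected even though both contain 'duke.edu'.
    """
    return any(host == d or host.endswith("." + d) for d in DUKE_DOMAINS)


def suspicious_links(message: str) -> list:
    """Return (url, host, reason) for every link whose host is not a Duke domain."""
    findings = []
    for raw in URL_RE.findall(message):
        raw = raw.rstrip(".,;)")  # drop sentence punctuation glued to the URL
        host = hostname(raw)
        if not host:
            findings.append((raw, host, "no parseable host"))
        elif not is_duke_host(host):
            # The Duke name inside a foreign domain is the classic lookalike lure.
            reason = "Duke name in non-Duke domain" if "duke" in host else "non-Duke domain"
            findings.append((raw, host, reason))
    return findings


if __name__ == "__main__":
    for url, host, reason in suspicious_links(SAMPLE_MESSAGE):
        print(f"{reason}: {host}  <- {url}")
```

Matching on label boundaries rather than with a plain substring test is what keeps lookalikes such as duke.edu.example.net or notduke.edu from passing; the refang step matters because reports to a service desk usually arrive with the link deliberately broken, exactly as in the alert above.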
