Duke ITSO Alerts

The Duke University IT Security Office has received multiple notifications of a recent phishing email that is circulating through the Duke community. If you have received this email, clicked on the link, and provided your username and password, we recommend that you contact the OIT Service Desk at 919-684-2200; they can assist you in updating your information.

 

Below is the email that is being seen:

The link in the email redirects to a site that was hosted at wix.com which appears to have already been removed.

 

If you received the message, clicked the link, and supplied credentials, please notify the OIT Service Desk at 919.684.2200.

The Duke University IT Security Office has received multiple notifications of a recent phishing email that is circulating through the Duke community. If you have received this email, clicked on the link, and provided your username and password, we recommend that you contact the OIT Service Desk at 919-684-2200; they can assist you in updating your information.

Below is the email that is being seen.

 

The link in the email redirects to a site that is hosted at dd-racing.com.

 

Duo Product Security Advisory

Advisory ID: DUO-PSA-2015-002

Publication Date: 2015-04-06

Revision Date: 2015-04-06

Status: Fixed

Document Revision: 1
 

Overview
 

Duo Security has identified an issue in recent versions of Duo Mobile for iOS that could allow attackers to perform a successful Man-in-the-Middle (MITM) attack against the app's TLS connections, if they can otherwise manipulate the network traffic exchanged between the mobile app and Duo's cloud service.

This issue has been fixed in Duo Mobile 3.7.1; all iOS users should update as soon as possible.
 

Affected Product(s)
 

Duo Mobile for iOS, versions 3.4 - 3.7

Solution
 

Duo Mobile 3.7.1 was published to the iTunes App Store on April 6, 2015. This version ensures that certificate domain-name validation is performed for all TLS connections.

Users should upgrade to this version immediately to prevent the issues described above. Note that administrators can audit their users' Duo Mobile app versions in the "phones" section of the Duo administrative interface.

As noted above, there is a small risk that users' Duo Mobile credentials could be compromised, if an attacker captured network traffic from Duo Mobile during account setup. After users have upgraded, administrators may choose to forcibly invalidate any existing credentials by re-activating users' Duo Mobile accounts in the administrative interface.
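
An added illustration (not code from Duo or from the original advisory) of why certificate domain-name validation matters: a certificate can chain to a trusted CA and still belong to a different host. The certificate dicts are constructed samples in the shape of Python's `getpeercert()` output, and the `*.example` host names are placeholders.

```python
import ssl

# Constructed samples shaped like ssl.SSLSocket.getpeercert() output.
# Both are assumed to chain to a trusted CA; only the names differ.
SERVICE_CERT = {"subjectAltName": (("DNS", "api.service.example"),
                                   ("DNS", "*.cdn.service.example"))}
OTHER_SITE_CERT = {"subjectAltName": (("DNS", "www.unrelated.example"),)}


def hostname_matches(cert, hostname):
    """True if a DNS subjectAltName covers hostname (RFC 6125 style)."""
    host = hostname.lower().rstrip(".").split(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".").split(".")
        if len(pattern) != len(host):
            continue  # a wildcard stands for exactly one label
        if pattern[0] == "*":
            # Wildcard only as the whole leftmost label, never "*.tld".
            if len(pattern) > 2 and pattern[1:] == host[1:]:
                return True
        elif pattern == host:
            return True
    return False


def client_accepts(cert, hostname, validate_name):
    """Model of the client's decision once the chain has already verified."""
    return hostname_matches(cert, hostname) if validate_name else True


def chain_only_context():
    """Weak setting: the chain is still verified, the host name is not."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def strict_context():
    """Default client context: chain and host name are both verified."""
    return ssl.create_default_context()


if __name__ == "__main__":
    target = "api.service.example"
    for label, cert in (("service", SERVICE_CERT), ("other", OTHER_SITE_CERT)):
        print(label, "| name check off:", client_accepts(cert, target, False),
              "| name check on:", client_accepts(cert, target, True))
```

With the name check off, the certificate for the unrelated site is accepted for `api.service.example`, which is the condition a network-positioned attacker needs; with it on, the same certificate is rejected.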

The Duke University IT Security Office has received multiple notifications of a recent phishing email that is circulating through the Duke community. If you have received this email, clicked on the link, and provided your username and password, we recommend that you contact the OIT Service Desk at 919-684-2200; they can assist you in updating your information.

 

Below is the email that is being seen.
----------------------------------
From: dderidder @mweb. co. za <dderidder @mweb. co. za>
Sent: Thursday, April 2, 2015 1:54 PM
To: "Undisclosed-Recipient:;"@domain.invalid
Subject: Admin
 
Your duke.edu account has been temporally suspended, and this means that you  will not be able to send and receive new email messages. This is because of the  on-going yearly web maintenance and deleting of inactive  duke.edu accounts. You are then requested to verify your  duke.edu  account below for upgrading.
 
Click Or Open this link to VERIFY your Account: CLICK HERE??????????<hXXp:// emailvalidation81. weebly. com>
------------------------------------

The link in the email redirects to a site that is hosted at hXXp:// emailvalidation81. weebly. com.

The Duke University IT Security Office has received multiple notifications of a recent phishing email that is circulating through the Duke community. If you have received this email, clicked on the link, and provided your username and password, we recommend that you contact the OIT Service Desk at 919-684-2200; they can assist you in updating your information.

Below is the email that is being seen.

The link in the email redirects to a site that is hosted at gpgac.com.

Overnight and early this morning, Duke has seen an increase in reported phishing attacks. Screenshots of a couple of attacks are posted below:

 

If you receive a suspicious message, please forward the original message in its entirety to security@duke.edu following the steps identified below:

1 - Open a new email in Outlook

2 - Address the new email to security@duke.edu

3 - Enter Subject "Suspected Phishing Email – Subject: New Upgrade"

4 - Drag & Drop the original email from your Inbox/Deleted Items folder into the body of the new email - This will create an attachment

5 - Send

 

This will facilitate a full forensic analysis of the origin and contents of the email.
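
An added sketch (not part of the original alert) of why the steps above send the suspicious message as an attachment: wrapped as a `message/rfc822` part, the original headers, including the `Received` chain, reach the analyst intact. The sample message, its host names and the reporter address are constructed, and modeling the Outlook drag-and-drop attachment as `message/rfc822` is an assumption.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample of a suspicious message as it sat in the inbox.
SUSPICIOUS = (
    b"Received: from relay.example.net (relay.example.net [192.0.2.10])\r\n"
    b"\tby mx.example.edu; Thu, 2 Apr 2015 13:54:09 -0400\r\n"
    b"Received: from sender-pc (unknown [198.51.100.7])\r\n"
    b"\tby relay.example.net; Thu, 2 Apr 2015 13:54:02 -0400\r\n"
    b"From: Admin <admin@sender.example>\r\n"
    b"Subject: New Upgrade\r\n"
    b"Message-ID: <constructed-1@sender.example>\r\n"
    b"\r\n"
    b"Verify your account at the link below.\r\n"
)


def build_report(original_bytes, reporter):
    """Wrap the untouched original as an attachment, as in steps 1-5."""
    original = message_from_bytes(original_bytes, policy=policy.default)
    report = EmailMessage()
    report["From"] = reporter
    report["To"] = "security@duke.edu"
    report["Subject"] = ("Suspected Phishing Email \u2013 Subject: "
                         + str(original["Subject"]))
    report.set_content("Original message attached.")
    report.add_attachment(original)  # becomes a message/rfc822 part
    return report.as_bytes()


def extract_original(report_bytes):
    """Analyst side: recover the attached message from the report."""
    report = message_from_bytes(report_bytes, policy=policy.default)
    for part in report.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()
    return None


def received_chain(msg):
    """Received headers, newest hop first, unfolded to one line each."""
    return [" ".join(str(h).split()) for h in msg.get_all("Received", [])]


if __name__ == "__main__":
    inner = extract_original(build_report(SUSPICIOUS, "reporter@example.edu"))
    print("\n".join(received_chain(inner)))
```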

 

As always, anyone who receives this type of message, clicks the link(s), and enters NetID/password should immediately contact the OIT Service Desk at 919.684.2200 for assistance.

 

Various reports are coming in this afternoon pertaining to a new run of phishing emails. The subjects are varied, though the majority contain the words "New Message" in the Subject line (variants include, but are not limited to:  Good Afternoon :- New Message AND DUKE :- New Message). A screen capture of one such message is seen below:

If you've received a similar message, clicked links, and supplied credentials to the hosted login forms, please notify the OIT Service Desk immediately by calling 919.684.2200.

Reports are coming in this afternoon of 2 new phishing attacks with the subject lines "New Message" and "HELLO". While slightly different in wording and target destinations, both links ultimately redirect to the same cloned OWA login page. See a copy of the messages below:

 

and

 

The target destination of each (either directly linked or redirect) points to a cloned Exchange/Outlook Web App (OWA) login page:

If you received the message, clicked the link, and supplied credentials, please notify the OIT Service Desk at 919.684.2200.

The Information Security Offices at Duke are receiving multiple reports this morning of a new phishing attack. A screen capture of the email is shown below:

Visiting the "Download voice mail" link delivers a zip file containing malware, without presenting a website.

We ask that anyone who receives this message, clicks the link, and supplies credentials immediately notify the OIT Service Desk at 919.684.2200 for assistance.

The Information Security Offices at Duke are receiving multiple reports this morning of a new phishing attack. A screen capture of the email is shown below:

Visiting the link referenced in the message above takes one to the following (non-Duke) hosted login form:

We ask that anyone who receives this message, clicks the link, and supplies credentials immediately notify the OIT Service Desk at 919.684.2200 for assistance.
