Duke ITSO Alerts
A new phishing attack targeting Duke WebMail users is circulating this morning. The message looks like the following:

This is not a legitimate email and should be discarded immediately. If you've received the email, clicked the link, and were able to view the site to provide information, please contact the OIT Service Desk or the Duke IT Security Office immediately.
OIT Service Desk:
(919) 684-2200
Duke IT Security Office:
Over the past several days, Duke's Office of Information Technology (OIT) and the IT Security Office have detected several major phishing attacks aimed at the Duke community.
The messages appear to be about a Duke account and ask Duke users to click on the links in the message. These links take the user to a non-Duke site to enter their netID and password. If the netID and password are supplied, the attacker logs into the email account and uses it to send thousands of messages to other people and institutions. Samples of the messages are provided below.
The IT Security Office offers the following reminders about handling suspicious messages:
- Remember that Duke will NEVER ask for your password or information about your account in an email.
- Do NOT click on any links in suspicious messages. The links that are in messages such as these phishing attempts could end up trying to install malware on your computer or coerce you to give up your account information.
- If you get an email message that looks to be a scam, please visit the Sophos site for instructions on how to upload the message. Uploading the message helps Duke’s anti-spam appliances gather better information on what to mark as spam or scam. (http://www.sophos.com/support/knowledgebase/article/23113.html)
If you have supplied any information on a website after clicking on links in a suspicious email message, please contact the OIT Service Desk immediately.
OIT Service Desk:
(919) 684-2200
help@oit.duke.edu
http://oit.duke.edu/help/
Sample 1 - Account Notification Fraudulent Message

Sample 2 - Account Disabled Fraudulent Message

Sample 3 - Fraudulent Website Requesting Credentials

A new phishing attack targeting Duke Exchange / Outlook Web App (OWA) users is circulating this afternoon. The message looks like the following:
From: Duke University <account@duke.edu>
Date: Tuesday, April 16, 2013
Subject: New Message
To: undisclosed-recipients:
ACCOUNT NOTIFICATION
You Have 1 New Message
Click Here To Read (redirect to non-Duke url)
Sincerely,
Duke University
If you click on the link, you are taken to a non-Duke site that imitates our own Outlook Web App page. This is not a legitimate email and should be discarded immediately.
If you supplied any information to this form, please contact the OIT Service Desk or the Duke IT Security Office immediately.
OIT Service Desk:
(919) 684-2200
Duke IT Security Office:
A screenshot of the redirect is provided below:

A new phishing attack was reported over the evening; it purports to offer an additional tax refund after a calculation error was discovered. The message instructs the recipient to create an e-Refund account so that the claim can be submitted and the funds deposited directly into a specified bank account. This particular scam appears to have already been addressed: the redirect in the message is currently inaccessible, most likely taken down by the hosting party. Still, it draws attention to the potential for well-crafted scams that target our desire to cash in on additional refunds as we all file yearly taxes. If you see any messages that look suspicious, please contact the Service Desk and/or the IT Security Office before providing any sensitive information that could be harmful.
This particular message appeared as follows (again, the URL redirect is down, so we have no screenshots to verify the form or the requested information):
> From: IRS Online <reminde@irsm.com>
> Subject: Final reminder: Notice of Tax Return
> Date: April 10, 2013 4:55:02 PM EDT
> To: undisclosed-recipients: ;
> Reply-To: noreply@irsm.com
>
>
> 04/10/2013
> Referance: I3H583326/13
>
> Claim Your Tax Refund Online
> Dear Taxpayer,
>
> We identified an error in the calculation of your tax from the last payment, amounting to $ 319.95.
>
> In order for us to return the excess payment, you need to create a e-Refund account after which the funds will be credited to your specified bank account.
>
>
> Please click "Get Started" below to claim your refund:
>
> Get Started
OIT Service Desk:
(919) 684-2200
help@oit.duke.edu
http://oit.duke.edu/help/
Duke IT Security Office:
security@duke.edu
A new phishing attack targeting Duke WebMail users is circulating this morning. The message looks like the following:
From: "it_support@duke.edu" <hlthservice@gmail.com>
Date: Wednesday, March 27, 2013
Subject: Duke WebMail Update
To: undisclosed-recipients:
The Duke Webmail system and calendar services have been updated.
Please visit the updated WebMail for information and instructions on how to access your email.
Access your email via the web using the DukeMail
Duke University email users can access their accounts via this web interface.
This interface provides:
- a single access point for DukeMail and departmental and school email systems (For Web Access https://webmail.duke.edu).
- Beginning on Tuesday, March 27th, 2012, the new webmail application becomes the default for all users.
- increased security
- two-column and three-column views of mailbox contents
- drag-and-drop handling of messages
- selection of multiple messages for deletion or filing
- full rich-text formatting
- management of group email accounts
- management of multiple "from" email addresses
If you need additional help with the web mail interface, please contact the OIT Service Desk.
For more information about using the webmail interface, see the OIT website.
If you click on the link, you are taken to a non-Duke site (on the une.me domain) that imitates our own Email Web Access page and asks for credentials. This is not a legitimate email and should be discarded immediately.
If you supplied any information to this form, please contact the OIT Service Desk or the Duke IT Security Office immediately.
OIT Service Desk:
(919) 684-2200
Duke IT Security Office:
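Added example (not part of the original alerts, and not a Duke or OIT tool): a small Python check for two tells described above, a From header whose display name shows a duke.edu address while the real sender is elsewhere, and a link whose host is not actually under duke.edu. The function names and finding labels are assumptions, and two of the three link targets are constructed because the alerts do not give the phishing URLs.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED = "duke.edu"

# From headers copied from two sample messages on this page.
SAMPLE_FROM = [
    '"it_support@duke.edu" <hlthservice@gmail.com>',
    "Duke University <account@duke.edu>",
]
# Link targets: the first is the real WebMail URL quoted on this page; the
# other two are constructed (the alerts do not give the phishing URLs).
SAMPLE_LINKS = [
    "https://webmail.duke.edu/",
    "http://webmail.duke.edu.login.example.net/owa",
    "http://webmail.duke.edu@login.example.net/",
]

def in_domain(host, domain=TRUSTED):
    """True only for the domain itself or a genuine subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def check_from(header):
    """Return findings for one From header value."""
    display, addr = parseaddr(header)
    findings = []
    # An address shown in the display name that is not the real sender.
    shown = re.search(r"[\w.+-]+@[\w.-]+", display)
    if shown and shown.group(0).lower() != addr.lower():
        findings.append("display-name-address-mismatch")
    # Display name invokes Duke, but the sending address is external.
    if "duke" in display.lower() and not in_domain(addr.rpartition("@")[2]):
        findings.append("claims-duke-from-external-domain")
    return findings

def check_link(url):
    """Flag a link whose real host is outside the trusted domain."""
    # urlsplit().hostname drops any "user@" prefix, so text placed before
    # an "@" cannot pass itself off as the host.
    return [] if in_domain(urlsplit(url).hostname) else ["link-leaves-duke.edu"]

if __name__ == "__main__":
    for h in SAMPLE_FROM:
        print(h, "->", check_from(h) or "no header finding")
    for u in SAMPLE_LINKS:
        print(u, "->", check_link(u) or "ok")
```

The second From header produces no finding: a From line that names a duke.edu address cannot be judged from the header text alone, which is why the link check and reporting the message still matter.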
US-CERT has received reports of apparently DHS-themed ransomware occurring in the wild. Users who are being targeted by the ransomware receive an email message claiming that use of their computer has been suspended and that the user must pay a fine to unblock it. The ransomware falsely claims to be from the U.S. Department of Homeland Security and the National Cyber Security Division.

This morning an attacker launched a phishing attack targeting Duke email users. The message looks like the following:
From: Duke University
Date: Wednesday, March 20, 2013
Subject: Duke Account Alert,
To: Recipients <oit@duke.edu>
This E-mail been sent to you by the Duke Email Web Verification Team to inform you that your account will be deactivated within the next 24 hours if not verified by us, this is due to several unsuccessful log in attempt on your account.
To prevent this from happening please log in securely to our activation link below and fill out the required field.
For immediate access, please CLICK HERE to validate your account:
If you have already confirmed your information then please disregard this message
Sincerely,
Duke OIT Services Desk.
========================================================================
Please do not reply to this e-mail as this is only a notification. Mail sent to this address cannot be answered.
If you click on the link, you are taken to a non-Duke site and asked for various account information. The site is a Zoho Creator form, which has been reported to Zoho's customer support with a request that it be taken down as quickly as possible.
If you supplied any information to this form, please contact the OIT Service Desk or the Duke IT Security Office immediately.
OIT Service Desk:
(919) 684-2200
Duke IT Security Office:
A screenshot of the form is provided below:

Apple has released a new version of OS X Mountain Lion (10.8.3) and security updates for Lion (10.7.5) as well as Safari (6.0.3) to address multiple security issues. Users are advised to update by using Apple's built-in Software Update utility available in System Preferences or the App Store.
Details are available at:
http://support.apple.com/kb/HT5672
http://support.apple.com/kb/HT5671
Adobe has released security updates for Adobe Flash Player. The updates fix several critical vulnerabilities that could result in malicious code being run on the affected system.
Flash users can check their version and update to the latest version of Flash by going to http://www.adobe.com/software/flash/about/.
We recommend that these updates be deployed as soon as possible.
Microsoft has released 7 updates addressing 20 vulnerabilities. Four of these updates are rated Critical by Microsoft due to the potential for remote code execution:
SANS has released their analysis of the patches, and of course the updates are now available via Microsoft and Windows Update. We recommend that these patches be deployed as soon as possible.
