Duke ITSO Alerts
A report of the following phishing attack was sent to the ITSO in the past few minutes.
Clicking the URL (as shown in the above screenshot) redirects to a compromised site that is hosting a falsified copy of a Google Docs sign-on screen (see below):
If you received this message, clicked the link, and supplied credentials for any of the potential accounts (Yahoo!, Google, Microsoft, AOL, etc.), please consider the account compromised and change those credentials immediately. Anyone who supplied Duke credentials should contact the OIT Service Desk at 919.684.2200 immediately.
We've been notified about another phishing attack that is making the rounds.
From: System [mailto:email@example.com]
Sent: Tuesday, June 03, 2014 12:19 PM
Subject: Service Maintenance Alert
We are pleased to inform you that a scheduled maintenance has been successfully completed.
In order to ensure your account remains active and protected, please confirm your account immediately.
Click here to confirm your account now
We apologize for any inconveniences caused.
The link leads to a Blackboard-style login page.
Signs that this is not a legitimate login page include the URL, which is not a Duke URL.
Our office has received reports of Duke Medicine users receiving the following phish:
As of this posting, we have not seen any indication of deliveries to university accounts, though we are still investigating. Luckily, the form provider (Yola) has already taken the hosted form down.
We advise anyone who received the phish, clicked the link, and provided NetID credentials to notify the OIT Service Desk immediately.
Adobe has released three updates addressing vulnerabilities in 3 Adobe products:
- Adobe Reader - http://helpx.adobe.com/security/products/reader/apsb14-15.html
- Adobe Flash - http://helpx.adobe.com/security/products/flash-player/apsb14-14.html
- Adobe Illustrator - http://helpx.adobe.com/security/products/illustrator/apsb14-11.html
The ITSO advises users and administrators to update these applications quickly. Vulnerabilities in Reader are being actively exploited, and both Reader and Flash have vulnerabilities that allow for remote code execution.
Microsoft has released 9 updates addressing 14 vulnerabilities. Three of these updates are rated Critical by Microsoft due to the potential for remote code execution, one of which involves Internet Explorer (MS14-029), fixing a vulnerability that attackers are actively exploiting:
- Security Update for Internet Explorer (MS14-021) - out of band patch
- Security Update for Internet Explorer (MS14-029)
- Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (MS12-022)
SANS has released their analysis of the patches, and of course the updates are now available via Microsoft and Windows Update. We recommend that these patches be deployed as soon as possible.
SANS ISC Diary: https://isc.sans.edu/forums/diary/Microsoft+May+2014+Patch+Tuesday/18113
Microsoft Security Bulletin Summary: https://technet.microsoft.com/library/security/ms14-may
A phishing attack in circulation this evening purportedly from the "Duke Technical Team" requests sign-up to help prevent the recipient's email from spreading a new virus. This message should be discarded immediately as it is not from Duke and is solely intended to harvest user credentials. A screenshot of the message is below:
As you can see above, the target destination is one we've seen in the past (yolasite) and is obviously a non-Duke domain. The ITSO has reported the page and expects it to be taken down soon. In the meantime, a screenshot of the offending form is below:
As always, we ask that all individuals who've received the message, clicked the link, and supplied credentials notify the OIT Service Desk at 919.684.2200 as soon as possible to receive assistance.
We're receiving reports of another phishing attack claiming to be from Blackboard. As always, we ask that anyone who has received a similar message, clicked the link, and provided NetID credentials notify the OIT Service Desk immediately by calling 919.684.2200.
The messages look similar to the following:
And the phishing form is below, though note that the URL is "http: //boardlearn.ye.vc/BB/BB1/BB2/signin.edu.htm"
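The check these alerts keep returning to (is the link's host actually a Duke host?) can be automated. The following is an added example, not ITSO code; it assumes that "Duke URL" means a host at or under `duke.edu`, and every sample link except the one quoted above is constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: a "Duke URL" is a host at or under duke.edu.
TRUSTED_DOMAINS = ("duke.edu",)


def link_host(url):
    """Return the lowercased host a browser would connect to, or '' if unparseable."""
    cleaned = "".join(url.split())        # a URL may be printed as "http: //..."
    if "://" not in cleaned:
        cleaned = "http://" + cleaned     # bare "host/path" carries no scheme
    try:
        host = urlsplit(cleaned).hostname or ""
    except ValueError:                    # e.g. malformed bracketed host
        return ""
    return host.rstrip(".").lower()


def is_duke_host(url):
    """True only if the host IS a trusted domain or ends with '.' + that domain."""
    host = link_host(url)
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def non_duke_links(urls):
    """Return (url, host) pairs for every link that fails the host check."""
    return [(u, link_host(u)) for u in urls if not is_duke_host(u)]


# The first URL is quoted in the alert above; the rest are constructed samples.
SAMPLE_LINKS = [
    "http: //boardlearn.ye.vc/BB/BB1/BB2/signin.edu.htm",  # ".edu" only in the path
    "https://www.duke.edu/",                                # genuine host
    "https://duke.edu.example.com/login",                   # trusted name as a prefix
    "https://www.duke.edu@example.net/login",               # trusted name as userinfo
    "https://notduke.edu/login",                            # suffix match without the dot
]

if __name__ == "__main__":
    for url, host in non_duke_links(SAMPLE_LINKS):
        print(f"non-Duke host {host!r}: {url}")
```

The comparison is made on the parsed host with a leading dot, so `.edu` in a path, a trusted name used as a subdomain prefix or as userinfo, and a bare suffix match are all reported as non-Duke.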
A new phishing attack has been identified this evening. Messages appear to have targeted various distribution lists across the university. Luckily, this attack didn't discriminate against the ITSO; see a screenshot sent to our email below:
If you've received the message above, please be advised it is not a legitimate message. Clicking the link will take you to a cloned image of our normal sign in page:
Notice that the target destination of the URL is a non-Duke domain. Anyone who receives this message, clicks the link, and supplies credentials should notify the OIT Service Desk and change their account passwords immediately.
We've received multiple reports this afternoon of phishing attacks purportedly regarding "Webmail Access". If you've received a message similar to the one below, please discard:
This run of attacks has linked to multiple target domains, neither of which is a Duke page:
Also, a more convincing phish modeled to clone our webmail (email web access) page:
Please note the URL in both forms, both of which are non-Duke domains. If you've received one of these phishing messages, clicked the link, and supplied credentials, please notify the OIT Service Desk immediately by calling 919.684.2200.
We've received notification of a phishing attack purportedly from Blackboard. If you've received a message similar to:
Please be advised that the message is fraudulent and should be discarded. Clicking the "Click to view" link will redirect to the following form:
We ask that anyone who has received a similar message, clicked the link, and provided NetID credentials notify the OIT Service Desk immediately by calling 919.684.2200.