Duke ITSO Alerts
Reports have just begun to come in about a new phishing attack purportedly from the "IT Service Desk". Please be advised, this is a fraudulent email and is not from OIT.
The "CLICK HERE" URL redirects to the following Jimdo Form (subdomain: outlookmonx) which has been reported to Jimdo's abuse department:
If you've provided credentials, please contact the OIT Service Desk at 919.684.2200 immediately.
We've received at least one report of a "Mail Update" phishing attack. Please be advised, this is not an official communication from OIT regarding your email. Please delete and discard immediately.
A screenshot of the message and hosted form are below:
If you received the above message, clicked the link, and provided personal information, please contact the OIT Service Desk immediately at 919.684.2200.
This morning, our office has received several reports of various emails purporting to offer faculty and staff financial assistance in the form of personal loans and/or cash advances. We've seen slight iterations in the sender/reply-to addresses, subject, body, and destination URLs of the messages yet the basic premise is the same. Below is one example:
Examples of the iterations across emails are as follows:
Each domain seems to have been created/registered on September 23rd. We suggest these emails be discarded and deleted as they are in no way related to HR offerings. For any questions, please contact the OIT Service Desk at 919.684.2200.
We've received reports of the following email which purports to be an official alert from the FBI:
The file is still under investigation. It could simply contain text pointing to another destination URL or it could contain a malicious payload. Nevertheless, the email is fraudulent and should be discarded. If you've accessed the file, please report to your local IT and/or to the OIT Service Desk.
We're seeing another run of fraudulent Wells Fargo phishing attacks:
Please be warned, the destination (smyksc com) is in no way tied to Wells Fargo.
If you supply any credentials to this form, please report immediately to the OIT Service Desk.
The following phishing attack was reported:
The non-Duke target displays the following form used to harvest private information:
If you have supplied info to this form, please contact the OIT Service Desk at 919.684.2200.
We've received a few reports in the last hour of individuals who've received an email purporting to be an eFax message. The email contains a link to supposedly view the fax online; however, the destination address points to a different location and a malicious zip file download (currently 7/46 VirusTotal).
If you've received a message similar to the following, please be wary of the file download. If you've downloaded the file and attempted to open, please report the incident to either local IT support or the OIT Service Desk.
Periodically we receive reports of phishing attacks that aren't specifically targeting Duke but are still of concern to our communities. We've reported on similar attacks in the past. Monday, 9/9, we saw purported Wells Fargo Customer Support emails. These types of attacks are generally meant to glean financial/banking account information, but because some people share credentials between accounts, there is the possibility of providing both banking and Duke credentials.
The email(s) circulating on Monday appeared as the screenshot below:
As noted by the captured mouse-over of the hyperlink, the destination is a Russian domain that is obviously not associated with Wells Fargo. The destination appears to be down and therefore we could not capture the form. We advise anyone who saw this email, visited the link, and provided credentials to immediately update the account info related to what was provided. If your account info shares Duke credentials, we ask that you please contact the OIT Service Desk at 919.684.2200 to gain assistance with updating Duke accounts.
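The mouse-over check described above can be automated when triaging a reported message. The following is an added example, not ITSO tooling: it extracts each hyperlink from an HTML body and flags links whose destination host is outside the claimed brand's domains or differs from the host shown in the link text. The `BRAND_DOMAINS` allowlist, the function names, and the sample message are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains each brand legitimately uses (maintain locally).
BRAND_DOMAINS = {"wells fargo": {"wellsfargo.com"}, "efax": {"efax.com"}}

class _Links(HTMLParser):
    """Collect (visible text, href) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((text, self._href))
            self._href = None

def _host(url):
    return (urlsplit(url).hostname or "").lower()

def _under(host, domain):
    # Exact match or true subdomain; "wellsfargo.com.evil.example" fails.
    return host == domain or host.endswith("." + domain)

def suspicious_links(html, claimed_brand):
    """Return [(destination_host, [reasons])] for links that fail the check."""
    allowed = BRAND_DOMAINS[claimed_brand.lower()]
    parser = _Links()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        dest, reasons = _host(href), []
        if not dest:  # mailto:, fragment-only and empty links
            continue
        if not any(_under(dest, d) for d in allowed):
            reasons.append("destination is not a %s domain" % claimed_brand)
        # Link text that itself looks like a URL but names another host.
        looks_like_url = "." in text and " " not in text
        shown = _host(text if "://" in text else "//" + text) if looks_like_url else ""
        if shown and shown != dest:
            reasons.append("link text shows %s" % shown)
        if reasons:
            findings.append((dest, reasons))
    return findings

# Constructed sample body; account-verify.example is a placeholder host.
SAMPLE = ('<p>Dear customer, <a href="http://account-verify.example/wf/">'
          'https://www.wellsfargo.com/signon</a> or see '
          '<a href="https://www.wellsfargo.com/help">Help</a></p>')
```

Calling `suspicious_links(SAMPLE, "Wells Fargo")` reports only the first link, with both reasons attached.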
A new run of phishing emails has been circulating this afternoon. These messages seem to target faculty & staff members in hopes of gaining credentials by purporting to re-validate accounts. See the email below:
The destination address appears to be another Jimdo form.
We strongly encourage any who are able to click through to the form (and who have provided credentials) to contact the OIT Service Desk immediately.
The following email was reported today:
Clicking the link will prompt an infected file download and should be avoided. Please contact local IT support or the OIT Service Desk if you have received this email and accessed the file after downloading it via the link.