Duke ITSO Alerts

Another phishing attack has been reported this morning. See the message below:

 

 

The "LOGIN" link above takes you to the non-Duke page seen below, an intentional clone of the University WebMail/Email Access page:

 

 

 

If you've received this message, clicked the link, and provided Duke credentials, please contact the OIT Service Desk at 919.684.2200 immediately for assistance.

 

 

Multiple reports of the following phishing attack have been received this morning (screenshot of the message below):

 

 

As identified in the picture above, the target destination of the URL "CLICK HERE" is a non-Duke domain. Clicking the link takes you to the following page:

 

 

 

As always, if you've received the message, clicked the link, and supplied Duke credentials, please immediately contact the OIT Service Desk at 919.684.2200 for assistance.

Reports of the following phishing attack began coming in during lunch:

 

 

The URL in this message points to a non-Duke domain hosted in Hungary (see screenshot below):

 

 

If you've received this message, clicked the link, and supplied credentials, please notify the OIT Service Desk immediately by calling 919.684.2200.

Reports of a new phishing attack from early this morning... The following message was forwarded to security:

 

 

Notice that the "click here" link does not lead to a Duke domain but to a page currently hosted in Argentina. Clicking the link takes you to the following cloned OWA page:

 

 

Depending on which browser is used and how its settings are configured, you may see certificate warnings about the security of the site. The following warning was received during our investigation:

 

 

Again, this site is in no way related to Duke, and anyone receiving the message should discard it and delete it from their inbox. If you have received this message, clicked the link, and supplied Duke credentials, please notify the OIT Service Desk by calling 919.684.2200 immediately.

Multiple reports of the following phishing attack were received late yesterday afternoon:

 

 

The URL ("LOGINHERE") redirects to a form hosted on a Belgian domain:

 

 

If you received this message, clicked the link, and supplied Duke credentials, please immediately contact the OIT Service Desk at 919.684.2200 for assistance.

The following phishing attack was reported:

 

 

Following the link in the message directs the user to the following form:

 

 

We ask that anyone who has received the message, clicked the link, and provided credentials notify the OIT Service Desk at 919.684.2200 immediately.

We've received a report of the following phishing attack purportedly related to Duke WebMail.

 

 

The "CLICK MY ACCOUNT" link above redirects to a non-Duke hosted page (on the t15.org domain) that has been crafted as a clone of the University Email Web Access page. See the screenshot below:

 

 

We ask that anyone who has received the message, clicked the link, and supplied credentials to the page notify the OIT Service Desk immediately by calling 919.684.2200.

Adobe has released three updates addressing vulnerabilities in three Adobe products:

 

 

The ITSO advises users and administrators to update these applications quickly. Vulnerabilities in Reader are being actively exploited, and both Reader and Flash have vulnerabilities that allow for remote code execution.

Microsoft has released 6 updates addressing 37 vulnerabilities (25 for Internet Explorer).  Two of these updates are rated Critical by Microsoft due to the potential for remote code execution:

 

  • Cumulative Security Update for Internet Explorer (MS14-051)
  • Vulnerability in Windows Media Center Could Allow Remote Code Execution (MS14-043)

 

The updates are now available via Microsoft and Windows Update.  We recommend that these patches be deployed as soon as possible.

 

Microsoft Security Bulletin Summary:  https://technet.microsoft.com/library/security/ms14-aug
SANS ISC Analysis:  https://isc.sans.edu/forums/diary/Microsoft+Patch+Tuesday+-+August+2014/...

 

 

 

 

 

We've received reports of a phishing message that is targeting Duke
users and asking for Blackboard account info. If you have received this
message, followed the link, and submitted information, please contact
the OIT Service Desk at (919)684-2200 *immediately*.

The emails look like the following:

--------------------------------------------------------

From: Blackboard <driscolai@oregonstate.edu<mailto:driscolai@oregonstate.edu>>
Subject: New Course Online Semester Available
Date: August 8, 2014 at 1:26:58 PM EDT
.
Blackboard System Online Course New Semester Available - (user@duke.edu<mailto:user@duke.edu>)
.
Course: System Announcements
.
New Semester Online Announcements<http://www.wptutions.com/jason/webinar1/blackboardlearn.htm>
.
New Online Course - user@duke.edu<mailto:user@duke.edu>
.
This is an automatically generated notification from Blackboard. You can change your notification settings at any time by going to Settings, Edit Notification Settings<http://www.wptutions.com/jason/webinar1/blackboardlearn.htm>. Please do not reply.

--------------------------------------------------------

Following the link takes you to the following web page. Note that Duke
no longer uses Blackboard and the server URL is not HTTPS
(without a padlock icon):

--------------------------------------------------------

Again, anyone who has received this message, followed the link, and
submitted information should *immediately* notify the OIT Service
Desk at (919)684-2200.
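
The two checks pointed out in this alert (the link target is not a Duke host, and the URL is not HTTPS) can be run automatically over the text form of a reported message. The following is an added example, not part of the original alert: it assumes that only duke.edu and its subdomains count as trusted, and the two sample lines labelled "Constructed" are made up for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: only duke.edu and its subdomains are trusted.
TRUSTED_SUFFIX = "duke.edu"

# Matches the "label<target>" form left when HTML links are flattened to text.
LINK_RE = re.compile(r"([^<>\n]*)<((?:https?|mailto):[^<>\s]+)>")

def is_trusted_host(host):
    """True only for duke.edu itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == TRUSTED_SUFFIX or host.endswith("." + TRUSTED_SUFFIX)

def audit_links(body):
    """Return (label, url, reasons) for every web link that fails a check."""
    findings = []
    for label, target in LINK_RE.findall(body):
        parts = urlsplit(target)
        if parts.scheme == "mailto":
            continue  # mail addresses are not login destinations
        reasons = []
        if not is_trusted_host(parts.hostname):
            reasons.append("non-Duke host: %s" % parts.hostname)
        if parts.scheme != "https":
            reasons.append("not HTTPS")
        if reasons:
            findings.append((label.strip(), target, reasons))
    return findings

# First two lines come from the message quoted above; the last two are constructed.
SAMPLE = """\
Blackboard System Online Course New Semester Available - (user@duke.edu<mailto:user@duke.edu>)
New Semester Online Announcements<http://www.wptutions.com/jason/webinar1/blackboardlearn.htm>
Constructed lookalike<https://duke.edu.example.com/login>
Constructed legitimate link<https://mail.duke.edu/>
"""

if __name__ == "__main__":
    for label, url, reasons in audit_links(SAMPLE):
        print("%-35s %s -> %s" % (label, url, "; ".join(reasons)))
```

The suffix test requires a leading dot, so a host such as duke.edu.example.com or notduke.edu is not mistaken for a Duke host.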
 
