Duke ITSO Alerts

A new phishing attack has been identified this evening. Messages appear to have targeted various distribution lists across the university. Luckily, this attack didn't discriminate against the ITSO; see the screenshot of the message sent to our email below:

 

 

If you've received the message above, please be advised it is not a legitimate message. Clicking the link will take you to a cloned image of our normal sign-in page:

 

 

Notice that the target destination of the URL is a non-Duke domain. Anyone who receives this message, clicks the link, and supplies credentials should notify the OIT Service Desk to ensure their account passwords are changed immediately.

We've received multiple reports this afternoon of phishing attacks purportedly regarding "Webmail Access". If you've received a message similar to the one below, please discard it:

 

 

This run of attacks has linked to multiple target domains, neither of which is a Duke page:

 

 

Also, a more convincing phish modeled to clone our Webmail / Email Web Access page:

 

 

Please note the URL in both forms, both of which are non-Duke domains. If you've received one of these phishing messages, clicked the link, and supplied credentials, please notify the OIT Service Desk immediately by calling 919.684.2200.

 

 

We've received notification of a phishing attack purportedly from Blackboard. If you've received a message similar to:

 

 

Please be advised that the message is fraudulent and should be discarded. Clicking the "Click to view" link will redirect to the following form:

 

 

We ask that anyone who has received a similar message, clicked the link, and provided NetID credentials please notify the OIT Service Desk immediately by calling 919.684.2200.

A new phishing attack in circulation this morning, purportedly from "Duke Webmail Service", is prompting recipients to click a link to reconfirm their account. A screenshot of the message is below:

 

 

The "Follow here" link in that message redirects to a non-Duke page that is a direct clone of the current WebMail/Email Web Access page one at Duke might access. Unless one notices the actual URL in the address bar, it would appear legitimate. Please note this is an attack against Duke used to harvest login credentials. A screenshot of the page is below:

 

 

We ask that anyone who received that message, clicked the link, and provided NetID/password info please contact the OIT Service Desk at 919.684.2200 immediately.

The following phishing message has been reported.

 

 

Date: April 4, 2014 1:22:04 AM +0530
From: WEB.ADMIN@SUPPORT.NET
To: Recipients <WEB.ADMIN@SUPPORT.NET>
Subject: E-Mail Account Warning.

Dear UserID

Your incoming messages were placed on pending due to our recent upgrade.
Kindly follow the below information link to validate your mailbox and
increase your mailbox quota service.

Click hxxp://help-ugrading-110-889-system.weebly.com/ to get your
mailbox updated.

We apologize for the inconvenience.

Thanks,
The System Administrator Management Team.
Copyright © 2014
 

The following phishing attack has been reported this afternoon:

Clicking on the link in the message takes you to the following non-Duke-hosted login form:

Submitting the form yields the following page:

We ask that anyone who received a similar message, clicked the link, and provided credentials please notify the OIT Service Desk immediately at 919.684.2200.

The following phishing attack has been reported this afternoon:

 

 

This message is likely meant to target individuals who are being migrated to Office365 accounts. Please be advised, this is an attack; it is not from Duke. Anyone clicking the "UPGRADENOW" link will be redirected to the following non-Duke OWA mock-up:

 

 

Please notify the OIT Service Desk immediately (919.684.2200) if you have supplied credentials to the form.

The ITSO has begun receiving reports of a new phish that is very likely tied to the attackers attempting to steal credentials to ultimately try modifying direct deposit information. The subject is “Your Salary Raise Details”. The URL in the message directs to a Russian domain that has cloned our Shibboleth/SSO page (but removed the “You are on the correct Duke sign-in page if the URL above begins with https://shib.oit.duke.edu/.” warning). Supplying credentials to that page redirects to a clone of the older Office Web Access page, the one seen by users who have not migrated to Office365. After supplying credentials to that page, one is finally redirected to duke.edu.
 

Email text:
Hello,

You are qualified for a salary raise on your next paycheck in March, follow the steps below to immediately confirm your details.

Allow few hours for your congratulatory letter to be delivered to your email "DU email"

Click here:

http://support.duke.edu/employee-compensation<http: / /34shkafa.ru/www.duke.edu/employee-compensation.htm>
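
The check these alerts keep asking readers to make (is the link's real host a Duke host?), written out as an added example that is not part of the original alerts. The `duke.edu` suffix rule and all function names are assumptions; the sample links are the defanged ones quoted on this page, and they are only parsed, never fetched.

```python
import re
from urllib.parse import urlsplit

TRUSTED = "duke.edu"  # assumption: legitimate sign-in hosts are duke.edu or a subdomain of it
URL = r"h(?:tt|xx)ps?:\s*/\s*/\s*[^\s<>]+"  # also matches defanged 'hxxp' and 'http: / /'

def refang(url):
    """Undo the defanging used in the alerts so the URL can be parsed (never fetched)."""
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.I)
    return re.sub(r"^(https?):\s*/\s*/\s*", r"\1://", url, flags=re.I)

def host_of(url):
    """Lower-cased host the browser would connect to (userinfo before '@' is ignored)."""
    return (urlsplit(refang(url)).hostname or "").rstrip(".").lower()

def is_duke_host(host):
    # Exact match or dot-delimited subdomain, so 'duke.edu.example.net' does not pass.
    return host == TRUSTED or host.endswith("." + TRUSTED)

def classify_link(target, display=None):
    """Return findings for one link; an empty list means the host is a Duke host."""
    findings = []
    host = host_of(target)
    if is_duke_host(host):
        return findings
    findings.append(f"non-Duke host: {host}")
    parts = urlsplit(refang(target))
    if TRUSTED in (parts.path + "?" + parts.query).lower():
        findings.append("'duke.edu' appears in the path, not in the host")
    if display and is_duke_host(host_of(display)):
        findings.append("displayed URL is a Duke host but the real target is not")
    return findings

def links_in_text(body):
    """Yield (display, target); 'shown<real>' is how plain text renders an HTML link."""
    for shown, real in re.findall(rf"({URL})(?:<({URL})>)?", body, flags=re.I):
        yield (shown, real) if real else (None, shown)

if __name__ == "__main__":
    # Links copied from the alerts on this page, still defanged as published.
    sample = """Click hxxp://help-ugrading-110-889-system.weebly.com/ to get your
http://support.duke.edu/employee-compensation<http: / /34shkafa.ru/www.duke.edu/employee-compensation.htm>
Click Here To Read http:/ /past.bghelsinki.org/wp-content/themes/duke.edu.htm
https://shib.oit.duke.edu/"""
    for display, target in links_in_text(sample):
        print(target, "->", classify_link(target, display) or "ok")
```

The salary-raise link trips all three findings: the text shown to the reader is a Duke host, the real target is not, and `www.duke.edu` has been placed in the path to look familiar.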
 


 

 

The ITSO has been notified of the following two phishing attacks. The first one attempts to mimic the Outlook Web login. Please note the non-Duke URL in the location bar.

Subject: New Messge
Date: March 11, 2014 2:26:28 PM EDT
To: Undisclosed recipients:;

E-Mail NOTIFICATION

You Have 1 New Message

Click Here To Read http:/ /past.bghelsinki.org/wp-content/themes/duke.edu.htm

Sincerely,

©2014 Duke University

The second phishing attempt is more generic:

Clicking on the link in the message actually takes you to the following non-Duke-hosted login page:

We ask that anyone who received a similar message, clicked the link, and provided credentials please notify the OIT Service Desk immediately at 919.684.2200.

The ITSO has been notified of the following phishing attack:

Clicking on the first link in the message actually takes you to the following non-Duke-hosted error page:

Clicking on the second link or the "main page" link on the error page takes you to the following non-Duke-hosted login page:

We ask that anyone who received a similar message, clicked the link, and provided credentials please notify the OIT Service Desk immediately at 919.684.2200.
