Duke ITSO Alerts

We received multiple notifications this morning about emails purportedly from Delta Airlines regarding a credit card purchase of tickets for an upcoming flight. In the two different messages seen so far, two different links are provided. In both cases the first link, which supposedly points to the location to download and print off tickets, instead points to a non-Delta site linking to .ZIP files suspected to contain malicious payloads. If you receive a message similar to either posted below, please disregard it immediately.

 

 

 

If you have accessed the link, downloaded the .zip file(s), and tried to open them, please notify local support and/or the OIT Service Desk, as we strongly suspect the payloads contain malware.

As tax season approaches, we want to raise awareness of the inevitable influx of scams regarding refunds. Yesterday we began to see such messages. If you received a message similar to the one below, purportedly from the "Australian Commissioner", please disregard it, as the message is not legitimate:

 

 

If you receive such a message and provide credentials related to a Duke account, please contact the OIT Service Desk at 919.684.2200.

SA-CORE-2014-001 - Drupal core - Multiple vulnerabilities

https://drupal.org/SA-CORE-2014-001

 

Posted by Drupal Security Team on January 15, 2014 at 7:33pm
Advisory ID: DRUPAL-SA-CORE-2014-001
Project: Drupal core
Version: 6.x, 7.x
Date: 2014-January-15
Security risk: Highly critical
Exploitable from: Remote
Vulnerability: Multiple vulnerabilities
Description
Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.
 

Microsoft has released four security bulletins, one marked Critical and three marked Important, addressing seven vulnerabilities in Microsoft Windows and Office.

 

http://technet.microsoft.com/en-us/security/bulletin/ms14-Jan

 

Adobe also released security updates for Flash Player and Reader/Acrobat.

 

http://helpx.adobe.com/security/products/flash-player/apsb14-01.html

http://helpx.adobe.com/security/products/flash-player/apsb14-02.html

The ITSO has been notified of a phishing attack purportedly from the "Help Desk". If you've received a message similar to the one below, please note that it is not from Duke:

 

 

Clicking the link above redirects to a non-Duke page (this is not a Duke "Help Desk" page):

 

 

 

If you received the message above, please do not click through to the page above and do not offer any credentials. Also, please notify the OIT Service Desk at 919.684.2200 immediately.

 

Another phishing attack was reported this afternoon. The message below is a repeat of an attack identified earlier this month:

 

 

Clicking the "access-page" points you to a non-Duke hosted form on the bravesites domain. As of this posting that form has been suspended so there is no screenshot of the form.

 

We're asking that anyone who received the message, clicked the link, and provided credentials please notify the OIT Service Desk immediately at 919.684.2200.

 

Update (1/16):

We're seeing an influx of the same attack, a "quota"-related message, coming from various locations and various compromised accounts. Each message seems to link to a newly hosted form, and the attackers are using different domains. The most recent, seen this morning, links to a Google Docs file. We've submitted an abuse complaint to Google, but until they address the complaint, the form will remain accessible. Please be advised that this is not legitimate communication coming from Duke.

 

 

 

The IT Security Office was notified of a phishing attack purporting to be from Apple. See a screenshot of the message below:

 

 

The "Verify Billing" link takes you to a non-Apple form (shown below):

 

 

If you've received the message, clicked the link, and provided information, please contact the OIT Service Desk at 919.684.2200.

A report of the following phishing attack was received earlier this morning:

 

 

If you've received this message and click through to the "access-page" link, you'll be prompted with the following form designed to harvest credentials (notice the non-Duke site):

 

 

We ask that anyone who has received the message, clicked the link, and provided account info please contact the OIT Service Desk immediately at 919.684.2200.

We've received multiple reports this evening of a phishing attack purporting to concern a webmail upgrade related to "spam arrest software". This email should be discarded: it is not legitimate, and the link redirects to a non-Duke hosted form intended to harvest credentials. See the screenshot below for an example of the message:

 

 

The phpforms link takes you to this page:

 

 

We ask that anyone who has received the message, clicked the link, and supplied info to the form please contact the OIT Service Desk immediately at 919.684.2200.

We've received reports of a phishing attack purporting to be a "compulsory employee account verification" which redirects the recipient to an out-of-country, non-Duke hosted form created to harvest credentials. If you've received an email similar to the one shown below, please discard immediately:

 

 

Clicking that link will take you to the following form:

 

 

We ask that anyone who received the message, clicked the link, and provided credentials contact the OIT Service Desk immediately at 919.684.2200.
