Duke ITSO Alerts

A new phishing attack has been reported this afternoon:



The "click here" link takes the recipient to a Yolasite hosted form:



Please be advised, this is a phishing attack. This is not a legitimate communication from Duke. The purported virus alert is false. Anyone who has received the message, clicked the link, and provided information should contact the OIT Service Desk at 919.684.2200 immediately.

We've received reports of another phishing attack taking place. The email users receive looks like:



From: Library Alert <alerts@library.com>
Date: Wednesday, June 25, 2014 at 1:11 PM
Subject: School Article Published

Good Morning,

Your school has successfully posted an article which has been saved in the School Library.

Click here to review the article now <hxxp://acc.msu.ac.th/eng/home/media/school-library.edu.htm>

Note: Your information has been mentioned in the article, comments and notifications will be sent directly to you.

Thank you,

Library Notifications.

Which leads to a login page that looks like:



If you know of anyone who followed the link and may have submitted their credentials to the form, please advise them to contact the service desk to change their password as soon as possible.

A new report of a phishing attack this afternoon:



The attachment in this message pulls up the following form:



Please be advised that information submitted through this form does not go to a Bank of America owned site.

The following phishing attack from earlier this week, purportedly related to a secure web upgrade, was reported to the ITSO:



The "CLICK HERE" link in the above message redirects the user to a wix.com hosted form:


We ask that anyone who received the message, clicked the link, and supplied Duke credentials to the form seen above please notify the OIT Service Desk immediately at 919.684.2200.

A new report of a phishing attack this morning: while not specifically targeting Duke credentials, the hosted form attempts to fool the recipient into supplying banking and other sensitive info, including DoB and SSN.


The original email message:


The phishing form (not an Amazon hosted page):



Adobe has released an update addressing vulnerabilities in Adobe Flash:


Adobe Flash - http://helpx.adobe.com/security/products/flash-player/apsb14-16.html


The ITSO advises users and administrators to update these applications quickly. The vulnerabilities in Flash allow for remote code execution.

Microsoft has released 7 updates addressing a whopping 66 vulnerabilities (59 for Internet Explorer).  Two of these updates are rated Critical by Microsoft due to the potential for remote code execution, one of which involves Internet Explorer (MS14-035), fixing a vulnerability that attackers are actively exploiting:


Cumulative Security Update for Internet Explorer (MS14-035)
Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (MS14-036)


SANS has released their analysis of the patches, and of course the updates are now available via Microsoft and Windows Update.  We recommend that these patches be deployed as soon as possible.


SANS ISC Diary: https://isc.sans.edu/forums/diary/Microsoft+Patch+Tuesday+June+2014/18233
Microsoft Security Bulletin Summary:  https://technet.microsoft.com/library/security/ms14-jun

A report of the following phishing attack was sent to the ITSO in the past few minutes.



Clicking the URL (as shown in the above screenshot) redirects to a compromised site that is hosting a falsified copy of a Google Docs sign-on screen (see below):



Please consider the account compromised if you received this message, clicked the link, and supplied credentials for any of the offered account types (Yahoo!, Google, Microsoft, AOL, etc.), and change those credentials immediately. Anyone supplying Duke credentials should contact the OIT Service Desk at 919.684.2200 immediately.

We've been notified about another phishing attack that is making the rounds.


From: System [mailto:notifications@system.net]
Sent: Tuesday, June 03, 2014 12:19 PM
Subject: Service Maintenance Alert

Good Morning!

We are pleased to inform you that a scheduled maintenance has been successfully completed.

In order to ensure your account remains active and protected, please confirm your account immediately.

Click here to confirm your account now

We apologize for any inconveniences caused.

The link leads to a Blackboard-style login page.


Signs that this is not a legitimate login page include the URL, which is not a Duke URL.
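The URL check described above, written out as an added example (not ITSO's own tooling): it pulls links from a message, refangs `hxxp`, and compares only the hostname against a trusted suffix on a label boundary, so a path such as `school-library.edu.htm` or a host such as `login.duke.edu.example.net` does not pass. The `duke.edu` suffix, `yolasite.com` as Yola's hosting domain, and every sample link other than the `acc.msu.ac.th` one are assumptions or constructed values.

```python
import re
from urllib.parse import urlsplit

# Assumption: legitimate login pages live under this domain.
TRUSTED_SUFFIXES = ("duke.edu",)
# Free site builders named in these alerts (yolasite.com assumed for "Yolasite").
FORM_HOSTS = ("yolasite.com", "wix.com")

# Matches live and defanged (hxxp) links; stops at whitespace, quotes, < and >.
URL_RE = re.compile(r"\b(?:hxxps?|https?)://[^\s<>\"']+", re.IGNORECASE)

def refang(url):
    """Turn a defanged hxxp:// or [.] URL back into a parseable one."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".")

def host_in(host, suffixes):
    """Match on a label boundary: 'x.duke.edu' yes, 'notduke.edu' no."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def classify(url):
    """Judge a link by its hostname only; path and query text are ignored."""
    host = urlsplit(refang(url)).hostname or ""
    if host_in(host, TRUSTED_SUFFIXES):
        return "trusted"
    if host_in(host, FORM_HOSTS):
        return "free-form-host"
    return "untrusted"

def scan(body):
    """Return (url, verdict) for every link found in a message body."""
    return [(u, classify(u)) for u in URL_RE.findall(body)]

# Constructed message body; only the first link is taken from the alert above.
SAMPLE = """Click here to review the article now
<hxxp://acc.msu.ac.th/eng/home/media/school-library.edu.htm>
Confirm at https://login.duke.edu.example.net/auth
or hxxp://example[.]yolasite[.]com/form
Real page: https://example.duke.edu/login
"""

if __name__ == "__main__":
    for url, verdict in scan(SAMPLE):
        print(f"{verdict:15} {url}")
```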

Our office has received reports of Duke Medicine users receiving the following phish:



As of this posting, we have not seen indication of any deliveries to university accounts, though we are still investigating. Luckily, the form provider (Yola) has already taken the hosted form down.


We advise anyone who received the phish, clicked the link, and provided NetID credentials to please notify the OIT Service Desk immediately.