Duke ITSO Alerts

We've received multiple reports of the following phishing attack, purporting to be from the "IT Service Desk" and instructing the recipient to upgrade their email account. If you've received the following email, please discard it immediately:

 

 

Clicking the link in that message will redirect you to the following page, designed to harvest credentials:

 

 

If you received the message above, visited the form above, and entered your credentials, please notify the OIT Service Desk immediately at 919.684.2200.

Reports of a new phishing attack are circulating across campus. Messages with the subject "Portal update notice" claim that recipients are required to log in to confirm membership. If you receive a message similar to the screenshot below, please discard it immediately:

 

 

Mousing over the "login to update your account" link shows that it points to a bit.ly shortened URL. The non-Duke target address resides in the Brazil (.br) domain space. Clicking the link will redirect you to the following form:

 

 

Again, this site is not affiliated with Duke and is an attack to harvest NetID credentials. If you've visited the site and attempted to log in, please notify the OIT Service Desk immediately at 919.684.2200.

We're receiving multiple reports of supposed Microsoft Outlook "Incident IDs" asking the recipient to reconfigure their Outlook info. Emails appear similar to the one below:

 

 

Clicking the link will redirect the recipient to an Outlook Web App login page (notice the URL is in no way related to Duke):

 

 

Providing the info will submit credentials to the attacker and then redirect to a legitimate OWA login page. We're asking anyone who has received the phishing attack and supplied NetID credentials to please notify the OIT Service Desk immediately at 919.684.2200.

 

 

We're receiving multiple reports of a new phishing attack purporting to be a notification from WebMail about a new message. See a version of the message below:

 

 

The "VIEW MESSAGE" hyperlink redirects to a non-Duke hosted page that clones our WebMail login page (please be advised, this is not Duke's WebMail Sign-on page -- notice the URL in the browser):

 

 

We ask that anyone who received the message, clicked the link, and provided login credentials please notify the OIT Service Desk immediately at 919.684.2200.

We've received a report of the following email:

 

 

As the attachment contains an executable file (.exe), we highly suspect malware and are currently investigating. Please discard and delete the email if received.

We're seeing reports coming in of a couple of slightly different emails, all purporting to be from the Duke Centre and pertaining to events at Duke. The email requests that the recipient log in for more info. If you have received an email similar to the one below AND submitted info to the hosted form, please contact the OIT Service Desk immediately at 919.684.2200.

 

 

And the non-Duke hosted form appears as:

 

A couple of reports this evening about the following phishing attack:

 

 

The "CLICK HERE" target destination is the following non-Duke hosted form:

 

 

Please notify the OIT Service Desk immediately (919.684.2200) if you have submitted information to the form above.

We've received multiple reports this afternoon/evening from individuals who've received the following email:

 

 

It appears the target domain may have already been taken down. If, however, you've received this message and clicked through to the Yolasite form to provide information, please notify the OIT Service Desk immediately by calling 919.684.2200.

Duke was targeted by two phishing attacks this week when users received fraudulent messages containing a file attachment that, if opened, installed a piece of "ransomware" called Cryptolocker.  Cryptolocker is malware designed to encrypt all of a user's files and then demand a payment to unlock the files.

 

The first email, sent earlier this week, had the subject line, "RE: Annual Form - Authorization to Use Privately Owned Vehicle on State Business." A similar message, titled "Message from Admin Scanner," was sent Friday morning.  The body of the 2nd message looks something like this:

 

 

If you received the message and opened the attachment, please contact your local IT support or Duke's IT security offices immediately: Duke University IT Security Office at security@duke.edu or Duke Medicine Information Security Office at infosec@mc.duke.edu.

 

The best ways to protect yourself against such attacks are to:

  • Be vigilant about opening attachments in emails and use extreme caution when opening .zip file attachments in email. Unless you were expecting to receive the file, and/or can verify with the sender that it's legitimate, do not open the .zip file.
  • Work with your local IT staff or Duke's IT security staff to ensure that you have Symantec anti-virus software installed.

 

A phishing attack circulating around the midnight hour purports to be an assistant of John (no last name ever provided) in need of information verification. See a screenshot below:

 

 

The hyperlink "click here" has a target destination that at first glance appears to be to a Google Docs link; however, the page is hosted on a different network (see below):

 

 

If you received this message (or one similar) and have clicked through to the link, please be advised that you should update the account info immediately. Similarly, if you share passwords between accounts (i.e. if your Gmail/Hotmail/AOL/Yahoo account(s) utilize the same password as your NetID), please make sure that all accounts are updated. If you need assistance with the Duke account, please contact the OIT Service Desk at 919.684.2200.
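The link checks described in the alerts above (a bit.ly shortener hiding a non-Duke target, and a "Google Docs" link hosted on another network) can be automated for reported mail. The following is an added example, not ITSO's own tooling; the function names, the finding labels, the brand list and the sample message are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_SUFFIX = "duke.edu"     # assumption: the organisation's own domain
SHORTENERS = {"bit.ly"}         # shortener named in the alert; extend as needed
BRANDS = ("docs.google.com",)   # assumption: host the lure pretends to be

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_under(host, suffix):
    # Exact match or a true subdomain; "duke.edu.example.net" does not pass.
    return host == suffix or host.endswith("." + suffix)

def review_link(href, text):
    host = (urlsplit(href).hostname or "").lower()
    findings = []
    if not is_under(host, TRUSTED_SUFFIX):
        findings.append("non-duke-host")
    if host in SHORTENERS:
        findings.append("shortener-hides-target")
    for brand in BRANDS:
        # Brand appears in the URL or link text, but the real host is not that brand.
        if brand in (href + " " + text).lower() and not is_under(host, brand):
            findings.append("brand-mismatch:" + brand)
    return findings

def review_mail(html):
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return {href: review_link(href, text) for href, text in parser.links}

# Constructed sample body; none of these URLs come from the reported messages.
SAMPLE = """<p><a href="https://bit.ly/EXAMPLE">login to update your account</a>
<a href="http://docs.google.com.login.example.net/forms/d/1">click here</a>
<a href="https://www.duke.edu/">Duke</a></p>"""

if __name__ == "__main__":
    print(review_mail(SAMPLE))
```

A shortener finding only says the real destination is hidden; the expanded target still has to be checked against the same host rules before the link is treated as safe.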
