Duke ITSO Alerts
We're seeing reports coming in on a couple of slightly different emails, all purporting to be from the Duke Centre and pertaining to events at Duke. The email requests that the recipient log in for more info. If you have received an email similar to the one below AND submitted info to the hosted form, please contact the OIT Service Desk immediately at 919.684.2200.
And the non-Duke hosted form appears as:
A couple of reports this evening about the following phishing attack:
The "CLICK HERE" target destination is the following non-Duke hosted form:
Please notify the OIT Service Desk immediately (919.684.2200) if you have submitted information to the form above.
We've received multiple reports this afternoon/evening from individuals who've received the following email:
It appears the target domain may have already been taken down. If, however, you've received this message and clicked through to the Yolasite form to provide information, please notify the OIT Service Desk immediately by calling 919.684.2200.
Duke was targeted by two phishing attacks this week when users received fraudulent messages containing a file attachment that, if opened, installed a piece of "ransomware" called Cryptolocker. Cryptolocker is malware designed to encrypt all of a user's files and then demand a payment to unlock the files.
The first email, sent earlier this week, had the subject line, "RE: Annual Form - Authorization to Use Privately Owned Vehicle on State Business." A similar message, titled "Message from Admin Scanner," was sent Friday morning. The body of the 2nd message looks something like this:
If you received the message and opened the attachment, please contact your local IT support or Duke's IT security offices immediately: Duke University IT Security Office at email@example.com or Duke Medicine Information Security Office at firstname.lastname@example.org.
The best ways to protect yourself against such attacks are to:
- Be vigilant about opening attachments in emails and use extreme caution when opening .zip file attachments in email. Unless you were expecting to receive the file, and/or can verify with the sender that it's legitimate, do not open the .zip file.
- Work with your local IT staff or Duke's IT security staff to ensure that you have Symantec anti-virus software installed.
A phishing attack circulating around the midnight hour purports to come from an assistant of John (no last name ever provided) in need of information verification. See a screenshot below:
The hyperlink "click here" has a target destination that at first glance appears to be a Google Docs link; however, the page is hosted on a different network (see below):
If you received this message (or one similar) and have clicked through to the link, please be advised that you should update the account info immediately. Similarly, if you share passwords between accounts (i.e. if your Gmail/Hotmail/AOL/Yahoo account(s) utilize the same password as your NetID), please make sure that all accounts are updated. If you need assistance with the Duke account, please contact the OIT Service Desk at 919.684.2200.
We're getting a number of inquiries about a message circulating with the subject: "Annual Form - Authorization to Use Privately Owned Vehicle on State Business". The message contains a malicious attachment and we advise the community to discard any emails related to this subject. If you opened the message, please contact the IT Security Office ASAP.
The body of the text should resemble something along the lines of:
The attachment name has varied in different reports but appears to be similar to "form_duke.edu.zip".
If you have accessed the file, please inform local IT support and/or scan your system for malware. If you need assistance, please contact the OIT Service Desk at 919.684.2200.
We've received reports of the following phishing attack targeting Duke addresses:
Notice the highlighted destination URL of the "Click MY ACCOUNT" hyperlink points to a Jimdo hosted form. Accessing the URL will produce the following form:
This is a fraudulent email/form used to harvest personal credentials. If you have provided your information, please report the incident to the OIT Service Desk at 919.684.2200.
As we've done in past years, the IT Security Office is hosting contests to help promote IT security awareness throughout the month of October.
This year we will host two separate drawings with the winner from each receiving an iPad Mini.
Be sure you visit our Phishing page to read up on how to identify and report phishing attacks, then take the Phishing Tournament quiz. You need not answer all questions correctly, simply complete the quiz for an entry into the drawing.
Also, we're promoting the use of multi-factor authentication here at Duke. Read up on this new service offering by OIT. Everyone who is signed up by the end of October will be entered into a drawing.
Spread the word to help raise awareness and good luck!
A new report of a phishing attack targeting email users, purporting to concern quota issues:
The highlighted URL (target destination of the "Please Click here" link) redirects to the following non-Duke form:
Please notify the OIT Service Desk if you have provided personal information to this form. (919.684.2200)
We're seeing an influx of reports of a phishing attack currently occurring across Duke. If you see the following email, please discard immediately:
Notice the target destination contains dukewebmailupgrade but resides on the Webs.com domain. Clicking the link takes you to the following non-Duke hosted form:
Please contact the OIT Service Desk at 919.684.2200 if you've provided personal information to the form.
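The link pattern in these alerts (a hostname containing "duke" that actually resides on Webs.com, Yolasite or Jimdo) can be checked mechanically. The following is an added example, not ITSO's own tooling: it parses the links in an HTML message body and flags them. The sample message, its URLs and the `duke.edu` allow-list are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = ("duke.edu",)  # assumption: the only first-party domain
SITE_BUILDERS = ("webs.com", "yolasite.com", "jimdo.com")  # hosts named in these alerts
BRAND_TERMS = ("duke",)

# Constructed sample message body (URLs are illustrative, not taken from a real report).
SAMPLE = """<p>Your mailbox is over quota.
<a href="http://dukewebmailupgrade.webs.com/">Please Click here</a> or see
<a href="https://oit.duke.edu/help">OIT help</a> and
<a href="http://duke.edu.account-check.example/login">MY ACCOUNT</a></p>"""


class HrefCollector(HTMLParser):
    """Collect the href of every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)


def under(host, suffixes):
    """True if host equals, or is a subdomain of, one of the suffixes."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def review_links(html):
    """Return [(href, [reasons])] for links that deserve a second look."""
    parser = HrefCollector()
    parser.feed(html)
    findings = []
    for href in parser.hrefs:
        host = (urlsplit(href).hostname or "").lower()
        if not host or under(host, TRUSTED):
            continue  # no host (e.g. mailto:) or genuinely under duke.edu
        reasons = []
        if any(term in host for term in BRAND_TERMS):
            reasons.append("brand term in non-Duke hostname")
        if under(host, SITE_BUILDERS):
            reasons.append("free site-builder host")
        if reasons:
            findings.append((href, reasons))
    return findings
```

Trust is decided by suffix match on the parsed hostname rather than by substring, so `duke.edu.account-check.example` and `notduke.edu` are not treated as Duke hosts.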