Duke ITSO Alerts

The following phishing attack has been reported this afternoon:

Clicking on the link in the message takes you to the following non-Duke-hosted login form:

Submitting the form yields the following page:

We ask that anyone who received a similar message, clicked the link, and provided credentials please notify the OIT Service Desk immediately at 919.684.2200.

The following phishing attack has been reported this afternoon:

 

 

This message is likely meant to target individuals who are being migrated to Office365 accounts. Please be advised, this is an attack - it is not from Duke. Anyone clicking the "UPGRADENOW" link will be redirected to the following non-Duke OWA mock-up:

 

 

Please notify the OIT Service Desk immediately (919.684.2200) if you have supplied credentials to the form.

The ITSO has begun receiving reports of a new phish that is very likely tied to attackers who steal credentials in order to modify direct deposit information. The subject is “Your Salary Raise Details”. The URL in the message directs to a Russian domain hosting a clone of our Shibboleth/SSO page (with the “You are on the correct Duke sign-in page if the URL above begins with https://shib.oit.duke.edu/.” warning removed). Supplying credentials to that page redirects to a clone of the older Office Web Access page, the one seen by users who have not migrated to Office365. After supplying credentials to that page, one is finally redirected to duke.edu.
 

Email text:
Hello,

You are qualified for a salary raise on your next paycheck in March, follow the steps below to immediately confirm your details.

Allow few hours for your congratulatory letter to be delivered to your email "DU email"

Click here:

http://support.duke.edu/employee-compensation<http: / /34shkafa.ru/www.duke.edu/employee-compensation.htm>
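The link in the message above displays a duke.edu address while its actual target is on another host. The following check for that mismatch is an added example, not part of the original alert; the `TRUSTED_SUFFIX` value and all function names are assumptions, and the sample is the link line quoted above.

```python
import re
from urllib.parse import urlsplit

TRUSTED_SUFFIX = "duke.edu"  # assumption: the organisation's own domain

# Plain-text rendering of an HTML link: visible text, then <actual target>
LINK_RE = re.compile(r"(\S+)<(https?\s*:\s*/\s*/[^>]+)>", re.I)


def parse(url):
    """Split a URL, tolerating defanged spacing such as 'http: / /host'."""
    url = re.sub(r"\s+", "", url)
    if "://" not in url:
        url = "http://" + url          # visible text may omit the scheme
    return urlsplit(url)


def is_trusted(host):
    """True only for the trusted domain itself or a real subdomain of it."""
    return host == TRUSTED_SUFFIX or host.endswith("." + TRUSTED_SUFFIX)


def check_links(body):
    """Return (visible_host, target_host, reasons) for each suspicious link."""
    findings = []
    for visible, target in LINK_RE.findall(body):
        v_host = (parse(visible).hostname or "").lower()
        t = parse(target)
        t_host = (t.hostname or "").lower()
        reasons = []
        if is_trusted(v_host) and not is_trusted(t_host):
            reasons.append("visible text shows trusted host, target is external")
        if not is_trusted(t_host) and TRUSTED_SUFFIX in t.path.lower():
            reasons.append("trusted domain appears only in target path")
        if reasons:
            findings.append((v_host, t_host, reasons))
    return findings


# Link line as quoted in the alert above (defanged spacing preserved)
SAMPLE = ("Click here:\n\n"
          "http://support.duke.edu/employee-compensation"
          "<http: / /34shkafa.ru/www.duke.edu/employee-compensation.htm>\n")

if __name__ == "__main__":
    for v, t, why in check_links(SAMPLE):
        print(f"{v} -> {t}: {'; '.join(why)}")
```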
 


 

 

The ITSO has been notified of the following two phishing attacks. The first one attempts to mimic the Outlook Web login. Please note the non-Duke URL in the location bar.

Subject: New Messge
Date: March 11, 2014 2:26:28 PM EDT
To: Undisclosed recipients:;

E-Mail NOTIFICATION

You Have 1 New Message

Click Here To Read http:/ /past.bghelsinki.org/wp-content/themes/duke.edu.htm

Sincerely,

©2014 Duke University

The second phishing attempt is more generic:

Clicking on the link in the message actually takes you to the following non-Duke-hosted login page:

We ask that anyone who received a similar message, clicked the link, and provided credentials please notify the OIT Service Desk immediately at 919.684.2200.

The ITSO has been notified of the following phishing attack:

Clicking on the first link in the message actually takes you to the following non-Duke-hosted error page:

Clicking on the second link or the "main page" link on the error page takes you to the following non-Duke-hosted login page:

We ask that anyone who received a similar message, clicked the link, and provided credentials please notify the OIT Service Desk immediately at 919.684.2200.

The ITSO has been notified of the following phishing attack:

Clicking on the "CLICK HERE" link takes you to the following non-Duke hosted entry page:

Clicking on any of the service icons brings up a dialog asking for your e-mail address and password. We ask that anyone who received a similar message, clicked the link, and provided credentials please notify the OIT Service Desk immediately at 919.684.2200.

The ITSO has been notified of the following phishing attack:

 

 

Clicking on the "Re-Activate My Account" link takes you to the following non-Duke hosted form:

 

 

 

We ask that anyone who received a similar message, clicked the link, and provided credentials please notify the OIT Service Desk immediately at 919.684.2200.

We've received one report of the following attack seen early this morning:

 

 

The target destination didn't appear to load and has likely been taken down by the hosting party. Nevertheless, if you see a similar message, be advised it is fraudulent and should be reported to your local Service Desk.

A second phishing attack has been reported this morning:

 

 

The link above points to the following hosted form:

 

 

The page has been reported for abuse. In the meantime, anyone who's received the message, clicked the link, and supplied info to the form should contact the OIT Service Desk at 919.684.2200.

The following phishing attack was reported this morning:

 

 

Luckily for Duke, the attackers neglected to enter the target URL correctly, leaving out a "-" which prevents the page from loading. The intended target form appears as:

 

 

We're notifying the hosting party, asking that the form be taken down ASAP. For questions, please contact the OIT Service Desk at 919.684.2200.
