Duke ITSO Alerts
The following phishing attack was reported today:
The URL shown above directs to the following form:
Anyone who has provided Duke credentials to the form above is strongly encouraged to contact the OIT Service Desk at 919.684.2200 immediately.
The following phishing attack was reported to the ITSO last night:
Notice the non-Duke / non-Blackboard destination URL in the screenshot. Anyone who clicks through the link is presented with the following cloned page, which is used to harvest credentials:
Anyone who has provided Duke credentials is strongly encouraged to contact the OIT Service Desk at 919.684.2200 immediately.
Please be advised of the latest phishing attack targeting the Duke community:
The Jimdo form appears as:
Please notify the OIT Service Desk (919.684.2200) if you have provided information to the form.
We received multiple reports from recipients of the following phishing attack late yesterday evening:
The Duke Medicine Information Security Office (ISO) reported the form to Jimdo's abuse department. If you are able to click through to the link before the site is taken down, you will see the following form:
Please notify the OIT Service Desk immediately at 919.684.2200 if you've provided your information to the form.
We have received at least one report so far this afternoon of the following phishing attack purporting to be from Wells Fargo:
The destination address of the "Sign On to Wells Fargo Online" link was returning a 403 Forbidden error when I tried to access it. This could mean that the site has already been notified and revoked access to the directory while remediation occurs, or it could simply mean the compromise still exists but is dormant in the hope that security professionals overlook the threat, assuming the page is down. I advise caution to anyone who receives the message. Since I cannot investigate the final destination, I cannot clarify whether the site is hosting a form to phish credentials, whether it hosts malware, or a combination of both.
If you have additional questions or if you've successfully accessed the site, please contact the OIT Service Desk at 919.684.2200.
We've received a few reports from individuals who received the following email:
Some are receiving messages that appear to be from our own helpdesk, as seen above. Please be advised that this is not a legitimate email: the From address has been spoofed to look like it was really sent from Duke. Others received messages similar to the one below, which is obviously not related to Duke.
The destination URL of the "Here" link in both messages pointed to a Jimdo-hosted form. I immediately contacted their support and they've taken the page down. Unfortunately I was unable to obtain a screenshot of the hosted form before the page was blocked. I did receive a report that, while up, the form requested email, username/id, password, and a second line to "confirm" the password.
If you know that you visited the form and provided information related to your Duke account, please notify the OIT Service Desk at 919.684.2200 immediately.
The ITSO has received a few notifications of emails in circulation that purport to be a package tracking notification from UPS. Reports came in on Friday and more have been seen today. Unfortunately the emails are not legitimate and contain links to malicious file downloads. See two of the emails below:
The first hyperlink does go to a legitimate UPS tracking page, which may be enough to coax some recipients into clicking the second link for the supposed invoice. As the screenshots show, the destination address of the second link is not in the UPS domain. Downloading the ZIP file and executing its contents can install ransomware or other malware on the PC. Symantec identifies the malware as Trojan.Ransomlock.G.
If you've been infected by this malware, please contact local IT support or the appropriate Service Desk for assistance.
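The recurring check in these alerts is the same: look past the link text and the displayed sender to the actual destination host and the actual sending domain. The script below is an added example (not Duke ITSO's tooling) that automates that check over a raw message. The sample message, the `TRUSTED_DOMAINS` allowlist and the hostnames in it are constructed for illustration; the helpdesk-spoofing and UPS-invoice patterns mirror the messages described in the alerts above.

```python
"""Flag suspicious links and a spoofed sender in a raw email (constructed example)."""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of domains that legitimate links in these messages should point at.
TRUSTED_DOMAINS = {"duke.edu", "ups.com"}

# Constructed sample: spoofed "Duke helpdesk" sender, one Jimdo-style credential form link,
# one genuine UPS tracking link, and one "invoice" link whose text looks like a UPS URL.
SAMPLE_EML = b"""Return-Path: <bounce@mail-relay.example.net>
From: "OIT Service Desk" <help@oit.duke.edu>
To: user@duke.edu
Subject: Mailbox Quota Exceeded!!!
Authentication-Results: mx.duke.edu; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your mailbox is over quota. Click <a href="http://duke-helpdesk.jimdo.com/">Here</a> to verify.</p>
<p>Track your package at <a href="https://www.ups.com/track?tracknum=1Z999">UPS tracking</a>
or download the invoice from <a href="http://invoice-download.example.net/invoice.zip">www.ups.com/invoice</a>.</p>
</body></html>
"""


def registrable_domain(hostname):
    """Crude eTLD+1 (last two labels). Fine for .edu/.com, wrong for e.g. co.uk."""
    parts = hostname.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else hostname.lower()


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def classify_link(href, text):
    """Return a list of findings for one link; empty means nothing suspicious."""
    host = urlparse(href).hostname or ""
    dest = registrable_domain(host)
    findings = []
    if dest not in TRUSTED_DOMAINS:
        findings.append(f"destination host {host!r} is not a trusted domain")
    # Link text that looks like a hostname/URL but resolves to a different registrable domain.
    shown = text.split("/")[0].lower()
    if "." in shown and registrable_domain(shown) != dest:
        findings.append(f"link text {text!r} does not match destination {host!r}")
    return findings


def check_sender(msg):
    """Compare the displayed From domain with the envelope sender and authentication results."""
    findings = []
    from_addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    from_dom = registrable_domain(from_addr.split("@")[-1])
    return_path = email.utils.parseaddr(str(msg.get("Return-Path", "")))[1]
    if return_path and registrable_domain(return_path.split("@")[-1]) != from_dom:
        findings.append(f"From domain {from_dom!r} differs from Return-Path {return_path!r}")
    auth = str(msg.get("Authentication-Results", ""))
    if "spf=fail" in auth or "spf=softfail" in auth:
        findings.append("SPF failed for the envelope sender")
    if "dkim=pass" not in auth:
        findings.append("no passing DKIM signature")
    return findings


def analyze(raw):
    """Parse a raw message and return {'sender': [...], 'links': {href: [...]}}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    report = {"sender": check_sender(msg), "links": {}}
    for href, text in extract_links(html):
        findings = classify_link(href, text)
        if findings:
            report["links"][href] = findings
    return report


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EML).items():
        print(key, value)
```

Only the two links that leave the allowlisted domains are reported; the genuine UPS tracking link passes, which is exactly why the UPS lure works. In a real mail pipeline the allowlist would come from your own domains and vetted vendors, and the Authentication-Results header should only be trusted when it was added by your own MX.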
The following phishing attack was reported today:
Clicking the "HELPDESK" link will redirect to the following form hosted at a non-Duke site:
The form has been reported to the abuse department and will hopefully be removed soon. Anyone who supplies Duke information to the form should notify the OIT Service Desk at 919.684.2200 immediately.
Below is the most recent phishing attack circulating across the Duke community:
We also saw reports of a variant of the same message, with a different font and the exclamation marks removed from the subject, whose link routed to a modified URL on the same domain (see below).
Anyone who clicks through the "Click Here to Read" link (which, as seen above, routes to a non-Duke site) will be presented with the following form designed to mimic the Exchange OWA interface:
If anyone accessed the link and supplied NetID credentials, please immediately contact the OIT Service Desk at 919.684.2200.
The following email is the latest phishing attack, a rehashed message pointing to the same Jimdo-hosted form seen in yesterday's notice:
We submitted this page to the Jimdo abuse department yesterday. It appears the page has already been taken down, though I still advise anyone who was able to access the form and supplied NetID credentials to contact the OIT Service Desk immediately at 919.684.2200.