Duke ITSO Alerts

A new run of phishing attacks has been reported this morning. The newest attacks are arriving with a subject of "DUKE Information Update" and look very similar. In fact, both emails have the same content; the only differences are the "from" address and the destination of the link contained in the message. A screenshot of one of the attacks can be seen below:

 

 

The attack above does appear to be targeting Duke directly, as the landing page is a clone of our mail.duke.edu page. You can also see in the picture that mousing over the link shows a URL with Duke in the wording. Please make special note that the page is hosted on a non-Duke domain (.eu). Clicking this link will take you to the following page:

 

 

Please notify the OIT Service Desk immediately if you received the email above, clicked the link, and supplied your NetID credentials. Contact should be made via phone at 919.684.2200.

The Duke IT Security Offices have been notified of a new phishing campaign that appears to have reached a lot of our community. We have contacted the website hosting providers and requested they take down the phishing sites.

If you received any of the below emails, clicked the link, and entered your username and password, then you should contact either the Service Desk or your local support as soon as possible. They can assist you in updating your local login credentials as well as verifying any other potential changes to your account settings.

 

If you have any questions or concerns then please feel free to contact us via email, security@duke.edu.

 

Below is a screenshot of the email. Note that if you hover over the link in the email you will see the URL of the actual phishing site. Hidden in the email content is a second phishing site.

 

Below are screenshots of the two phishing sites. Note that both sites are hosted on the *my-free.website domain.

 

Duke University has been a target of a new phishing attack this morning. Similar past emails have been precursors to attempted payroll fraud. Please be advised that email messages similar to the one below should be discarded:

 

 

Clicking the URL redirects you to a non-Duke hosted form.

 

The hosting provider, Angelfire, was immediately notified and promptly removed the page. However, if you received the message above earlier this morning and followed the link to provide any of your credentials, please immediately notify the OIT Service Desk at 919.668.2200.

The Duke IT Security Offices have received multiple notifications of a new phishing campaign that is being circulated throughout the Duke community. Due to these notifications, we have contacted the website's hosting provider and recommended they take down the phishing page. If you received this email, clicked the link, and provided your login credentials, then we recommend you contact your local IT support or the OIT Service Desk in order to get assistance with resetting your login credentials.

 

Below is a screenshot of the email that is being sent to Duke users. Note the website that the link redirects to.

 

Below is a screenshot of the site that you are directed to if you click the link in the email. Note that any Duke login websites should be hosted on the duke.edu domain and not weebly.com.

 

If you have any questions or concerns then please contact us via email, security@duke.edu.

The Duke IT Security Offices have received numerous alerts of a very widespread phishing campaign that is circulating throughout the Duke community. This message is an attempt to steal your login username and password. If you received the below email, clicked the link, and entered your username and password, then we ask that you contact either your local support or the OIT Service Desk immediately. The OIT Service Desk can be reached at 919.684.2200.

If you have any other questions or concerns please email us at security@duke.edu.

 

Below is a screen shot of the email. Note that the link redirects to a site that isn't hosted on the duke.edu domain.

 

Below is a screen shot of the site that you are redirected to if you click the link in the email. Again note that this site is hosted on the montessorilittlebirds.ch domain instead of the duke.edu domain. Also note that this site DOES NOT resemble the Duke login page at all.

The Duke IT Security Office has received multiple alerts of a Phishing message that is circulating through the Duke community. If you received this email, clicked the link and entered your login credentials, then we recommend you contact your local support or the OIT Service Desk @ 919.684.2200.

If you have any questions please feel free to contact us via email at security@duke.edu.

 

Below is a screen shot of the email. Note that the attacker attempted to make this email appear legitimate by claiming to be a Duke University Library staff member.

 

Here is a screen shot of the website. Again note that this site is a clone of the Duke University Library website but is hosted on a different domain. This site is hosted on the library.duke.euve.tk domain instead of the actual website, which is hosted on the duke.edu domain.

 

The Duke IT Security Office has received multiple notifications of a new phishing campaign that is being circulated throughout the Duke community. If you have received this message, clicked on the link in the email, and provided your credentials, then we ask that you contact your local IT support or the OIT Service Desk @ 919.684.2200, so that they may assist you in resetting your credentials as well as ensuring there have been no other changes made to your account.

If you have any further questions please contact us via email at security@duke.edu.

 

Below is a screen shot of the email. Note that the link in the email redirects to a site that is not on the duke.edu domain.

 

 

Below is a screenshot of the Phishing site. Again note the domain is cham1.biz and not duke.edu. The attackers have also removed the correct website warning that is normally below the Forgot Password link and says "You are on the correct Duke sign-in page if the URL above begins with https://shib.oit.duke.edu/."

The Duke IT Security Office has received reports of a Phishing campaign that has been sent to many in the Duke community over the last two weeks. If you receive an email similar to the one(s) below, please be aware that it is an attempt to steal your login credentials. If you have received this email, followed the URL, and provided your login credentials, we strongly recommend you contact your local support or the OIT Service Desk immediately so that they can walk you through resetting your password and ensuring no other changes have been made to your account. 

 

Below are screenshots of both of the emails that we have seen circulating throughout the community. Note that if you hover over the link in the emails, neither site is hosted on the duke.edu domain, but both contain "duke" in the URL in an attempt to be more convincing to our users.

 

 

Below are screen shots of both of the sites that the links in the emails redirect to. Again note that neither of these sites is hosted on the duke.edu domain; both are an attempt to steal your Duke login credentials.

 

 

Should you have any questions or concerns please contact security@duke.edu.

The Duke IT Security Office has received reports of a well crafted and targeted Phishing campaign that has been sent to many in the Duke community. If you receive an email similar to the one below, please be aware that it is an attempt to steal your login credentials. If you have received this email, followed the URL, and provided your login credentials, we strongly recommend you contact your local support or the OIT Service Desk immediately so that they can walk you through resetting your password and ensuring no other changes have been made to your account. 

 

If you have any questions or concerns please contact security@duke.edu.

 

Below is a screenshot of the email. Note that the attacker mentions an article written (or co-written) by the recipient; this is to create a sense of trust in the hope that the recipient will follow the link and provide their login information. Note also that the first link in the email is to shib.oit.duke.eduh.in, which is not a duke.edu domain, but is very similar to the correct domain of shib.oit.duke.edu.
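
The check these alerts keep asking readers to make by eye (is the link really on duke.edu, or does it only contain "duke"?) can be done on the parsed hostname. The following is an added example, not Duke's own tooling: `link_host` and `classify_link` are hypothetical names, the hostnames come from the alerts above, and the paths and the `example` subdomain are constructed.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "duke.edu"  # the alerts say Duke login pages live on this domain


def link_host(url):
    """Hostname of a link, lower-cased, without port or trailing dot."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # malformed URL
        return ""
    return host.rstrip(".").lower()


def classify_link(url):
    """Hypothetical helper: label where a link really points."""
    host = link_host(url)
    if not host:
        return "unparseable"
    # Match whole labels from the right, so "duke.eduh.in" does not pass as duke.edu.
    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        scheme = urlsplit(url).scheme
        return "duke.edu" if scheme == "https" else "duke.edu-not-https"
    # "duke" elsewhere in the URL is the lure the alerts describe.
    if "duke" in url.lower():
        return "lookalike"
    return "external"


# Hostnames are from the alerts; paths and the "example" subdomain are constructed.
SAMPLES = [
    "https://shib.oit.duke.edu/idp/authn",
    "http://shib.oit.duke.eduh.in/idp/authn",
    "http://library.duke.euve.tk/",
    "http://montessorilittlebirds.ch/form",
    "https://example.weebly.com/duke-login",
    "http://mail.duke.edu/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify_link(sample):20} {sample}")
```
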

 

Below is a screenshot of the malicious website. Note that the website does not use a secure (HTTPS) link. Also note that the MultiFactor Authentication portion never successfully displays the necessary additional information, instead simply displaying a spinning progress indicator.

 

Please be advised of this newly reported phishing attack circulating across campus.

 

Email:

 

"navigate here" destination (phishing form):

 

Anyone who has received the message, clicked the link, and supplied credentials should notify the OIT Service Desk immediately by calling 919.684.2200.
