Duke ITSO Alerts

The Duke IT Security Office has received reports of a well-crafted, targeted phishing campaign that has been sent to many in the Duke community. If you receive an email similar to the one below, please be aware that it is an attempt to steal your login credentials. If you have received this email, followed the URL, and provided your login credentials, we strongly recommend you contact your local support or the OIT Service Desk immediately so that they can walk you through resetting your password and ensuring no other changes have been made to your account.

 

If you have any questions or concerns please contact security@duke.edu.

 

Below is a screenshot of the email. Note that the attacker mentions an article written (or co-written) by the recipient; this is to create a sense of trust in the hope that the recipient will follow the link and provide their login information. Note also that the first link in the email is to shib.oit.duke.eduh.in, which is not a duke.edu domain but is very similar to the correct domain of shib.oit.duke.edu.

 

Below is a screenshot of the malicious website. Note that the website does not use a secure (HTTPS) link. Also note that the MultiFactor Authentication portion never successfully displays the necessary additional information, instead simply displaying a spinning progress indicator.
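The domain and HTTPS checks described in these alerts, written out as an added example (not code from the Duke IT Security Office). The function names are hypothetical, the hosts are the ones named in the alerts, and the URL paths are constructed for illustration.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "duke.edu"  # domain the alerts give for legitimate login pages


def classify_login_url(url: str, trusted: str = TRUSTED_DOMAIN) -> str:
    """Classify a link as 'trusted', 'insecure', 'lookalike' or 'foreign'."""
    parts = urlsplit(url.strip())
    # .hostname drops any "user@" prefix and the port, so text placed before
    # an "@" cannot pass itself off as the host.
    host = (parts.hostname or "").rstrip(".")
    # Match on a label boundary: the host must be the trusted domain itself
    # or end in ".<trusted>". A plain substring test would wrongly accept
    # "shib.oit.duke.eduh.in".
    if host == trusted or host.endswith("." + trusted):
        # Right domain, but the alerts also expect a secure (HTTPS) link.
        return "trusted" if parts.scheme == "https" else "insecure"
    # The trusted name shows up in the authority part, yet the real host is
    # somewhere else: treat it as a lookalike.
    if trusted in parts.netloc.lower():
        return "lookalike"
    return "foreign"


# Constructed sample links: hosts come from the alerts, paths are made up.
SAMPLES = [
    "https://shib.oit.duke.edu/idp/authn",
    "http://shib.oit.duke.edu/idp/authn",
    "http://shib.oit.duke.eduh.in/idp/authn",
    "https://shib.oit.duke.edu@buypalladium.net/login",
    "http://dejeunerlivre.fr/login.html",
    "http://mehmetakifarastirmalari.com/webmail/",
]


def triage(urls):
    """Map each URL to its verdict."""
    return {u: classify_login_url(u) for u in urls}


if __name__ == "__main__":
    for url, verdict in triage(SAMPLES).items():
        print(f"{verdict:9} {url}")
```
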

 

Please be advised of this newly reported phishing attack circulating across campus.

 

Email:

 

"navigate here" destination (phishing form):

 

Anyone who has received the message, clicked the link, and supplied credentials should notify the OIT Service Desk immediately by calling 919.684.2200.

The Duke University IT Security Office has received numerous notifications of a new phishing email that is circulating throughout the Duke community. If you received this email, clicked on the link, and provided your NetID and password, we ask that you contact the OIT Service Desk immediately. They can be reached at 919.684.2200. If you have any concerns, please contact us at security@duke.edu.

 

Below is a screenshot of the phishing email that is being circulated. **Note** the URL that you are redirected to if you click the link.

 

 

Below is a screenshot of the website that you are redirected to if you click on the link. **Note** that this webpage is hosted on a domain that is not the duke.edu domain.

 

The Duke University IT Security Office has received numerous notifications of a new phishing email that is circulating throughout the Duke community. If you received this email, clicked on the link, and provided your NetID and password, we ask that you contact the OIT Service Desk immediately. They can be reached at 919.684.2200. If you have any concerns, please contact us at security@duke.edu.

 

Below is a screenshot of the phishing email. While this email was well put together, note the grammar errors as well as the URL that you are redirected to if you click on the prompt.
 

 

Below is a screenshot of the site that you are redirected to if you click the prompt in the email. This site is hosted on the dejeunerlivre.fr domain, which is a French domain; legitimate Duke authentication pages would be hosted on the duke.edu domain.
 

The Duke University IT Security Office has received numerous notifications of a new phishing email that is circulating throughout the Duke community. If you received this email, clicked on the link, and provided your NetID and password, we ask that you contact the OIT Service Desk immediately. They can be reached at 919.684.2200. If you have any concerns, please contact us at security@duke.edu.

 

Below is a screenshot of the email. **Note that the URL is a shortened URL, used to mask the destination of the phishing page.**

 

 

Below is a screenshot of the phishing site. **Note the URL in the address bar. The site is hosted on the buypalladium.net domain; a legitimate Duke login page would be on the duke.edu domain.**

 

The Duke University IT Security Office has received notifications of a phishing email that is circulating throughout the Duke community. If you received this email, clicked on the link, and provided your NetID and password, we ask that you contact the OIT Service Desk immediately. They can be reached at 919.684.2200. If you have any concerns, please contact us at security@duke.edu.

 

Below is a copy of the email.

 

Below is a screenshot of the page that the above link redirects to. **Note** the URL in the address bar: the site is hosted on the .co.uk domain, whereas a legitimate Duke login page would be hosted on the duke.edu domain.

 

The Duke University IT Security Office has received notifications of a phishing email that is circulating throughout the Duke community. If you received this email, clicked on the URL, and provided your NetID and password, we ask that you contact the OIT Service Desk immediately. They can be reached at 919.684.2200. If you have any concerns, please contact us at security@duke.edu.
 

Below is a copy of the email. **Note** the URL if you hover over the "RESOLVE" link.

Below is a screenshot of the page that the above URL redirects to. **Note** that the URL in the address bar is hosted on the .biz domain; a legitimate Duke login page would be hosted on the duke.edu domain.
 

Our latest observed phishing attack claims that the recipient's "mailbox is almost full" and prompts for a login to update web mail (see screen capture below):

 

 

Visiting the "Update Web Mail" link seen above will take you to a non-Duke hosted clone of our login page (as seen below):

 

 

Notice that the URL does not start with "https://shib.oit.duke.edu/".

 

***Update***

Shortly after the initial message, we received reports of a second attack with a slightly modified target URL (see below):

 

******

 

We ask that anyone who has received this message, clicked the link, and supplied NetID credentials notify the OIT Service Desk immediately by calling 919.684.2200.

The Duke University IT Security Office has received multiple notifications of a new phishing email that is circulating throughout the Duke community. If you received this email, clicked on the link, and provided your NetID and password, we ask that you contact the OIT Service Desk immediately. They can be reached at 919.684.2200.

Below is a copy of the email.

 

Below is a screenshot of the site that the link in the email redirects to. **Note** that this site is hosted on the "mehmetakifarastirmalari.com" domain and not on the "duke.edu" domain.

Reports arrived this morning of a phishing attack purportedly from the CS department regarding the verification of "Email NetID Services". Please be advised that this is a fraudulent message and should be discarded and avoided. If you've received a message similar to the one below, clicked through the links, and supplied credentials, please notify support:

 

 

Though the message claims to be from Duke and links to "WebMail", the destination of the URL is actually a non-Duke site (see below):

 

 

As mentioned above, if you received this message, clicked the link, and supplied credentials, please immediately notify the OIT Service Desk at 919.684.2200.