Duke ITSO Alerts

The Duke University IT Security Office has received numerous notifications of a new Phishing email that is circulating throughout the Duke Community. If you received this email, clicked on the link and provided your NetID and Password then we ask that you contact the OIT Service Desk immediately. They can be reached at 919.684.2200. If you have any concerns please contact us at security@duke.edu.

 

Below is a screenshot of the Phishing email. While this email was well put together, note the grammar errors as well as the URL that you are redirected to if you click on the prompt.
 

 

Below is a screenshot of the site that you are redirected to if you click the prompt in the email. This site is hosted on the dejeunerlivre.fr domain, which is a French domain; legitimate Duke authentication pages would be hosted on the duke.edu domain.
 

The Duke University IT Security Office has received numerous notifications of a new Phishing email that is circulating throughout the Duke Community. If you received this email, clicked on the link and provided your NetID and Password then we ask that you contact the OIT Service Desk immediately. They can be reached at 919.684.2200. If you have any concerns please contact us at security@duke.edu.

 

Below is a screen shot of the email. **Note the URL is a shortened URL to mask the destination of the Phishing page**

 

 

Below is a screen shot of the Phishing site. **Note the URL in the address bar. The site is hosted on the buypalladium.net domain; a legitimate Duke login page would be hosted on the duke.edu domain**

 

The Duke University IT Security Office has received notifications of a Phishing email that is circulating throughout the Duke Community. If you received this email, clicked on the link and provided your NetID and Password then we ask that you contact the OIT Service Desk immediately. They can be reached at 919.684.2200. If you have any concerns please contact us at security@duke.edu.

 

Below is a copy of the email.

 

Below is a screen shot of the page that the above link redirects to. **Note** the URL in the address bar: the site is hosted on the .co.uk domain; a legitimate Duke login page would be hosted on the duke.edu domain.

 

The Duke University IT Security Office has received notifications of a Phishing email that is circulating throughout the Duke Community. If you received this email, clicked on the URL and provided your NetID and Password then we ask that you contact the OIT Service Desk immediately. They can be reached at 919.684.2200. If you have any concerns please contact us at security@duke.edu.
 

Below is a copy of the email. **Note** the URL if you hover over the "RESOLVE" link.

Below is a screen shot of the page that the above URL redirects to. **Note** the URL in the address bar is hosted on the .biz domain; a legitimate Duke login page would be hosted on the duke.edu domain.
 

Our latest observed phishing attack claims that the recipient's "mailbox is almost full", prompting for a login to update web mail (see screen capture below):

 

 

Visiting the "Update Web Mail" link seen above will take you to a non-Duke hosted clone of our login page (as seen below):

 

 

Notice the URL does not start "https://shib.oit.duke.edu/".

 

***Update***

Shortly after the initial message, we received reports of a 2nd attack with a slightly modified target URL (see below):

 

******

 

We ask that anyone who has received this message, clicked the link, and supplied NetID credentials please notify the OIT Service Desk immediately by calling 919.684.2200.

The Duke University IT Security Office has received multiple notifications of a new Phishing email that is circulating throughout the Duke community. If you received this email, clicked on the link and provided your NetID and Password then we ask that you contact the OIT Service Desk immediately. They can be reached at 919.684.2200.

Below is a copy of the email.

 

Below is a screen shot of the site that the link in the email redirects to. **Note** This site is hosted on the "mehmetakifarastirmalari.com" domain and not on the "duke.edu" domain.

Reports this morning of a phishing attack purportedly from the CS department regarding the verification of "Email NetID Services". Please be advised, this is a fraudulent message and should be discarded and avoided. If you've received a message similar to the one below and clicked through the links and supplied credentials, please notify support:

 

 

Though the message claims to be from Duke and links to "WebMail" the destination of the URL is actually a non-Duke site (see below):

 

 

As mentioned above, if you received this message, clicked the link, and supplied credentials, please immediately notify the OIT Service Desk at 919.684.2200.

The ITSO has received a report of the following phishing attack:

 

 

As seen above, hovering over the "Click Here To Read" hyperlink points you to the following non-Duke hosted form used to harvest NetID credentials:

 

 

Please notify the OIT Service Desk at 919.684.2200 immediately if you received the message, clicked the link, and entered your NetID & password.

Reports of a new phishing attack are cycling into the ITSO. The attack specifically asks for banking account information, which mimics attacker activity associated with past direct deposit fraud. If you receive the following message (or one of similar nature), be advised this is not a legitimate communication and should be discarded.

 

 

Clicking the link in that message results in the following cloned Shibboleth / single sign-on page:

 

Please notify the OIT Service Desk at 919.684.2200 immediately if you receive this attack, click the link, and supply personal information.

Reports of a new BlackBoard targeted phishing attack have begun filtering into the ITSO. In this attack, the sending party routes an email with an attachment (CourseAdviser.htm).

 

Opening this attachment launches a web browser that shows the HTML document and presents us with the typical phishing message (see below):

 

The URL in this message redirects to the hosted form used to harvest credentials (see below):

 

This attack is targeting higher ed institutions using BlackBoard. While it is not Duke specific, we ask that anyone who has received this message, clicked the attachment and the link in the HTML file, and lastly entered NetID credentials in the phishing page please notify the OIT Service Desk immediately by calling 919.684.2200.
