Phishing Attack "System Administrator" (July 11, 2013)

A phishing attack was reported earlier this afternoon. As with the last attack, I'd like to point out the parts of the email that should raise suspicion about its legitimacy.

The message:


So what's suspicious?

1) While the sender address can be forged, why would the "administrator" have an email address unrelated to Duke that ends in .bn (the internet country code for Brunei Darussalam)?
2) Why does the message appear to be addressed to an address at 
3) If your password were really to expire, shouldn't there be specific mention of your name and the account which is about to expire?
4) Why would you validate a Duke account at a non-Duke site? (Remember to mouse over the URL to make sure that what you think you're clicking is actually the destination address.)


As with most phishing messages, this one is very vague and non-specific so that it can be distributed to a vast number of recipients. 
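
The checks in items 1, 3 and 4 above can also be run mechanically over a reported message. The following Python sketch is an added example, not part of the original advisory; the `duke.edu` domain value, the function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "duke.edu"  # assumption: the organization's own domain

# Constructed single-part sample, not the reported message.
SAMPLE = """\
From: System Administrator <admin@mail.example.bn>

<p>Dear user, your password expires soon. Validate here:
<a href="http://forms.example.net/validate">http://www.duke.edu/validate</a></p>
"""

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)  # visible text of the current link
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def in_org(host):
    host = (host or "").lower()
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)

def findings(raw, recipient_name):
    msg = message_from_string(raw)
    body, out = msg.get_payload(), []
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not in_org(sender_host):                      # item 1: unrelated sender
        out.append("sender-outside-org:" + sender_host)
    if recipient_name.lower() not in body.lower():   # item 3: no name mentioned
        out.append("no-recipient-name")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:               # item 4: where links really go
        if not in_org(urlparse(href).hostname):
            out.append("link-outside-org:%s" % urlparse(href).hostname)
            if "://" in text and in_org(urlparse(text).hostname):
                out.append("link-text-mismatch:" + text)
    return out
```

The `link-text-mismatch` finding is the scripted form of mousing over a link: the visible text names an organizational address while the `href` points somewhere else.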


The hosted form used to harvest credentials:



If you or someone you know supplied information to the form, please notify the OIT Service Desk immediately.


OIT Service Desk


IT Security Office