Phishing Attacks Targeting Duke (July 2013)

Over the past two weeks Duke's Office of Information Technology (OIT), the University IT Security Office (ITSO), and the Duke Medicine Information Security Office (ISO) have detected several phishing attacks targeting the Duke community. 


These attacks claim to be automated notifications of attempted logins by an unrecognized device from outside the country. Duke users are asked to review their account by clicking a link, which redirects to a form hosted by a non-Duke site.


The most recent phishing attack masquerades as a notification from Amazon, also reporting account access from an unauthorized computer. While the link in this page appears to redirect to Amazon, the user actually is sent to a bogus website. 


All of the forms are designed to collect Duke NetID credentials. Once credentials are obtained, attackers can access Duke email accounts and use them to send thousands of messages to other individuals or institutions. Samples of the email messages as well as the non-Duke hosted forms are provided below.


The IT Security Office offers the following reminders about handling suspicious messages:


  1. Remember that Duke will NEVER ask for your password or information about your account via email.
  2. Do NOT click any links in suspicious messages.  Links in messages such as these phishing attempts are used to coerce recipients into providing account credentials but there is also the possiblity that you are redirected to a site used to install malware on your computer.
  3. If you get an email message that looks to be a scam, please visit the Sophos site for instructions on how to upload the message. Uploading the message helps Duke’s anti-spam appliances gather better information on what to mark as spam or scam. (


If you have supplied any information on a website after clicking on links in a suspicious email message please contact the OIT Service Desk immediately.


OIT Service Desk:

(919) 684-2200



Samples - Out of the Country Login Emails




Sample - Fradulent Amazon Email



Samples - Fraudulent Webforms Requesting Credentials








If you receive similar emails, phishing for account credentials, please notify your Security Office. Remember to forward such emails with full email headers. For assistance obtaining full email headers from various clients, please review the following ServiceNow Knowledgebase article:  (


University IT Security Office (ITSO):


Duke Medicine Information Security Office (ISO):