Phishing Attacks: "Termination Of Your Duke Account" (July 17, 2013)

Already this morning, we've seen 3 slightly different phishing attacks. All have the same subject: "Termination Of Your Duke Account" and all have the same message. The minor differences of each are the from address and the URL the recipient is asked to review. This is the same type of attack we've seen already this week and even last in which the report claims to have detected a "login attempt with a valid password to your account from an unrecognized device". Each report has an Incident ID, timestamp, and location (which is out of the country) intentionly designed to scare recipients into believing illigitimate activities have occurred from their account. As per the norm, the ultimate goal is to trick the recipient into clicking the link redirecting to a non-Duke hosted form used to harvest credentials.


As stated above, the email message remains mostly unchanged from one mailing to the next (the minor difference being the URL -- see the URLs used below):


The redirect URLs seen so far today are as follows:


Below are the forms host at each of the URLs above. 

"accttermination.jimdo" form:



"dukerestore.webs" form:


"dukesaccount.webs" form:


If you receive reports of other similar phishing attacks, please notify the ITSO. If you or someone you know has clicked through to the forms and supplied login credentials, please notify the OIT Service Desk.


IT Security Office


OIT Service Desk