From Senior_IT_Leadership@notes.duke.edu Fri Jan 25 15:55:34 2008
Date: Jan. 25, 2008
From: Senior IT Leadership
To: Irvin Eisen
Subject: SECURITY ALERT to All Email Users: Ignore Emails Requesting Passwords

Duke Medicine email accounts have been targeted by an outside attack that
seeks to obtain Duke user IDs and passwords. These IDs and passwords have
then been used to send mass email (spam).

REQUIRED ACTIONS

1. Never respond to emails that request or demand personal information
like your password, SSN, or credit card number. Legitimate Duke Medicine
personnel will never ask for your password by any means - not by email,
telephone, or in person.
2. Change your password immediately and then contact the DHTS Help Desk
(684-2243) if you have already responded to a request for your password.
If you need assistance to change your password, contact your departmental
technical support, or call the DHTS Help Desk.
3. Some accounts compromised through this attack received a flood of
"message not deliverable" messages for emails that the legitimate user did
not actually send. This is described below. If you receive dozens of
unexpected "not deliverable" messages, immediately change your password,
then contact your departmental technical support, or the DHTS Help Desk,
to determine whether an attacker has logged in to your account.
4. Contact the DHTS Help Desk (684-2243) if you have any questions.

DESCRIPTION

The type of attack we are experiencing is termed "Phishing". Phishing
attacks involve the mass distribution of e-mail messages with forged
return addresses, links, and branding which appear to come from legitimate
sources e.g. banks, insurance agencies, retailers or credit card
companies. These fraudulent messages are designed to fool the recipients
into divulging confidential or personal authentication data such as
account usernames and passwords, credit card numbers, social security
numbers, etc. Because these emails look "official", up to 20% of
recipients may respond to them, resulting in financial losses, identity
theft, and other fraudulent activity.

In this incident, the emails appear to be from "support@duke.edu", "Duke
Team", and other made-up titles that include "Duke". They began arriving
on January 18, and have continued through the following week. Subject
lines have included "Verify your Duke email account now", and others. They
threaten to terminate "your account" unless you reply with your ID and
password in the response. Similar patterns of attack have been reported at
other research institutions and private corporations.

Users who did reply to the early messages report that the attacker then
used their Duke email IDs to send hundreds of other emails to users
outside of Duke, attempting to involve them in fraudulent financial
transactions. Many of the fraud invitation messages were sent to IDs that
are no longer active, so they are automatically returned to the apparent
sender - the Duke ID. The Duke user then sees many "user not found"
messages in their inbox, when they know they did not send the message that
is being returned.

REMEMBER

1. Duke Medicine technical personnel will never ask you for your password,
for any system.
2. Never send your password in any email, or divulge it over the
telephone.
3. You may be given an initial password for a new account through email,
but you should immediately log into the new account and change its
password to one that is known only to you.

Thank you for your cooperation.

<<< NOTE >>> The information in this electronic mail is sensitive,
protected information intended only for the addressee(s). Any other person,
including anyone who believes he/she might have received it due to an
addressing error, is requested to notify the sender immediately by return
electronic mail, and to delete it without further reading or retention.
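
The flood of "not deliverable" messages described in item 3 of the alert can also be watched for on the mail-server side. The Python below is an added example, not part of the original alert or of any Duke system; the record fields, the threshold of 24 bounces ("dozens") and the one-hour window are assumptions, and the sample messages are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def is_bounce(msg):
    """A bounce carries the null envelope sender (RFC 5321) or a
    delivery-status report content type (RFC 3464)."""
    return (msg["envelope_from"] == ""
            or "report-type=delivery-status" in msg["content_type"].lower())

def find_bounce_floods(messages, threshold=24, window=timedelta(hours=1)):
    """Return {mailbox: peak bounce count} for every mailbox that received
    at least `threshold` bounces inside any sliding `window`."""
    recent = defaultdict(deque)   # mailbox -> bounce timestamps still in window
    peaks = {}
    for msg in sorted(messages, key=lambda m: m["received"]):
        if not is_bounce(msg):
            continue
        q = recent[msg["rcpt"]]
        q.append(msg["received"])
        # Drop timestamps that have aged out of the window.
        while msg["received"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[msg["rcpt"]] = max(peaks.get(msg["rcpt"], 0), len(q))
    return peaks

# Constructed sample data (hypothetical mailboxes, not real accounts).
_T0 = datetime(2008, 1, 25, 9, 0)
_DSN = "multipart/report; report-type=delivery-status"
SAMPLE = (
    # user_a: 30 bounces in 30 minutes, the pattern the alert describes.
    [{"rcpt": "user_a@example.edu", "envelope_from": "", "content_type": _DSN,
      "received": _T0 + timedelta(minutes=i)} for i in range(30)]
    # user_b: 30 bounces spread over 30 days, ordinary background noise.
    + [{"rcpt": "user_b@example.edu", "envelope_from": "", "content_type": _DSN,
        "received": _T0 + timedelta(days=i)} for i in range(30)]
    # An ordinary message to user_a, which must not be counted.
    + [{"rcpt": "user_a@example.edu", "envelope_from": "colleague@example.edu",
        "content_type": "text/plain", "received": _T0 + timedelta(minutes=5)}]
)

if __name__ == "__main__":
    for mailbox, peak in find_bounce_floods(SAMPLE).items():
        print(f"{mailbox}: {peak} bounces within one hour, check for account misuse")
```

A flagged mailbox is a prompt to reset the password and review recent logins, as item 3 instructs.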