An unknown perpetrator launched a phishing scam to gain access to Duke NetID accounts by impersonating the University president.
Sent to approximately 125 members of the Duke community, the phishing attack came as a phony email from an external email account Saturday and Sunday, said Chief Information Security Officer Richard Biever. Phishing is a form of online fraud designed to convince recipients to reveal personal information, such as bank account information and Social Security numbers.
The phishing message requested recipients submit their Duke NetID credentials in a Google Document in order to obtain the latest University news and updates. The emails not only contained Duke letterhead but appeared to be sent by President Richard Brodhead.
“I trust people as smart as Duke students saw through the ruse,” the real Brodhead wrote in an email Wednesday.
Biever said the message was reported on Sunday and by Monday the fraudulent link was taken down by Google. Catching the perpetrator, however, is more difficult.
“Trying to track down each attacker is a bit like playing whack-a-mole,” Biever wrote in an email Wednesday. “In cases where the sending address is a random email address created by the attacker—like a Google account—we would have very little success in tracking back to an individual.”
The situation is often further complicated by the attacker’s use of other people’s legitimate accounts to send spam or phishing messages. In such cases, since the attacker has control of the account, the actual sender of the message is unaware that he or she is participating in fraud.
The Office of Information Technology is not sure how many Duke users submitted their personal information, Biever noted, adding that no one has yet reported a compromised NetID or email since the message was sent.
Phishing attacks can occur frequently, Biever added. Although the University mail system inhibits the majority of fraudulent messages sent to Duke accounts, some manage to get through because the attacker is able to customize the message in a way that bypasses the filtering mechanisms, Biever said.
“In August we received 116,146,522 email messages, but only 15.3 percent were legitimate messages,” Biever said. “The remaining 84.6 percent were comprised of viruses, malware, phishing and spam messages.”
To avoid falling victim to phishing, people should be wary of emails from unknown senders. Biever added that if a link is provided in an email message, recipients should verify where it goes before entering personal information.
“Duke and other legitimate organizations will never, ever ask for your password over email,” he said.