ISG has received reports of emails from "Brown IT Alert" warning recipients that their brown.edu account was "accessed from a blacklisted IP located in Arizona", listing the details, then requesting they click on a link to "allow the new IP monitoring alert system (to) automatically block the suspicious IP from further future compromise." This is not a legitimate request but a phishing attempt and should be treated as such. Do NOT click on the link. If you have not already deleted it, mark the email as phishing and then delete it.
Note: The address firstname.lastname@example.org has been blocked from being able to send to Brown Gmail addresses.
An example follows:
---------- Forwarded message ----------
From: Brown IT Alert
Date: Wed, Nov 20, 2013 at 11:16 AM
Subject: URGENT: BROWN incident where your NET ID was compromised
Our new IP monitoring alert system that checkmates the increased incidents of phishing attacks and database compromise detected that your "brown.edu" account was accessed from a blacklisted IP located in Arizona. The suspicious login details are shown hereunder:
Access Location: Phoenix, Arizona
IP Address: 188.8.131.52
ISP: Nobis Technology Group, LLC
Host Name: 184.108.40.206.rdns.ubiquity.io
Time of compromise : 10:27 AM, Eastern Standard Time (EST) -0500 UTC
Date of compromise: Wednesday, November 20, 2013
Did you access your account from this location? If this wasn't you, your computer might have been infected by a malicious malware code unnoticed. To protect your account from any further compromise, kindly follow these two steps immediately:
1. Follow this ITS secure link below to reconfirm your login details and allow the new IP monitoring alert system automatically block the suspicious IP (220.127.116.11) from further future compromise
2. Scan your PC immediately to remove all malware codes and any other malignant viruses With these two steps taken, your account will be secured.
Serving you better,
ITS and Database Security