Phish Bowl

This phish was received over the weekend but there are others received over the weekend as well as received this morning from related threat actor with different senders with these subject lines ‘Re: Covid Funds Relief’ or ‘Re: College $1000 benefit check available’ or ‘Re: NOV COLLEGE GRANT/FUNDS APPROVED FOR PAYMENT 2022’ or ‘Re: COLLEGE GRANT/FUNDS APPROVED FOR PAYMENT 2022’. All these are scam phishes asking for your cell number to evade the communication from UVic network.

The sender’s name is too generic ‘COLLEGE BOARD’ or ‘STUDENT JOB BOARD’, generic salutation and no signature, too good to be true offer. All these are signs of a phishing email.

Please do not give your personal information and do not correspond with the phisher on any mode of communication. These scams usually lead to stealing confidential information and/or duping you into giving money. Always pay attention to the phishing signs and think before taking any mentioned action.

 

This  phish is circulating today. The text doesn’t  make any sense.  Unlike the malicious actors the UVic Systems can determine if your account is in use without asking you to confirm. The sender is some gmail account.

The goal as usual is to steal your UVic credentials.

As always – please do not click out of curiosity, just to see the fake login page.
Sometimes these pages may contain malware to infect your computer instantly.
Our experts open them in isolated environments. The second screenshot shows the fake login page.

---

 

This phish spoofed a UVic email address but actually came from outside of UVic. As well as the empty subject line, there are plenty of red flags in the message content:

• The message instills a false sense of urgency and threatens an adverse impact.
• There are plenty of capitalization and grammatical errors, and the spacing in the last paragraph is weird. Indeed, the whole email looks like it was put together rather sloppily.
• The link shown to you is for a site on Weebly, a free website builder. No real UVic login page would ever be hosted on a free website builder.

If you hover over any of the links, you’ll actually see a Google redirect URL. Phishers may use a Google redirect or something similar to make the URL look less phishy and hide the real destination.

As always, don’t click on the links! If you did, reach out to the Computer Help Desk or your department’s IT support staff for assistance.

This phish creates a sense of urgency by pretending to be sent from human resources dept that if you don’t click on the link to update your tax information that could affect your pay. Phishing signs:

1. External sender address
2. The link is external (always check by hovering over the link).
3. Generic signature.
4. Fake sense of urgency.
5. Scary tactic.
6. Formatting issues.

Never be in hurry to click the links just because the email says so. Pay attention to the details and try to look for any red flags. Whenever in doubt, please confirm with the helpdesk.

This Outlook-themed phish has a lot of the usual red flags:

• The sender is not from UVic or Microsoft
• The greeting is impersonal
• The message contains numerous errors in grammar and capitalization
• The email tries to create a sense of urgency and threatens you with an adverse impact
• Hovering over the link reveals that it does not go to UVic or Microsoft

All of the above signs indicate that the link should not be clicked on.

This phish is circulating today. It is virtually the same as our previous posting just a different sender. The sender is  clearly external. The idea of keeping the same password doesn’t make sense. It is always better to change your password periodically with some new long phrase that you never used before. Our tips to choose a new password are published here:
https://www.uvic.ca/systems/support/loginspasswords/password/passwordtips.php

Here is a screenshot of the phish:

The goal is the same as usual – to steal your UVic credentials. For this purpose they created a fake UVic page – an exact copy of the real one. Please do not be curious and do not click these links, as sometimes they may contain malware to infect your computer instantly. Our experts open those in dedicated isolated environment.

This phish started arriving in the early hours today. The sender display name is formed by attaching _mail.com to the recipient netlinkID. Perhaps the malicious actor thought this would make it look more legitimate?!  The actual sender’s address is external.  Then they use the netlink and the email address of the recipient in the body of the message to make it more convincing.

The goal is the same as usual – to steal your UVic credentials. For this purpose they created a fake UVic page – an exact copy of the real one. Please do not be curious and do not click these links, as sometimes they may contain malware to infect your computer instantly.  Our experts open those in dedicated isolated environment.

Other variations of the subject line have also been seen.

This is a job scam email that is impersonating UVic, specifically the Department of History. There are several red flags that indicate that this offer is not legitimate:

• The sender is not from UVic–it’s a Gmail address. Unsolicited job offers from free email providers should always be viewed with suspicion.
• The capital I’s in the sender display name may look wonky depending on your mail app’s font. That’s because the scammer is actually using lowercase l’s.
• The greeting is impersonal and awkwardly worded.
• There are a few grammatical errors.
• The high amount of weekly pay for a small amount of remote work is too good to be true. Describing an urgent need for students is also suspicious.
• The email asks you to reply with your personal information via text message to get more information about the supposed job.
• The phone number provided doesn’t use a local area code–the area code in the example below is for Southern California!

If you got this email, do not reply to the scammer and definitely do not send your personal information or contact information to their email address or phone number (doing the latter might also incur a charge for long-distance SMS). If you did, contact the Computer Help Desk for assistance.

Update 2022-11-04: we have also seen some later variants of this scam that have added UVic Edge branding to make the emails look more polished and legitimate. The red flags above still apply, including the use of a (different) non-local phone number.

This scam is circulating today. The sender is some external compromised account (but could be any).

Whether a scam that would eventually try to extract money or a phish that aims to steal your credentials, our advice remains the same – never answer by email and never open the links – they may contain malware to infect your computer instantly. Our experts open these in dedicated isolated environments.

Another run of Canada post phish.

This phish is quite similar to the below given Canada post phish including the phishing page. Check the following post to spot the phish signs:

Pending Delivery – Canada Post

 

This phish is a re-run of the following phish already encountered by UVic:

RE: ICT-Service-Desk

Check out the above post to learn more about this phish.

 

This phish tries to convince you to click the link by saying that will keep your email and website safe, but in reality that would achieve the opposite outcome. There are a number of signs that this email is malicious:

• The subject line is empty except for “RE”
• The email did not come from a UVic sender
• The greeting is impersonal
• There are errors in spacing, capitalization, punctuation and grammar
• The signature line is generic

As always, hover over the link before clicking on it (or hold down your finger on it if you’re using a mobile device). While you would see a mention of UVic Webmail in the destination address, you would also see that it ends in “.weebly.com”. That means the page is hosted on the Weebly free website builder. Phishers often abuse Weebly and similar services to create phishing pages. A real UVic login page would never be hosted on a free website builder.

If you clicked the link, reach out to the Computer Help Desk or your department’s IT support staff immediately.

This high volume phish has been circulating since last evening. The subject of the phish might vary with different department names. This phish has been observed by other institutes as well:

1. https://www.wku.edu/its/phishbowl/emails/index.php?view=article&articleid=8234
2. https://itsecurity.umbc.edu/critical/post/98547/

This phish seems to be a way of spreading fake news. Please don’t respond to this email or forward it to your contacts.

 

This Canada post impersonation delivery phishes have become common occurrence at UVic. But this morning, UVic users received it in bulk.

It claims to be Canada Post but the email address is not from Canada Post domain. The link in the email is also not hosted on Canada Post domain. The email creates a fake sense of urgency that a package is waiting to be delivered. These types of emails can create curiosity in users to know what package they might have received even if they didn’t order it. The delivery cost demanded is quite low which is to let the user’s guard down and the user might take the risk and visit the link. The phisher’s here are not after the amount but the card information that a user might fill out on the phishing page hosted on the given link which is very good imitation of Canada Post page. (The link was investigated by InfoSec in a locked environment.)

Always think whether you were expecting a delivery or not. It is always best to confirm with the organization mentioned in the email via other means of communication before proceeding any further.

Phishing page:

The shared document phishes can get tricky to spot as the sender email address is a standard Microsoft sharepoint address. Hence, it becomes difficult to find out whether the document shared is phish or not. In such cases, first and the foremost thing is to think if you were expecting such document to be shared, do you know the sender (identified by sender name) if yes then confirm with the sender by other means of communication. If a UVic user will send a shared document from their online sharepoint, then the link will be hosted on ‘https://uvic-my.sharepoint.com/’ which is not the case for the link in this phish email. Always check the link by hovering over the link, never by clicking the link.