You have a pending teams notification

This phish is circulating today, but we have seen similar ones in the past and there will probably be more in the future. What they have in common: they contain a malicious .htm or .html attachment.

The one from today (see a screenshot below) raises too many red flags:

  • It comes from an external sender.
  • Voicemail from Teams???
  • It claims the size to be 12Mb, but the attachment is actually very tiny.
  • A voice recording wouldn’t come in an HTML file.

If you are not sure whether an attachment is legitimate, ask the Helpdesk or your dedicated Desktop support person, and never open it.

This one in particular contains a link which loads automatically in the browser when you open the attachment. That page contains scripts that start downloading malicious content onto your computer.
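The red flags listed above can also be checked mechanically at a mail gateway or during triage. The following is an added example, not code from the original post: the message is constructed, the addresses under external.example and landing.example are placeholders, and the function and flag names are hypothetical.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

ORG_SUFFIX = "@uvic.ca"
# Constructs that make a browser load another page as soon as the file opens.
AUTO_LOAD = re.compile(rb"http-equiv=[\"']?refresh|location\.(?:href|replace|assign)", re.I)
CLAIMED_SIZE = re.compile(r"(\d+)\s*Mb", re.I)

def build_sample(sender, filename, attachment_text, subtype):
    """Constructed message carrying only the traits the post lists."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, "someone@uvic.ca"
    msg["Subject"] = "You have a pending teams notification"
    msg.set_content("New voicemail attached (12Mb).")
    msg.add_attachment(attachment_text, subtype=subtype, filename=filename)
    return msg.as_string()

def triage(raw):
    """Return the red flags from the list above that this message raises."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    # From is trivially spoofed, so an internal-looking sender clears nothing.
    if not parseaddr(str(msg["From"]))[1].lower().endswith(ORG_SUFFIX):
        flags.append("external-sender")
    body = msg.get_body(preferencelist=("plain",))
    claimed = CLAIMED_SIZE.search(body.get_content() if body else "")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not (name.endswith((".htm", ".html")) or part.get_content_type() == "text/html"):
            continue
        data = part.get_payload(decode=True) or b""
        flags.append("html-attachment")
        # Assumption: "Mb" in the lure means megabytes; flag if under 1% of the claim.
        if claimed and len(data) < int(claimed.group(1)) * 1024 * 1024 // 100:
            flags.append("size-mismatch")
        if AUTO_LOAD.search(data):
            flags.append("auto-load")
    return flags

PHISH = build_sample("Teams <notify@external.example>", "voicemail.htm",
    '<meta http-equiv="refresh" content="0; url=https://landing.example/">', "html")
BENIGN = build_sample("Colleague <colleague@uvic.ca>", "notes.txt", "Minutes.", "plain")
```
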

Friday Campaign #2: Fake UVic Shared Document

Malicious PDF attached to fake UVic Shared Document phishing campaign.

No content or context is included in the message. Note the external warning banner and the non-UVic email address.

We recommend that where possible you configure your email client to not only show the “Friendly Name” of the sender but also the full email address.

Account Termination (action requested)

Friday Campaign #1: Fake Account Termination campaign with link landing on fake Outlook Web Access (OWA) logon.

Note the sense of urgency this creates.

Reminder that any account access concerns can be remediated with a consult with the Computer Help Desk. This is not a communication from our University Systems team.

Fake November HR /Payroll Notice

This morning’s fake HR/Payroll notice redirects to a suspect logon form in an attempt to grab your credentials (username/password). This is not a legitimate mailing from UVic or from our HR/payroll office.

If in doubt, avoid the links and contact the Payroll office directly to verify.

UVic Covid-19 Support

This morning’s phishing campaign is a fake Covid-19 campaign. Although the scammer made use of our logos etc., the link goes to a malicious cabanova.com web page.

This is not a legitimate mailing or UVic funding campaign. Please advise your IT Support contact or the Computer Help Desk if you have clicked this link.

UVic web service is currently undergoing scheduled maintenance.

Many UVic users received this phish today. It uses the UVic logo, and the malicious link is disguised to look as if it belongs to UVic. In fact it points to an external address, which you can see by hovering the mouse pointer over the link.
The sender is also obviously external.

As always, we suggest that you not be curious and not click on such links, even for a quick look. Some of them may contain malware and infect your machine almost instantly. Our experts open those in dedicated isolated environments.

Your email deactivation will complete in less than 48 hours.

This phish was received by numerous UVic recipients this morning. The malicious actors used the usual tactic: scaring the recipient into acting fast to prevent their account from being deactivated.
The link points to a webpage in the .hu domain which belongs to Hungary.
The senders’ addresses differ, but most appear to be in the gov.jm and go.ug domains.

Your account exceeded the limit…

This phish is circulating at UVic today. The malicious actors put in more effort this time. Not only is the sender spoofed to look like a legitimate UVic address, but they also used the UVic logo and the real address and phone number of the UVic helpdesk.
The link points to a webpage in Mexico designed to look as if it belongs to UVic.

And below is a screenshot of the fake page designed to steal your UVic credentials. As always, we suggest that you not be curious and not click on such links, even for a quick look. Some of them may contain malware and infect your machine almost instantly. Our experts open those in dedicated isolated environments.

 

Blocked access to your email

Another phish of this kind is circulating today. It uses the usual tricks: something is wrong and you should act quickly. The link, however, points to an external page.
That page looks like the standard OWA (Outlook Web Access) and is designed to steal your UVic credentials. See the screenshots of the phishing email and the OWA page below. Note the sender’s address.

As always, we suggest that you not be curious and not click on such links, even for a quick look. Some of them may contain malware and infect your machine almost instantly. Our experts open those in dedicated isolated environments.

 

uvic.ca IT-Service Admin 11/3/2021

Notice the green “From a trusted sender” banner in this email. That is not a banner that the UVic email system added; it was actually added by the phisher to make the message look more trustworthy. Interestingly, the phisher also uses the recipient’s own email address as the spoofed sender.

The phishing link is an interesting example. If you hover over the “Confirm now” link, you’ll see that its destination starts with uvic.ca. But look closely at the domain of the link, that is, the part before the first “/” (outlined in red in the screenshot below). The link actually goes to uvic[.]ca[.]1web-portale[.]ga (square brackets added by me for safety reasons), which is a spear phishing domain designed to trick people into thinking the link goes to the UVic website.
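The same check, reading the host part and asking whether it really sits under uvic.ca, can be automated for links extracted from mail. This is an added example, not code from the original post; the function names and result labels are hypothetical, the paths in the samples are constructed, and the lookalike host is kept defanged in the source and only refanged in memory for parsing.

```python
from urllib.parse import urlsplit

ORG = "uvic.ca"

def refang(text):
    """Undo the [.] defanging used in the post so the URL can be parsed."""
    return text.replace("[.]", ".")

def hostname(url):
    """Return the lower-cased host, i.e. the part before the first '/'."""
    url = refang(url.strip())
    if "://" not in url:
        url = "//" + url          # let urlsplit treat a bare host as a netloc
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def classify(url, org=ORG):
    """'in-domain' if the host is org or a subdomain of it, 'lookalike' if the
    org's labels appear inside some other domain, otherwise 'external'."""
    host = hostname(url)
    # The leading dot matters: a bare endswith(org) would accept notuvic.ca.
    if host == org or host.endswith("." + org):
        return "in-domain"
    labels, want = host.split("."), org.split(".")
    for i in range(len(labels) - len(want) + 1):
        if labels[i:i + len(want)] == want:
            return "lookalike"
    return "external"

# Constructed samples; only the lookalike host comes from the post.
SAMPLES = {
    "https://uvic[.]ca[.]1web-portale[.]ga/confirm": "lookalike",
    "https://www.uvic.ca/": "in-domain",
    "https://notuvic.ca/": "external",
    "https://example.org/": "external",
}

def run_samples():
    return {url: classify(url) for url in SAMPLES}
```

"in-domain" only means the host is under uvic.ca; it says nothing about whether the message that carried the link is legitimate.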

request (for money…)

Today, a lot of UVic employees received an email impersonating a chair/director/manager and trying to extort money. You can see a screenshot below. Clearly the sender is not internal; it is another “director” account registered at Gmail for the sole purpose of scamming. Your director would not ask you for such a favour using their Gmail account. Even better, you can confirm with your director/chair/manager that they would never ask for a favour like that by email.
If in doubt, try to reach them through another channel, e.g. a phone call.

Note also that the scammer failed to capitalize “I” 3 times in that letter. Mistakes like that are common in scams.