Month: January 2022

This phish was received by many UVic recipients today.  The usual tactic is employed – to scary the recipient to act fast, otherwise their password (allegedly) would expire. We don’t send such emails.
Note also the sender address — clearly external.
If you hover the mouse over the link (without clicking!) you will notice it is not a UVic address there. That link redirects to another which contains a CAPTCHA, to imply legitimacy, and after that you end up with the usual login page designed to steal your UVic credentials. The page contains your UVic email address thus implying you are at the right place. You are not.

=================================================================

 

This is how the fake page looks like:

It is important to remember that in some cases just loading the web page may get your workstation infected. This is why we always suggest not to be curious and not to click on such links even for a quick look. Our experts open those in dedicated isolated environments.

Always be wary of shortened URLs in emails; phishers often use them to hide the true destination of the link, as is the case in this example. The phisher made the effort to pick a TinyURL containing UVic to make it look more legitimate. Also, note that this was sent from a Gmail address, which is a sure sign that this is not from a UVic system.

You can often find the real destination of a shortened link by using an unshortening service like unshorten.it – below is the result of running it on that TinyURL, and you can see the destination is not uvic.ca.

This phish claims to be from canada.ca and the Canadian health care system, but hover over the link and you will find that it does not actually go to canada.ca or a site on .gc.ca (it actually goes to an out-of-country site). Similarly, the sender address is also not from either canada.ca or a .gc.ca site.

For information about the real COVID-19 proof of vaccination, click here, or go directly to canada.ca and find the appropriate link on the homepage.

COVID-themed phishes will continue to be common while the pandemic is ongoing. This one sounds too good to be true–saying that your email address was randomly selected to received sponsored products is just a ploy to get you to click on a phishing link disguised as a survey.

An interesting tactic that the phisher employed in this one is attaching a calendar file containing the same phishing link as the email message itself. This is because some calendars may default to automatically adding calendar items from incoming emails. Worse, some may even default to triggering notifications for them on your device even if you didn’t RSVP, meaning the link could appear among your device notifications (a place where the phisher is hoping your guard will be down so that you’ll be more likely to click the link).

You can read more about calendar phishes in this article from WIRED.

Similarly to our previous post, this phish was received by many UVic users today.
Such attachments may contain malicious scripts and macro’s. They may come from external senders but they may come also from internal compromised accounts. If unsure, ask your desktop support person for help, don’t be curious and don’t rush to open the attachments.

This generic phish was sent to a large number of people today. Always hover over the link before clicking to check if the link is safe If you were to hover over the link you would find it does not go to uvic.ca or a Microsoft site, indicating the link is not safe.

If you clicked on the link, contact your department’s IT support staff or the Computer Help Desk immediately.

Legitimate cloud file sharing services like Google Docs and Microsoft SharePoint Online are frequently abused by phishers. The examples below attempted to impersonate one of UVic’s deans in an attempt to make the phish look legitimate, but note the errors in capitalization and grammar in the document description.

Version sent via Google Docs:

Version sent via SharePoint Online:

Both versions lead to a file with a Google Docs logo and instructions to click another link to view the real contents (which is a red flag as well). That link goes to a phishing page on Google Forms. Never enter login credentials on Google Forms or other free web form builders; no genuine login page would ever be hosted there.

Update 2022-01-19: there is also a version from SharePoint Online that impersonates President Kevin Hall.

Many UVic users received a phish with this subject today. The text of the email looks quite trivial (see a screenshot below) but it leads to a very well copied fake UVic login page (also shown below). Another variation leads to a fake VPN login page. Note the address of the sender is external. Also it is easy to spot the links are external if you hover with the mouse cursor on those.  Please do not click on them, do not be curious. Your computer may get malware even just by visiting such pages. Our experts investigate them by using specially  isolated computers.

The email:

 

The fake login page:

The fake VPN login page:

“Voice mail” phish has been around for years.
Yet some people see it for the first time and may fall victims. Generally it claims you have a voice message to hear. You click on the attachment but rather than a voice recording it is a html file which contains malware, or in more sophisticated cases – it redirects you to an external web page where you are supposed to hear the promised recording. That page may or may not require credentials – if you put your UVic credentials they get stolen and the attacker has access to all UVic resources that you have access to. The “recording” may in fact be malware which will take control of your workstation the moment you load it.  Moreover in some cases just loading the web page may get your workstation infected.

This is why we always suggest not to be curious and not to click on such links even for a quick look. Our experts open those in dedicated isolated environments.

Same trick is applied with all kinds of  alleged “documents”, for example the subject “Scanned documents” is heavily used by scammers.

---

Note the sender’s address and the .htm attachment.