Document shared with you: “Summer Faculty Bonus.docx”

Another massive phish today comes from Google Docs and points to a malicious document. The subject contains the name of the document.

Please do not open the document and do not enter any credentials.
A screenshot of the phish is shown below.

Andrew Shepherd shared a document
Andrew Shepherd (***.edu) added you as an editor. Verify your email to securely make edits to this document. You will need to verify your email every 7 days. Learn more[link to the malicious document]

Vasco Gabriel shared a file with you.

Summer Faculty Bonus.docx

Open[link to the malicious document]

Use is subject to the Google Privacy Policy[link to the google policy].

Account Storage

This phish has been circulating since yesterday. It is clearly coming from an external email address. There is no personal greeting, and the whole text is pretty generic; it does not even try to imply that it is UVic related. The goal, of course, is to harvest credentials. Please do not be curious and do not click these links, because sometimes they may contain malware that infects your computer instantly.

Screenshot of the phish message with subject "Account Storage"

Subject: Account Storage

We have noticed some unusual activity and the warning limit of your storage email account. To ensure the security and increasing your mail storage, please click the button below:

Increase Mail Storage[link to phish]

If you cannot click the button, please click here.
Administrator
Help Desk

Salary Increase Notification Letter

Who wouldn’t like a sizable salary increase, especially in these times when the cost of living has gone up so much? But that’s precisely what phishers are trying to prey upon when they craft these fake salary increase emails. Thankfully, they left plenty of red flags that you can look for to determine this email is fake:

  • The email did not come from UVic–a real salary increase notice would come from a UVic email address.
  • The greeting is generic and impersonal.
  • The salary increase amount is too good to be true, especially since it’s not spread out over multiple years.
  • There are a lot of spelling and grammar errors in both the email and the file name.
  • The signature block is generic and doesn’t mention UVic.

All of those items are signs that you should not open the attachment, as it will either contain phish/scam content or malware.

InfoSec ran the file through some specialized tools to safely examine the content. The results showed the file simply says that the document is protected and that you have to click on a link to view the actual content online. If you open a file and see something like that, contact the Computer Help Desk or your department’s IT support staff immediately for assistance, as that’s a sign that the file is not legitimate.

A phishing email claiming to offer you a 16.89% salary increase and directing you to open a suspicious PDF attachment


Subject: Salary Increase Notification Letter
From: Payroll Department <[redacted]@********u.edu>

Attachment: [PDF icon] Salary-Increasment-July…    80 KB

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Dear All,

Sequel to last week notification, find enclosed here-under the letter summarizing your 16.89 percent salary increase starting 21 July 2023

All documents are enclosed here-under:

NOTE:  Your Access is needed to go through the salary increment letter, Initial Access is Salary

Payroll & Employee Relations

Job Title

If you get an unsolicited email with an attachment and you don’t recognize the sender, be extremely wary, especially if the message is very vague and only tells you to open the attachment. The vagueness is a ploy to try and get you to open the attachment out of curiosity. Don’t open such attachments! Many contain malware to infect your computer, and even ones that don’t are likely to either load a phishing site or contain a scam.

InfoSec staff use specialized tools to examine the contents in a secure manner. When we examined the attachment for this phishing email, it turned out to contain a job scam pretending to be someone from the World Health Organization. To quickly recap, here are the red flags that can help you identify the offer as a scam:

  • The pay is too good to be true–this one offered $500/week for only a few hours a week of simple tasks.
  • The sender does not match the name of the person supposedly offering the job.
  • You do not need to go through an interview or meet your supposed employer (either virtually or in person) before getting the job.
  • The email asks you to reply and/or provide contact information for a different communication method such as personal email, SMS or Google Chat. This is a common trick that scammers use to move the conversation to a place that cannot be monitored by UVic.

We have many other posts on job scams that are worth a read if you want to learn more about how to spot them.

Scam email with a vague message asking you to open a suspicious attachment called "Remote Job Details.docx"


Subject: Job Title
From: M******** Arrizki <m******arrizki@iconpln.co.id>

Attachment: [Word document icon] Remote Job Details.docx    23 KB

VIEW ATTACHED FILE FOR DETAILS


This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. PT. Indonesia Comnets Plus (ICON+) is neither liable for the proper and complete transmition of the information contained in this communication nor for any delay and its receipt.

A Little Request

Please be aware of this job scam, which tries to lure users with a too-good-to-be-true offer. Although it is well written, one can still spot the phishing signs: the sender name and the signature name don’t match. The email mentions a college website, whereas ours is a university; clearly this email was used to target some other institution and has been reused for our environment. The pay offered is way too high for the job described.

Here is a BBB article which describes such job scams in more detail:

https://www.bbb.org/article/scams/24708-scam-alert-pet-sitting-job-is-too-good-to-be-true

Never be in a hurry to give out your personal information for job offers; always look for warning signs. Whenever in doubt, contact the helpdesk.

Subject: A Little Request
From: Ashlie Roberts [redacted external sender address]

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Hello,

I hope this message finds you well. As a former staff member of the college, I recently came across your email on the College website. I wanted to reach out to you regarding an exciting opportunity. My uncle will be relocating to the college area this summer, and he is in need of someone who can provide care and attention to his beloved pets.

Specifically, he is looking for someone who can take care of his furry companions by sitting with them, taking them for walks, and ensuring they are fed properly. To make this arrangement mutually beneficial, he is offering a competitive weekly payment of $400.

If you happen to know any staff or students who might be interested in dog-sitting, I kindly request you to refer them to my uncle. They can simply send an email to [external outlook email for contact], providing their name, phone number, and email address. This will allow my uncle to get in touch with them and discuss the full terms and requirements of the job.

Thank you for your time and assistance. Your referral could potentially help my uncle find a reliable and caring individual to take care of his fur babies. Please feel free to reach out if you have any further questions or need additional information.

Best regards.

Christopher Rosenfelt

Dear UVIC.

This job scam phish, which spoofs an email address from another Canadian institute, has been circulating today. Here is how you can spot this scam:

  1. The subject doesn’t match the content of the email.
  2. The sender name and the signature name are different.
  3. The offer is too good to be true, paying way too high a wage for surveys.
  4. An external Gmail address is provided for contact, which belongs neither to the sender’s institute nor to the company mentioned in this email.
  5. An alternate email address and phone number are requested; scammers use this tactic to evade detection by the UVic network protections in place.
  6. There are spelling and grammatical mistakes.

Please be aware of such scams and always take a moment to look for red flags. If you have already fallen for this scam, please immediately stop any further conversation with the scammer and report it to the helpdesk or your departmental IT support.

Job scam phish from a spoofed account of another Canadian Institute with the subject "Dear UVIC.".

Subject: Dear UVIC.
From: [redacted sender address]

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Dear University of Victoria Students/Staffs/Non-Staffs,

I am introducing you to a part time opportunity, you can show interest and apply after reading.

Opinion Outpost, A leading agency specialized in Global Customer Service Research, is expanding customer service research projects in Canada. This project takes place every week, they need to recruit Shop Elevators to do surveys on Local retail stores in your environment. Applications are welcomed from qualified individuals (18+) to become Store Evaluators. You will get paid $400 – $500 on each assignment/evaluation

JOB DESCRIPTION:
* You will be assigned to visit a Retail store.

* You will be sent funds and instructed to purchase a few items from the store. You will then finish an on-line questionnaire to share with us your customer experience.

* Most of the time you will only need to spend 20 minutes on the visit.

To register for this survey, you are required to fill out the form below and send it to: [scammer’s gmail address]

Full Name:
Address:
Alternative Email Address:
Cell Phone Number:

Thank you for the participation, you will be contacted as soon as your application has been received.

Regards,

Basil Mervyn.
Recruitment and Job Evaluation Advisor.
Opinion Outpost.

Work Part-Time

Similar to cases we saw in May and June, job scammers are impersonating real UVic professors to make their fake offers look more legitimate. The red flags remain the same as before:

  • The emails are coming from Gmail addresses. A legitimate opportunity should be coming from a UVic email address.
  • The sender name does not match the name of the professor supposedly offering the opportunity. Inconsistencies like this are often a sign of a scam.
  • The salary offered is too good to be true, especially for a small amount of casual work to be done in your free time.
  • The email requests your contact information for a different communication method, in this case Google Chat. This is a trick to move the conversation to a place that can’t be monitored by UVic.

Do not reply to these offers–these scammers are usually trying to defraud you of money in one way or another. They may ask you to transfer money using your own funds (with a promise to reimburse you that will never materialize) or ask you to buy gift cards and send photographs of them. If they ask for personal information such as your driver’s licence or passport, do not provide it or you may be at risk of identity theft.

If you responded to the scammer, contact the Computer Help Desk for assistance, especially if you sent money or personal information. If you forwarded the email to other people, recall the message and warn the recipients as soon as possible.

Job scam coming from a Gmail account that impersonates a UVic professor from the Department of Economics.


From: Franka Arden <farden***@gmail.com>
Subject: Work Part-Time

The service of a Department Assistant is urgently required to work part-time 12hours/week and get paid $650 weekly. Tasks will be carried out remotely in your free days/time.
If interested, submit a copy of your updated resume and a functional google chat email address to our Department of Economics via this email address to proceed.

Sincerely
Dr. [redacted]
Associate Professor
Department of Economics
Office: BEC ***

Please

Gift card scammers impersonate people in positions of authority to try to make requests look legitimate and prey on people’s desire to be helpful. This example impersonates UVic President Kevin Hall, but other popular impersonation targets include VPs, faculty deans and directors.

Always pay attention to the sender address for emails that claim to be from someone in a position of authority. This one came from a Gmail address, which is a big sign that this email is not really from the president. A real email from the president or any other UVic authority figure would come from their UVic email address (although you still have to be wary in case that was spoofed).

Another bad sign is the fact that the scammer asks to continue the conversation via text messages and wants your phone number for that reason. Requesting your contact information in order to move the conversation to a different method is a common trick that scammers use to avoid detection. Finally, the errors in punctuation and capitalization and the overall vagueness of the message are also signs that this request is not legitimate.

If you replied with your cell phone number, ignore any text messages that come from the scammer and reach out to the Computer Help Desk or your department’s IT support contact for assistance. You will also need to be on the lookout for future phishing and scam attempts via phone or text message because your phone number is now in the hands of a scammer.
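
Several of the red flags repeated across the posts above (a free-mail or external sender, a sender name that does not match the signature, a request to move to another channel, an unsolicited weekly pay figure) can be checked mechanically as a triage aid. The following Python example is added here and is not a UVic tool; the `uvic.ca` default, the free-mail list, the regular expressions and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
CLOSING = re.compile(r"^(best regards|regards|sincerely|thank you|thanks)[.,]?$", re.I)
CHANNEL = re.compile(r"google chat|\bsms\b|phone number|alternat\w* email|\btext (me|you|back)\b", re.I)
WEEKLY_PAY = re.compile(r"\$\s?\d{3,}[^.\n]{0,20}\bweek|\bweek\w*[^.\n]{0,30}\$\s?\d{3,}", re.I)
TITLES = {"dr", "prof", "phd", "mr", "mrs", "ms"}

def name_tokens(name):
    # Lower-cased name words with titles such as "Dr." removed.
    return {w for w in re.findall(r"[a-z]+", name.lower()) if w not in TITLES}

def signature_name(body):
    # First non-empty line after a closing such as "Sincerely", else None.
    lines = [line.strip() for line in body.splitlines()]
    for i, line in enumerate(lines):
        if CLOSING.match(line):
            return next((l for l in lines[i + 1:] if l), None)
    return None

def red_flags(raw, org_domain="uvic.ca"):  # org_domain default is an assumption
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body, flags = msg.get_payload(), set()
    # Exact domain or a true subdomain only, so "notuvic.ca" stays external.
    if domain != org_domain and not domain.endswith("." + org_domain):
        flags.add("freemail_sender" if domain in FREEMAIL else "external_sender")
    signed = signature_name(body)
    if signed and display and not name_tokens(display) & name_tokens(signed):
        flags.add("sender_signature_mismatch")
    if CHANNEL.search(body):
        flags.add("asks_to_move_channel")
    if WEEKLY_PAY.search(body):
        flags.add("weekly_pay_offer")
    return sorted(flags)

# Constructed sample modelled on the "Work Part-Time" message; not a real email.
JOB_OFFER = """From: Franka Arden <sender.placeholder@gmail.com>
Subject: Work Part-Time

Get paid $650 weekly; submit a resume and a functional google chat email address.

Sincerely
Dr. Jordan Example
"""
if __name__ == "__main__":
    print(red_flags(JOB_OFFER))
```

The From header can be spoofed and a signature is only found after a recognised closing line, so an empty result is not proof that a message is legitimate.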

Gift card scammer using a Gmail address but claiming to be President Kevin Hall. The scammer is asking for your cell phone number to continue the conversation via text message to avoid detection.


From: Kevin Hall <d******compton0@gmail.com>
Subject: Please


Hello, Got a moment right now?, kindly text back with a number I can text you on.
Kevin Hall, PhD
President