Phish with Excel file attachment

A phish with an attached Excel file has been circulating this morning. It uses different subjects such as “Fwd: Products#<random number>”, “PO# <random number>”, or “Scan#<random number>”.

These phishes are being sent by many different random senders. The email body also varies, but it generally mentions a payment that needs to be remitted. In any case, the attacker is luring users into opening the attachment so that malware can be installed on their devices.

Please be wary of email attachments and open only the ones you are expecting and that were sent by a known sender. If still in doubt, always confirm with the sender using known contact information.

Phish with malicious Excel file attached.

Subject: PO# W1834414259
Sender: Mariana Benitez <****@minaretmusings.com>
Attachment: scan-28-02-24_591.xlsx

Dear,
Repairs made to both the tire changer and the balancer. 2024 spec updates for the alignment machine.
Your invoice-RCH224-735 for 2,560.31 is attached. Please remit payment at your earliest convenience.
Thank you for your business – we appreciate it very much.
Please make payable to our company.

“Hello!” or “Greetings!” job scam email

These job scam emails appear to have come from compromised accounts at another Canadian university. Always evaluate whether the content of the email looks legitimate, even if it came from what would normally be a reputable source (even if it came from within UVic!).

This email has many of the typical signs of a job scam:

  • The email directs you to reply to an AOL email address from your personal email. If you are asked to apply to a job by contacting an address from a free email provider, in all likelihood it’s a scam. The request to shift to personal email is a tactic to shift the conversation to a place that UVic can’t monitor.
  • The salary is too good to be true.
  • There are no details about what the job involves.
  • There are grammatical errors including mistakes in capitalization.
  • The email claims to offer a job with the World Food Programme, but they did not send the message and the name of the contact person doesn’t match the name of the sender of the email.

If you replied to the scammer, contact the Computer Help Desk immediately for assistance.

Job scam email claiming to offer a generously paid part-time job with the World Food Programme

From: [redacted]@**********.ca
Subject: Hello!

I am sharing job opportunity information to anyone who might be interested in a World food programme Part-Time job with a weekly pay of $600.00. If interested, kindly contact Dr. Mattias on his email address. b******b@aol.com for details of employment.

You can contact him from your private E-mail address only.

“Work-Study Opportunity” and similar job scam emails

These job scam emails are very similar to previous ones we’ve written about. Scammers are continuing to try to take advantage of students’ financial need by offering a relatively generous amount of pay for a small amount of remote work.

Other red flags:

  • The email came from a Gmail address. A real UVic job offer would come from a UVic email address. Job offers sent from addresses from free email providers are typically scams.
  • The name of the sender doesn’t match the name of the professor supposedly offering the job. Inconsistencies like this can be a sign of a scam.
  • The scammer wants to shift the conversation to Google Chat. This is a common tactic to move the conversation away from UVic email to evade monitoring.

As always, if you replied to this email, contact the Computer Help Desk immediately for assistance.

Job scam email impersonating a UVic geography professor, sent from a Gmail address

From: Nwabueze Ekene Precious <[redacted]@gmail.com>
Subject: Work-Study Opportunity

The service of a student is urgently required to work part-time as a student assistant and get paid $250 weekly. Tasks will be done remotely and work time is 8 hours/week. To apply, kindly submit your resume and a Google chat email address to the Department of Geography via this email address to proceed.

Sincerely
D***********
Professor
Department of Geography
Office: [redacted]

Please find the attached

Just because a message appears to come from within UVic doesn’t necessarily mean it actually did. This example actually came from an external source but spoofs a UVic sender address.

Always be wary of unsolicited or unexpected emails that contain attachments since the attached file may contain malware, as is the case with this email’s ZIP attachment. The brief, vague message body that gives no indication of what the supposed documents are about is an additional red flag. If you clicked on the attachment, contact the Computer Help Desk or your department’s IT support staff immediately for assistance.

Vague email with a spoofed UVic sender that contains a malware-laced ZIP attachment

From: *******@uvic.ca
Subject: Please find the attached

Attachment: [ZIP file] Docs.zip (3 KB)

Please find the attached documents.

Thanks.
Khelmer

You have got an urgent message from The University of Victoria

This targeted phishing email takes the unusual step of asking you to send a text message to a phone number. Trying to quickly shift to a different communication method is often a red flag; phishers (and scammers) do this to move the conversation to a place that UVic can’t monitor. Real UVic communications will never ask you to send a text message to upgrade/keep/secure your account, and the fact that the phisher is using a phone number with a New York City area code is a further sign that the email is not legitimate.

Other red flags include:

  • The email was sent from a Gmail account. Note how the email system has added a warning that you don’t often get email from this address; this can be a sign that the sender is not someone you know already and may not be trustworthy.
  • The greeting is impersonal.
  • The email threatens you with an adverse impact to try and get you to act hastily.
  • There are a few grammatical errors and awkward wording choices.

If you texted the phone number in the email, disregard any instructions in any replies you receive and block the phisher’s phone number. You will also need to keep an eye out for future attempts to phish or scam you via SMS or phone calls as your phone number would now be in the hands of someone malicious.

Spear phishing email claiming to be from UVic when it actually came from a Gmail address. Instead of including a link, it asks you to text an American phone number.

From: ke*****1280@gmail.com on behalf of University of Victoria <g1*****+UniversityofVictoria@gmail.com>
Subject: You have got an urgent message from The University of Victoria

[You don’t often get email from g1*****+universityofvictoria@gmail.com. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification]

Dear User,
This is to let you know that our web-mail server will be upgraded and maintained soon.

If you don’t want your e-mail account to be terminated during the upgrade,

Send your “UV-UPGRADE” to (646) ***-****

You will receive instructions on how to upgrade your account via text message.

If you do not comply with the above, your email access will be disabled.
Please accept our apologies for any inconvenience this may cause.

Regards
System Administrator
University of Victoria

Request for refund

This phish was received by many UVic mailboxes this morning. It seems to come from a UVic address, but there is no such address – it is spoofed by the external sender. However, they set an external “reply-to” address. Please do not reply with anything and do not open the attachment. The zip contains a malicious file loaded with trojans.

Hello!

I hope this email finds you well. I am writing this mail to inform you that the item i purchased has been damaged.
if i wish to return it and get a refund, i would like to know the procedure. I tried contacting the phone number, but
none of my calls was answered.

I would appreciate it if you could look into this and get in touch with me as soon as possible.

Attached is the proof of the damaged item.

Thanks.

Peterson Webley..
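The header red flags described in the write-ups above (a spoofed UVic sender with an external reply-to, the institution's name on a free-mail address, a ZIP attachment) can be checked mechanically. The following is an added example, not code from UVic; the messages, addresses, file name, display-name keywords and the `freemail.example` domain are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_NAMES = ("university of victoria", "uvic")  # assumed display-name keywords
FREE_MAIL = {"gmail.com", "aol.com", "freemail.example"}  # last one is a stand-in
ARCHIVE_EXT = (".zip",)

# Constructed messages: addresses, Reply-To and file name are placeholders.
SPOOFED_REFUND = """\
From: Customer <customer@uvic.ca>
Reply-To: customer@mailbox.example
Subject: Request for refund
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Attached is the proof of the damaged item.
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="proof.zip"

placeholder bytes, not a real archive
--b1--
"""
FREEMAIL_NOTICE = """\
From: University of Victoria <notice@freemail.example>
Subject: You have got an urgent message

Dear User,
"""

def domain_of(header_value):
    """Lowercased domain of the address in a header value, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def red_flags(raw):
    """Return the red flags that the headers and MIME parts of a raw message show."""
    msg = message_from_string(raw)
    display = parseaddr(msg.get("From", ""))[0].lower()
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    flags = []
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to domain differs from sender domain")
    if from_dom in FREE_MAIL and any(n in display for n in ORG_NAMES):
        flags.append("institution name on a free-mail address")
    if any((p.get_filename() or "").lower().endswith(ARCHIVE_EXT) for p in msg.walk()):
        flags.append("archive attachment")
    return flags

if __name__ == "__main__":
    for raw in (SPOOFED_REFUND, FREEMAIL_NOTICE):
        print(red_flags(raw))
```

A differing Reply-To also appears on legitimate mailing-list mail, so these flags are triage signals to combine, not verdicts on their own.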

 

Please confirm receipt..

Always be extremely wary if you get an unsolicited email with a ZIP attachment, especially if the sender address isn’t one that you recognize. There’s a good chance the attachment contains malware, and that holds true for this example. The vagueness of the message and poor grammar are also red flags.

Do not click on the attachment–if you did, contact the Computer Help Desk or your department’s IT support person immediately! Also, do not forward these sorts of emails, even if your intent is to warn others, because forwarding the message inline will leave the attachment exposed where someone else can mistakenly click on it (it’s safer to send a screenshot instead).

Malicious email containing a malware-laced ZIP attachment.

From: ga******@******group.com
Subject: Please confirm receipt..

Attachment: [ZIP file] 87645345.zip (4 KB)

Hello,

Please acknowledge upon receipt of my today payment.
via (e-transfer)

Thanks

Irene Cordero.

You received a new Voice_message Phish

This phish has been making its way around many Canadian higher education institutions. It’s an email message asking you to click on a link to listen to a voicemail message.

The ‘This Message has been scanned by antivirus and its safe’ messaging is a commonly used hook to make the email appear more legitimate. Other tricks the attacker is using here include using a sender name spoof of ‘VoiceMail’, including the recipient email address as an ‘ID’, and including a nearly current date and time. The phishing email also attempts to convey urgency by stating the message will be deleted soon.

Some clear signs that this is a phish are that the sender is not from uvic.ca, and if you hover over the ‘Listen’ link (or long press on it on a mobile device), you can see it does not go to a uvic.ca website.

As usual, we recommend reporting phishing messages and deleting them. If you did click the link – even if you didn’t enter credentials – please change your passphrase and advise your IT support so they can check your device and advise Information Security to look for anything suspicious on your account and device.