Author: Arshdeep

As we were looking forward to the weekend, phishers were looking forward to phishing. This phishing email has the usual telltale signs:

1. External sender, why would an external sender be involved in updating UVic’s privacy policy.
2. The UVic mark in the email is just to trick the recipient’s into believing that it is coming internally from UVic.
3. Threatening in a polite way, if you do not update you would face login interruptions.
4. No salutation or signature.

Don’t be in a hurry to click on links or taking actions suggested by the phisher. Always take a moment to think and look for phishing signs. If in doubt, you can always confirm with help desk or your DSS support.

We received this phish today morning. If looked closely, you can find the phishing signs easily. Here are the signs:

1. Sender posing to be ‘Help Desk’, but email address is external.
2. Generic salutation.
3. The link is external, find out by hovering over the link, hidden behind ‘uvic.ca’ but it is actually an external link. The domain name is created to confuse the recipients as it is ‘uvicca3’ (not uvic.ca). Always pay close attention to the domain name.
4. Vague signature. Not legit helpdesk signature.

Always think and look for phishing signs as those mostly are easy to spot. Do not be hasty in taking the actions recommended in the phish email.

 

This phish was received by many recipients in our organization last evening.

It has usual phishing email signs:

1. Subject line doesn’t make sense, salutation is the subject line.
2. External Sender (see sender email address) but posing to be ‘uvic.ca’.
3. Generic salutation.
4. Sense of urgency, reset password was requested but click to keep your current password. Although, the language used is more confusing than urgency but still can lead to hasty actions on recipient’s part.
5. External link, UVic will never ask you to fill your credentials on external webpage.

If in doubt, better to contact helpdesk or your DSS than clicking on links yourself.

 

This email was received this morning. In the subject line, the ticket no. (in curly brackets) varies by the recipient.

As typical of phishing emails, this email also has signs that reveal it to be phish. External sender (check the email), no greeting, creating a sense of urgency, the link is external (never click on the links, always check by hovering over it), no legit signature.

You can protect yourself just by taking a moment and looking for the phishing signs. Never be in a hurry to take the action suggested by the email, there is a reason why phishers create urgency situation emails. If in doubt, contact helpdesk or your DSS.

This email was mostly received by recipients in a particular department, hence could be a case of spear-phishing.

It had the usual tactics of creating a sense of urgency that your email account is about to expire so verify it by clicking on phisher’s link.

Warning signs: sender name is ‘Uvic Notification’ and sender email is external, vague signature ‘Web Administrator’ (not a UVic signature), if you hover over the link you would know the link is external (you will never be asked to verify a UVic account on a external domain).

Whenever in doubt, you can contact your DSS support or helpdesk for confirmation. It is always best to be cautious than be curious.

Apart from the heat,  Tuesday morning also brought us phish, received by around 700 recipients. This phish has two subjects either ‘Email Update’ or “Urgent Update’.

Signs that make this email a phish:
1. Weird sender name ‘HelpDesk Admin CA’, this title doesn’t make sense and the way it is formatted is phishy.

2. Sender email is not internal.

3. Scary and urgency  tactic, stating that system update detected anomalous activity and a virus, so verify account within 24 hrs.

4. Vague signature ‘Administrative assistance’.

5. Big red signal, hovering over the link reveals that it is not a UVic domain link. Your email is hosted on UVic domain then how putting your credentials on an external website will help in verifying your account?

Always think what would the email look like if it were to be legitimate. Who the sender would be, what would be the sender’s email, what would their signature be, how would they address you, or would the link be UVic domain or an external entity. These simple tricks can help you detect phishing emails. Whenever in doubt, rather than clicking on links, reach out to help desk for confirmation.

This morning we received a phish trying to lure students for a paid part-time job. What makes this email a phish? Let’s see:

1. The phisher claims the email is from UNESCO but the email domain of the sender is not unesco.org.
2.  Too good to be true offer! Trying to attract recipients with a lucrative offer, good old social engineering trick to reply to the phisher.
3. The phisher wants the recipients to contact with an alternate email address. Warning bells!! Why do they want that? To evade the University network  security.
4. Email signature is too vague.

 

The pdf attachment further contains language to trick individuals into replying to the phisher, such as, no need for an interview, if you do a good job they will consider you for a long-term position.

Never reply to emails which try to lure you with too good to be true offers or states an urgent situation. Take your time to think, and then react if need be.

Never open attachments in emails which you were not expecting. This attachment was viewed by Information Security Office in a safe environment.

Yesterday evening we were hit with massive phish, around 11k recipients.

Telltale signs:

1. Giving you the bait of 16.89% salary increase. Too good to be true!
2. Why would your salary increase notice be coming from ‘University of British Columbia’?
3. Although it says sender is ‘University of British Columbia’ but if you look at the email account, it indicates University of Alberta.
4. General Salutation, ‘Dear All’.

Whenever you get such phish emails, STOP before taking any action and THINK who would send you such an email if it were to be true. It would never be an external sender and would never have an attachment.

Never open any attachments  unless you were expecting one.

The attachment actually leads to the following sign in page. Hence, this phish is after your credentials.

 

The attachment was opened by InfoSec team in a safe and locked environment. Never be curious to do it yourself.

The new phish batch just arrived using a different ualberta account. Phishers corrected their mistake and changed the sender to ‘University of Victoria’, so as to appeal to our audience.

As we were enjoying our weekend, phishers were busy phishing.

Sunday morning we received large amount of phish, around 1K recipients. Telltale signs of this phish are: outside sender pretending to be UVic finance payments, no greetings let alone generic one, random attachment. The phisher was very thoughtful and has given the disclaimer at the bottom that it is the responsibility of the recipient if the attachment has virus and it affects your system.

Please be advised never be curious to open attachments if you were not expecting one.

The attachment is a fake PDF document asking for your credentials to open it. Hence, this email was to phish for your credentials.

This attachment was opened by Information Security Office in an isolated environment. Please never try to open any email attachments it can affect your system and UVic network.

 

Major phish hit observed by UVic community today.

This phish has the regular signs of spotting it. Generic greetings, created a sense of urgency that your accounts would be deactivated if not validated, sender is non-UVic: implying to be UVic IT service desk but the email is non-UVic. Hovering over the link reveals that it is not a UVic page, but the phisher tried to confuse by adding ‘uvic-ca’ to the URL.

Kudos to everyone who reported it!!!