Author: Curtis Les

This phish has been making its way around many Canadian higher education institutions. It’s an email messaging asking to click on a link to listen to a voicemail message.

The ‘This Message has been scanned by antivirus and its safe’ messaging is a commonly used hook to make the email appear more legit. Other tricks the attacker is using here includes using a sender name spoof of ‘VoiceMail’, including the recipient email address as an ‘ID’, and including a nearly current date and time. The phishing email also attempts to convey urgency by stating the message will be deleted soon.

Some clear signs that this is a phish are that the sender is not from uvic.ca, and if you hover over the ‘Listen’ link (or long press on it on a mobile device), you can see it does not go to a uvic.ca website.

As usual, we recommend reporting phishing messages and deleting them. If you did click the link – even if you didn’t enter credentials – please change your passphrase and advise your IT support so they can check your device and advise Information Security to look for anything suspicious on your account and device.

 

IT Service Desk Phish

A very generic phish recieved by a lot of UVic users today. Always hover over (or hold your finger on a phone) over the actual link to see if it looks legitimate. Do not click if you are not sure, and ask your IT support professional for assistance.

A typical phish attempting to take advantage of similar, legitimate emails was recieved by a number of UVic users today. The example below received by our Computer Helpdesk shows how malicious actors attempt to hide that this is a fake email in the sender display name, the url display name, and the body of the email. The link uses a URL shortener service and leads to a real looking, UVic branded login page, with your email prefilled in.
If you are not sure if an email is legitimate, ask your DSS, CHD or IT support expert for assistance!

A lot of these phishing emails were recieved by UVic users today. This email appears a bit like a OneDrive file link email.
Always be mindful of the link, actual sending email address, and whether you expected an email.

As usual, criminals will take advantage of current events to try to trick people into clicking and submitting credentials. This phishing email appears more legit than most due to use of a compromised .edu account and clear, proper English. The login page was not very tricky or splashy, with clear red flags such as an unusual website domain and the password field is not obfuscated with ***.

Malicious actors constantly try different methods to trick users. This phish was received by a large number of UVic email accounts and was sent from a compromised account at another Canadian university. Rather than sending a link to click on, it lures people to text a number, that locals will recognize as typically Vancouver area code.

A text to the number will eventually result in a shortened URL that leads to a UVic looking login page to steal credentials if entered. After entering credentials, the page redirected to uvic.ca. The host URL has also hosted a fake login page from the other Canadian university; showing how malicious actors take successful results from one campaign and use it to spread to others to get more accounts.

This month, we became aware that several universities have been targeted by spearphishing emails with serious malware.  These emails use targeted language, come from compromised internal accounts, spoof (appear to be from) another internal account, and copy real email signatures. These tactics are used to make the emails look more legitimate. The emails include an .html or .dat attachment, which leads to an attempt to encrypt machines with Clop ransomware.

More information about these phishing emails, including example screenshots can be found here: https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/, such as this example:

Please report phishing emails using the Report Phishing button or by emailing it as an attachment to the Computer Help Desk.

Digital faxes have replaced most old school fax machines, and we do see fake emails trying to trick users into clicking a link to a fax. If you’re not expecting one, it is suspicious. If it appears to be from a vendor you know, considering calling them to confirm before opening.

This phishing email also used some odd website encoding for some of the text (e.g. ‘visiting below’) that only displays correctly in certain email software, such as Outlook.