Authentication Error – You have some pending messages

Message is advising you that you have pending messages and a warning that you email is blocked. Scare tactic to get you to follow-up quickly

There are two malicious glitch.me links here. One at the time of assessment was broken, the other lands on a Fake Zimbra Email Service logon page.

This is not from the UVic Help Desk.

…@uvic.ca Verification – fake UVic Web App

Attempting to alarm you into clicking the link before you lose your email service, this phishing campaign lands on fake page asking you to verify a captcha prompt before landing on a fake UVic Web App logon page.

This is not a legitimate UVic mailing nor website. When you hover over the provided link you will see that this is not a UVic email service.

Friday Campaign #2: Fake UVic Shared Document

Malicious PDF attached to fake UVic Shared Document phishing campaign.

No content or context included in message. Note the external warning banner and the non UVic email.

We recommend that where possible you configure your email client to not only show the “Friendly Name” of the sender but also the full email address.

Account Termination (action requested)

Friday Campaign #1: Fake Account Termination campaign with link landing on fake Outlook Web Access (OWA) logon.

Note the sense of urgency this perpetuates.

Reminder that any account access concerns can be remediated with a consult with the Computer Help Desk. This is not a communication from our University Systems team.

Fake November HR /Payroll Notice

This morning’s fake HR/Payroll notice redirects to a suspect logon form in attempt to grab your credentials (username/password). This is not a legitimate mailing from UVic nor our HR/payroll office.

If in doubt, avoid the links and contact the Payroll office directly to verify.

UVic Covid-19 Support

This morning’s phishing campaign is a fake Covid-19 campaign. Although the scammer made use of our logos etc., the link goes to a malicious cabanova.com web page.

This is not a legitimate mailing or UVic funding campaign. Please advise your IT Support contact or the Computer Help Desk if you have clicked this link.

Microsoft account team

Another abuse of the wix web hosting service. This one is a fake quota warning attempting to cause anxiety about losing your ability to send or receive email. Consider their warning. Why would you have to verify your account because of a quota block? If you want to check anything related to your “account” ignore the link and go straight to the UVic Portal.

Any email processing issues not quickly resolved by a search of our UVic Support pages can quickly be explained by making a call to your IT Support contact or the Computer Help Desk.

 

Fake Remittance Copy: On Thursday, October 14, 2021

Another one from yesterday posing as a remittance payment. For those of you who handle plenty of accounting related processes, you can be a target here. Others of us expecting payment for some service, if curious or assuming the timing is right, may not recognize the red flags right away. Note sender. Note external banner.

Some UVic staff will expect and deal with external vendors and mailings all the time. So it’s particularly important to use caution. Ask yourself if you are expecting payments, is this a known vendor, do you have a purchase order etc. that matches such a payment?

For those of us that would only expect such a payment from a UVic source, using external banner warnings lets you know this was not sent from UVic. Some guidance on the availability of these banners and other options are available here.

In this case, this is not likely a known or expected sender. Always pause, check the accounts that should have or will receive any expected payments. Verify. Verify.

Pause. Receiving an HTML attachment is likely less common and more often not legit at all.  Any attachment can be problematic or malicious including the common PDF or Word document. Treat any attachment as suspect.

Downloading and executing this malicious .html attachment eventually leads to a prompt for you to give away your credentials by logging in to a fake logon window.

If you have concerns or questions about such an email and/or attachment, or would like another set of eyes to examine the email, do not hesitate to contact your department IT support or the Computer Help Desk.

 

 

If you do not verify your account…

 

One of today’s phishing emails plays on encouraging an urgent response.

There are many flags in this messages.

  • “Your account will be suspended”?? No. Your account will not be suspended. There are many scenarios where you account may become inaccessible. If you cannot rectify it yourself from your UVic Portal,  typically a quick call to the Computer Help Desk should get you going again.
  • Who does the email seems to come from?
  • Why is it being sent to an email that “looks like” a Microsoft email? Is it a legit Microsoft email?? No, it is not.
  • Did you previously receive “multiple confirmations” that were verified to be legitimate? *This is perhaps a play on the volume of email you receive and how busy we are.
  • We will never ask you provide your email, username and password after clicking a link. In that very very rare scenario, you would have requested information but typically we will direct you to go to the UVic Account Portal.

This site will land on a Fake Outlook Web Access  (OWA) logon page. Note that in this case, there is a Wix banner. UVic does not host advertisements on the OWA logon page.

Revised Salary Schedule

Today’s phish is similar to the Updated Salary Schedule campaign we saw on Wednesday, only, instead of a PDF attachment, you are guided to click a problematic link.

You probably were not expecting a revised salary “schedule” and if you were, always best to check with your payroll service. The linked site is currently down but this is not likely the last of the variants of these malicious benefit and salary campaigns that we will see.

ACCOUNT SHUTDOWN NOTIFICATION

A common tactic used by those sending phishing campaigns is to alarm you with urgent and disruptive messaging. They want you to panic and attempt to rectify quickly urging you to click their link. We do not send these sort of mailings. If you discover problems with your account, you can call the Computer Help Desk for assistance.

Although a UVic email was spoofed here, you’ll notice that in this sample there are two external banner warnings letting you know this was not sent from UVic. Some guidance on the availability of these banners and other options are available here.

If such a mailing does seem or look legitimate, PAUSE and instead of clicking links, go to the UVic Portal to check on your account or contact the Computer Help Desk.

Thank you to those of you who continue to report these suspicious emails.

“Unusual Activity” Email with Fake UVic Logon

We are seeing a fake “Unusual Activity” warning asking you to click a non-UVIC link to at 1apps.com. We do not use this service and if ever needing to change or update information with your account, we will not send you a link to do so.

Unusual Activity

For any account updates, changes, verification, etc, always go directly to your “known good” uvic.ca portal instead of following email links.

You also will not receive abrupt threats indicating your account will be terminated or disabled. Any de-provisioning actions will be tied to regular communication protocols typically with much advanced warning.

The link will bring you to a page that does look like uvic.ca with mask mandate banner and all, but pay close attention to the Internet Address. This is not a UVic service.

Fake UVic Logon

Thank you for your continued reports of suspicious emails. If you have any concerns, please do not hesitate to contact your IT Support, or the Computer Help Desk where they will escalate to us as appropriate.

Fake IT Help-Desk cyberattack case

Another scare tactic. Fake IT Help-desk message reporting high-level case/incident and requesting you to fill out of form to acquire new security software.

Again the sender email looks suspicious. You may or may not see that depending on the email client you are using.

IT Help Desk

The logon page may raise your suspicion as well. If you accidently click and submit your username and password, it will behave as if it was successfully accepted.

You’ll also notice this supposed support site is hosted on *moonfruit.com, another commonly exploited and abused service for phishing campaigns.

logon page

Most major software deployments would typically be coordinated with your assigned IT Support person and commonly there would be some internally shared communication as a precursor to such deployment or notice.

Fake Public Health Agency of Canada Logon and Assessment Form

Taking advantage of the more recent heightened concerns about the Covid19 Delta variant, this phishing campaign leads to a Fake Public Health Agency of Canada, asks you to logon and then asks you a couple of general health questions.

fakecovid

The intent is to capture your login details and acquire sensitive personal health information.

Hovering over the Internet Address/URL in the body and/or if clicked, looking at the full URL, you can see this page is hosted at 000webhostapp.com, a commonly abused domain for such phish campaigns.

Depending on how you view this email, you may or may not note the suspicious email address as well. See above capture.

covidform

If you do not detect this as a phishing scam and do submit information in the form, it will quickly accept your submission and redirect to an IPAC site. 

ipac
IPAC

Please continue to be vigilant in reviewing these emails and thank you for all of the phishing submissions. Do not hesitate to contact your support person should you have any concerns.