Author: Mario Ivanov

Similar to the ‘grand piano’ scam, other large items, such as welding tools, are also being offered in recent scams. The common thread among all these offers is this: if you express interest in the item, you are asked to pay for the shipping costs. The scammers’ goal is to get you to send them a payment using non-refundable money orders or gift cards. However, after you pay the shipping cost, you will never receive the item you were expecting.

From: Dr. <real name of a UVic person>  <****@gmail.com>
Sent: Tuesday, May 7, 2024 3:59 AM
Subject: Disposal of welding machine and tools boxs

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Dear Student/Faculty And, One of our staff in University of Victoria , <redacted name> ( Coordinator, Academic Administration) is downsizing and looking to give away her late dad’s Miller 951937 Dynasty 300 TIG Welder w/ TIGRunner Pkg & Wireless Foot Control, With A Complete Set Of Snap On Tools Box And Accessories. If interested in any of the equipment kindly indicate by sending him a mail via your personal email for a swift response. to indicate your interest in any of the listed items contact him on his private email address (****@outlook.com ) to arrange delivery with a moving company.

Sincerely,

Dr. <redacted real name>

MEMBER OF THE BOARD

Practically this is the same scam that we posted about last time. It was received by many UVic recipients last night. The text is the same as before, the sender is some compromised account at another organization and the subject this time is just “WPF”.  Please do not be curious and do not open the attachments in such scams, do not click links and do not reply to scammers (even for fun!!!). By replying you supply back information that your email exist, you are not on vacation, etc.

 

—

I am sharing job opportunity information to anyone who might be interested in a paid World food programme Part-Time job with a weekly pay of $750.00. If interested, kindly contact Mattias on his email address (***@outlook.com) for details of employment.

N.B, this job is strictly a work from home position.

This phish is circulating today. It applies the usual tactics of scammers to scare the potential victims that something is wrong and should should act fast.  The sender is external, the link points to an external site designed to look like a UVic login page with the goal to steal your UVic credentials. Please do not be curious and do not click the links because sometimes they may contain malware to infect your computer instantly.

Here is a screenshot and transcription of the phish:

Your University of Victoria account has been filed under the list of accounts set for deactivation due to retirement/graduation/or transfer of the concerned account holder. But the record shows you are still active in service and so advised to confirm this request otherwise give us reason to deactivate your account.

Please Verify your UVIC account immediately to avoid Deactivation Click

UVIC<link to external site>

Please note this one-time submission and entry only..

Warm Regards,
Office of the Registrar

The tax return season has started, and scammers have begun exploiting this period again. Typically, they try to persuade you to click on a link by pretending that something was wrong with your tax return, or you need to “sign” something, as in today’s example.

Please stay vigilant, do not click on these links. They may contain malware to infect your computer instantly or they might be designed to steal your credentials.

Your request has been processed successfully and is now ready to be signed

Document online <link>

Please view your document securely using the following confirmation code :
050916

This phish was received by many UVic mailboxes this morning. It seems to come from a UVic address, but there is no such address – it is spoofed by the external sender. They set however an external “reply-to” address. Please do not reply with anything and do not open the attachment. The zip contains a malicious file loaded with trojans.

Hello!

I hope this email finds you well. I am writing this mail to inform you that the item i purchased has been damaged.
if i wish to return it and get a refund, i would like to know the procedure. I tried contacting the phone number, but
none of my calls was answered.

I would appreciate it if you could look into this and get in touch with me as soon as possible.

Attached is the proof of the damaged item.

Thanks.

Peterson Webley..

This phish is circulating today. The sender address is spoofed. It has a domain in Germany and the username can be your own netlinkID.  The display name of the sender pretends to be “UVic HR department”.

Please do not open attachments from unknown senders. They may contain malware,  links to malware loaded web pages or links to fake login pages.

Transcript:

Hi <your netlink>, HR Dept. shared a new file “Uvic 2024/25 Salary Adjustment Letter.pdf” with (yournetlink@uvic.ca) via SharePoint for your urgent attention.   Kindly click the Get Your File button below to access it.   GET YOUR FILE

Report to SharePoint © 2024 SharePoint

 

As the holidays approach, phishing attempts related to parcel updates (such as delays, imminent arrivals, tracking information, and requests for confirmation) become increasingly common.
These messages may contain links to malicious sites or fake login pages. An example of such a message that circulated today is shown below. Please resist the urge to click on these links out of curiosity. Instead, hover your mouse over the link to verify that it does not actually lead to the website of the supposed parcel courier.

Hello dear ,

Your DHL Express shipment with waybill number CS/4792938456 is on its way. We will require a signature at the time of delivery. Shipment is subject to delivery duties taxes and clearance fees.

In order to avoid impact on delivery, please complete shipping info safely online to pay, view the calculation and track your shipment here.

Update and Track parcel<link to the malicious cite>

DHL is attempting to maintain a reliable shipping and delivery service for our customers. Thanks for your patience and understanding and wish to thank you so much for using DHL services.

​

Thank you for using On Demand Delivery.

DHL Express – Excellence. Simply delivered.

We received a report of an interaction with a scammer from an employee who was aware of the scam from the outset. We strongly advise against engaging with scammers, even ‘for fun’. Such interactions can inadvertently reveal valuable information, such as the active status of your email account, your work schedule, and more. We’ve redacted the name used by the scammer in this instance, as they were impersonating a real university professor.
The thread begins with a succinct email body, the subject line merely containing the name of the impersonated professor, typically someone in an executive position such as a department chair, dean, or director.

The employee responded as follows:
At this juncture, many individuals might feel a twinge of guilt for overlooking the initial email. This is precisely the reaction the scammer is banking on, despite the fact that there was no previous email. The scammer swiftly replied, revealing their true intent:
There’s always a reason why they can’t purchase the cards themselves. It could be a technical issue, illness, an ongoing meeting, or any number of pretexts.
The employee responded:
A scammer, realizing their ruse has been seen through, might typically abandon their efforts at this point. However, this scammer persisted, sticking to their script as shown below:
Perhaps they believe persistence pays off statistically? That they might eventually convince a potential victim? Unfortunately, we do occasionally encounter victims who purchase gift cards and send photos of the scratched-off numbers to the scammer. This is another telltale sign. Since the scammer can’t physically collect the cards, they request photos of the ID numbers. It’s a good idea to discuss this scenario with your supervisor and confirm that they would never ask you to purchase gift cards.

Remember: It’s always best to avoid giving scammers any information, no matter how insignificant it may seem.

Malicious actors deployed a bunch of phish against UVic recipients today. The trick they apply is to use some authentic text sent by a UVic person. In some cases that’s a mass-mail sent a year ago to hundreds of recipients, in some cases it is just the out-of office message of somebody. In all cases they add a line of theirs on top of the legit text — “please check the attachment”. The sender address is different. The display name may copy a name from the original email thread. The attachment itself contains a link to the actual malicious content. A screenshots of a few examples are shown below. The pdf attachments are usually having a very short name – one or two characters. (however that doesn’t mean that every attachment with a long and meaningful name is legit). Be vigilant, apply common sense and don’t open attachments from suspicious emails (unknown sender, unsolicited, etc.).

The PDF itself looks like this:

This phish is circulating today. It has no links, instead a well crafted text tries to persuade the victim to send their credentials by clicking “Reply-To”.  The sender address is spoofed so that the email looks like coming from the UVic Helpdesk. However the Reply-To address is different/external. Note that the UVic helpdesk would NEVER ask for your credentials. Neither by email nor by phone.
This is the first indicator that the email is phish.   Other typical tactics that we can see here is – scary tactics. Imply urgency “your account will be deleted”, “act fast” etc.

..

UVic Computer Help Desk will be performing an emergency systems maintenance which includes Updating/Migrating Accounts, MyUVic & Email Symantec Endpoint Protection Communication to a new SPAM filtering service which will improve Barracuda Spam Firewall Email Security Overview and the ability to identify and block Spam / Phishing attempts and other undesirable messages that flood our email system / server on a daily basis.

We have seen a recent uptick in phishing/unauthorized entry on your account login details, and we want to alert you to follow the resources available to protect your account and the school mailing system. Please be informed that UVic Help Desk will delete any UVic NetLink ID, Account, MyUVic & Email Users account that does not adhere to this notice IMMEDIATELY as part of our (Inactive Accounts Email Security Overview) and clean-up process to enable service upgrade efficiency.

We request that you re-confirm your UVic NetLink ID ( Email Account Login Details) as requested below for Migration, Quarantine Exercise and Protection against SPAM by clicking the reply button and replying to this email with your active UVic NetLink ID login details as follows. (This will confirm your University of Victoria Account login/usage Frequency):

Click on the “reply” button and Confirm your UVic NetLink ID credentials;

*      NetLink ID:
*      Password:
*      Email ID:

By re-confirming your active UVic NetLink ID details as listed above, you have abide by the University of Victoria Communications Policy.

NOTE: We will Permanently deactivate and delete your UVic NetLink ID credentials if you do not adhere to this notice immediately as part of our Inactive UVic NetLink ID credentials clean-up process to enable service upgrade efficiency.

Thank you,
<name>
======================

Computer Help Desk
University of Victoria
Clearihue A037.

This phish is circulating today.

The goal, as usual is to steal your UVic credentials by using a fake login page. The sender is external but they may impersonate different internal people.

<name of the compromised external account> shared a document
<name> (******.edu) added you as an editor. Verify your email to securely make edits to this document. You will need to verify your email every 7 days. Learn more [link to Google documentation]

Dr. <UVIc person name> shared a file with you
AI Literacy, Assessment, and Fall 2023 Teaching.docx

Open [link to the fake login page]

Use is subject to the Google Privacy Policy [link to Google documentation].
If you don’t want to receive files from this person, block the sender from Drive[link to Google documentation]

 

Many UVic recipients received this phish in the morning.  It is easy to see that the links point to a site outside UVic (by hovering the mouse cursor on top without clicking).  As usual the goal is to steal your credentials. Please do not be curious and do not click on such links because they may contain malware to infect your computer instantly.

Note that sometimes the sender may look internal (or be indeed internal if a UVic account was compromised). If not sure, whether an email is legit, ask your Desktop support person or the helpdesk.

Dear ,
You are now enrolled in Multi-Factor Authentication . You must complete this training within 24hrs.

The assignments you’ve been enrolled in are displayed below:

– Hacking Multi-Factor Authentication with Roger Grimes[link to the fake login page/

Please use this link to start your training:
https:\\training.knowbe….[link to the fake login page]

It is important that you complete this training within 24hrs. Thank you for helping to keep our organization safe from cyber crime.

Another massive phish today comes from google docs and points to a malicious document. The subject contains the name of the document.

Please do not open the document and do not enter any credentials.
A screenshot of the phish is shown below.

Andrew Shepherd shared a document
Andrew Shepherd (***.edu) added you as an editor. Verify your email to securely make edits to this document. You will need to verify your email every 7 days. Learn more[link to the malicious document]

Vasco Gabriel shared a file with you.

Summer Faculty Bonus.docx

Open[link to the malicious document]

Use is subject to the Google Privacy Policy[link to the google policy].

This phish is circulating since yesterday. It is clearly coming from some external email address. There is no personal greeting, and the whole text is pretty common, it does not even try to imply it was UVic related. The goal of course is to harvest credentials. Please do not be curious and do not click these links because sometimes they may contain malware to infect your computer instantly.

Subject: Account Storage

We have noticed some unusual activity and the warning limit of your storage email account. To ensure the security and increasing your mail storage, please click the button below:

Increase Mail Storage[link to phish]

If you cannot click the button, please click here.
Administrator
Help Desk