Author: Mario Ivanov

We have identified a phishing attempt that pretends to be from UVic HR, using urgency to trick recipients. The email contains a PDF attachment that includes a button leading to a fake login page. The goal is to steal your UVic credentials.

These emails often come from external addresses, but malicious actors can spoof internal addresses too. Do not open the PDF or click any links. They may contain malware to infect your computer instantly.
Our experts are investigating these threats in isolated environments.

Here is a screenshot of the message:

and transcript of the message body:

Important Employee Handbook and Payroll Update
Please be informed that there are critical updates to the Employee Handbook and Payroll process.
It is essential that you review these updates to ensure you are aware of the latest company policies and payroll information.
Regards.
University of victoria HR

With students back on campus, these kinds of scams will continue to target them. Most of the emails with the subject “Students seeking Jobs should check below” were properly identified by the antispam filters and ended up in the junk folders of Exchange mailboxes.

These emails typically contain a short text in the body of the message, while the actual scam is in an attached text file. The body may look like this:

These emails may come from different sender addresses (typically Gmail).

The text file contains a rather long description of the “job and benefits,” which includes typing mistakes and, as usual, sounds too good to be true.

Please do not reply to such scammers (even for fun!). If in doubt, ask the helpdesk or your supervisor.

The transcripts of the body of the email and the attachment are listed below:

University Of Victoria has resources in place to help you succeed in your career and your relationships. work for $(four Hundred weekly and study. If interested, see attached
Regards.

the attachment:

Greetings’..

I am Dr. Alvin Sanders… And I work with Workforce Innovation and Opportunity Act (WIOA) replaces the Workforce Investment Act of 1998 (WIA) by amending the law to strengthen the United States workforce development system through innovation in, and alignment and improvement of, employment, training, and education programs in the United States, and to promote individual and national economic growth, and for other purposes. The law provides the framework for a national workforce preparation and employment system designed to meet both the needs of the nation’s businesses and the needs of job seekers and those who want to further their careers. WIOA reforms current federal laws governing programs of job training, adult education and literacy, vocational rehabilitation, and youth, making services more universally accessible and more flexible components of workforce development systems.

The system offers access to services that encompasses assessments/skills needs, job search, job placement, labor market information, individual employment planning, educational and career counseling, occupational skills training, skill upgrading, internships and work experience, job readiness, adult education, and literacy and High School Equivalency (HSE) programs for adults and out-of-school youth free of charge. And we are running a promotional program at the moment which gives room for more individual to Apply and work with us while we make sure this offers circulated among all who needed to know about us.

I Considered this email reach out to you through the consent of University Office for Students in extension of an offer to work with me as my Virtual Personal Assistant (Dr. Alvin Sanders)

JOBS DESCRIPTION:

This job is really straightforward And is currently available online as WORK-FROM-HOME REMOTELY JOB. As my personal assistant you may be required to provide General personal assistance which may include any of the mentioned below:
*Acting as a liaison between the employer and other parties, including clients, vendors

*Handling and responding to emails

*Running personal errands such as shopping and arranging deliveries.

*Recording expenses, organizing receipts, and preparing expense reports.

*Providing support for personal tasks such as managing bills, organizing personal finances, and researching personal interests.

*And lastly. Any other tasks or projects assigned by the employer to support their professional or personal life. Meanwhile the working hours are flexible and fully remotely, the pay is $399/Weekly and working hours are 1 to 3hrs a day and 3days working hours bi-weekly

BENFITS:
Hybrid work policy with up to two days work from home
College-issued laptop for hybrid work
Adjusted hours for summer months, fall and spring breaks
Offices closed between Christmas and New Year’s
Generous vacation and personal time off
In addition to the benefits(for example health insurance, life insurance, TIAA, tuition-exchange), the college also provides the following perks:
I am presently monitoring other operations around the states so I am unable to meet up for the interview. For every assignment, you will receive payment in advance (AUTOMATIC 1 WEEK UPFRONT, $399). We will talk about the possibilities of turning this into a long-term job when I return if I am pleased with your services during my absence. I’m expected to arrive during the final week of October 2024.

Note: Please make sure that all of the information you submit is correct. If you are under the age of eighteen or do not have access to a real bank account, your application may not be accepted. If your application is approved, you will receive a confirmation email and will also communicate with us via text and email.
Below is the Application process. Thanks

If interested, please apply below, and send your student ID, full name, major, address, best contact
number, and alternate email. Please be aware that Junior and Senior students will be considered with
priority at this time.
To apply, email the requested information to
<redacted>

 

Similar to the ‘grand piano’ scam, other large items, such as welding tools, are also being offered in recent scams. The common thread among all these offers is this: if you express interest in the item, you are asked to pay for the shipping costs. The scammers’ goal is to get you to send them a payment using non-refundable money orders or gift cards. However, after you pay the shipping cost, you will never receive the item you were expecting.

From: Dr. <real name of a UVic person>  <****@gmail.com>
Sent: Tuesday, May 7, 2024 3:59 AM
Subject: Disposal of welding machine and tools boxs

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Dear Student/Faculty And, One of our staff in University of Victoria , <redacted name> ( Coordinator, Academic Administration) is downsizing and looking to give away her late dad’s Miller 951937 Dynasty 300 TIG Welder w/ TIGRunner Pkg & Wireless Foot Control, With A Complete Set Of Snap On Tools Box And Accessories. If interested in any of the equipment kindly indicate by sending him a mail via your personal email for a swift response. to indicate your interest in any of the listed items contact him on his private email address (****@outlook.com ) to arrange delivery with a moving company.

Sincerely,

Dr. <redacted real name>

MEMBER OF THE BOARD

Practically this is the same scam that we posted about last time. It was received by many UVic recipients last night. The text is the same as before, the sender is some compromised account at another organization and the subject this time is just “WPF”.  Please do not be curious and do not open the attachments in such scams, do not click links and do not reply to scammers (even for fun!!!). By replying you supply back information that your email exist, you are not on vacation, etc.

 

—

I am sharing job opportunity information to anyone who might be interested in a paid World food programme Part-Time job with a weekly pay of $750.00. If interested, kindly contact Mattias on his email address (***@outlook.com) for details of employment.

N.B, this job is strictly a work from home position.

This phish is circulating today. It applies the usual tactics of scammers to scare the potential victims that something is wrong and should should act fast.  The sender is external, the link points to an external site designed to look like a UVic login page with the goal to steal your UVic credentials. Please do not be curious and do not click the links because sometimes they may contain malware to infect your computer instantly.

Here is a screenshot and transcription of the phish:

Your University of Victoria account has been filed under the list of accounts set for deactivation due to retirement/graduation/or transfer of the concerned account holder. But the record shows you are still active in service and so advised to confirm this request otherwise give us reason to deactivate your account.

Please Verify your UVIC account immediately to avoid Deactivation Click

UVIC<link to external site>

Please note this one-time submission and entry only..

Warm Regards,
Office of the Registrar

The tax return season has started, and scammers have begun exploiting this period again. Typically, they try to persuade you to click on a link by pretending that something was wrong with your tax return, or you need to “sign” something, as in today’s example.

Please stay vigilant, do not click on these links. They may contain malware to infect your computer instantly or they might be designed to steal your credentials.

Your request has been processed successfully and is now ready to be signed

Document online <link>

Please view your document securely using the following confirmation code :
050916

This phish was received by many UVic mailboxes this morning. It seems to come from a UVic address, but there is no such address – it is spoofed by the external sender. They set however an external “reply-to” address. Please do not reply with anything and do not open the attachment. The zip contains a malicious file loaded with trojans.

Hello!

I hope this email finds you well. I am writing this mail to inform you that the item i purchased has been damaged.
if i wish to return it and get a refund, i would like to know the procedure. I tried contacting the phone number, but
none of my calls was answered.

I would appreciate it if you could look into this and get in touch with me as soon as possible.

Attached is the proof of the damaged item.

Thanks.

Peterson Webley..

This phish is circulating today. The sender address is spoofed. It has a domain in Germany and the username can be your own netlinkID.  The display name of the sender pretends to be “UVic HR department”.

Please do not open attachments from unknown senders. They may contain malware,  links to malware loaded web pages or links to fake login pages.

Transcript:

Hi <your netlink>, HR Dept. shared a new file “Uvic 2024/25 Salary Adjustment Letter.pdf” with (yournetlink@uvic.ca) via SharePoint for your urgent attention.   Kindly click the Get Your File button below to access it.   GET YOUR FILE

Report to SharePoint © 2024 SharePoint

 

As the holidays approach, phishing attempts related to parcel updates (such as delays, imminent arrivals, tracking information, and requests for confirmation) become increasingly common.
These messages may contain links to malicious sites or fake login pages. An example of such a message that circulated today is shown below. Please resist the urge to click on these links out of curiosity. Instead, hover your mouse over the link to verify that it does not actually lead to the website of the supposed parcel courier.

Hello dear ,

Your DHL Express shipment with waybill number CS/4792938456 is on its way. We will require a signature at the time of delivery. Shipment is subject to delivery duties taxes and clearance fees.

In order to avoid impact on delivery, please complete shipping info safely online to pay, view the calculation and track your shipment here.

Update and Track parcel<link to the malicious cite>

DHL is attempting to maintain a reliable shipping and delivery service for our customers. Thanks for your patience and understanding and wish to thank you so much for using DHL services.

​

Thank you for using On Demand Delivery.

DHL Express – Excellence. Simply delivered.

We received a report of an interaction with a scammer from an employee who was aware of the scam from the outset. We strongly advise against engaging with scammers, even ‘for fun’. Such interactions can inadvertently reveal valuable information, such as the active status of your email account, your work schedule, and more. We’ve redacted the name used by the scammer in this instance, as they were impersonating a real university professor.
The thread begins with a succinct email body, the subject line merely containing the name of the impersonated professor, typically someone in an executive position such as a department chair, dean, or director.

The employee responded as follows:
At this juncture, many individuals might feel a twinge of guilt for overlooking the initial email. This is precisely the reaction the scammer is banking on, despite the fact that there was no previous email. The scammer swiftly replied, revealing their true intent:
There’s always a reason why they can’t purchase the cards themselves. It could be a technical issue, illness, an ongoing meeting, or any number of pretexts.
The employee responded:
A scammer, realizing their ruse has been seen through, might typically abandon their efforts at this point. However, this scammer persisted, sticking to their script as shown below:
Perhaps they believe persistence pays off statistically? That they might eventually convince a potential victim? Unfortunately, we do occasionally encounter victims who purchase gift cards and send photos of the scratched-off numbers to the scammer. This is another telltale sign. Since the scammer can’t physically collect the cards, they request photos of the ID numbers. It’s a good idea to discuss this scenario with your supervisor and confirm that they would never ask you to purchase gift cards.

Remember: It’s always best to avoid giving scammers any information, no matter how insignificant it may seem.

Malicious actors deployed a bunch of phish against UVic recipients today. The trick they apply is to use some authentic text sent by a UVic person. In some cases that’s a mass-mail sent a year ago to hundreds of recipients, in some cases it is just the out-of office message of somebody. In all cases they add a line of theirs on top of the legit text — “please check the attachment”. The sender address is different. The display name may copy a name from the original email thread. The attachment itself contains a link to the actual malicious content. A screenshots of a few examples are shown below. The pdf attachments are usually having a very short name – one or two characters. (however that doesn’t mean that every attachment with a long and meaningful name is legit). Be vigilant, apply common sense and don’t open attachments from suspicious emails (unknown sender, unsolicited, etc.).

The PDF itself looks like this:

This phish is circulating today. It has no links, instead a well crafted text tries to persuade the victim to send their credentials by clicking “Reply-To”.  The sender address is spoofed so that the email looks like coming from the UVic Helpdesk. However the Reply-To address is different/external. Note that the UVic helpdesk would NEVER ask for your credentials. Neither by email nor by phone.
This is the first indicator that the email is phish.   Other typical tactics that we can see here is – scary tactics. Imply urgency “your account will be deleted”, “act fast” etc.

..

UVic Computer Help Desk will be performing an emergency systems maintenance which includes Updating/Migrating Accounts, MyUVic & Email Symantec Endpoint Protection Communication to a new SPAM filtering service which will improve Barracuda Spam Firewall Email Security Overview and the ability to identify and block Spam / Phishing attempts and other undesirable messages that flood our email system / server on a daily basis.

We have seen a recent uptick in phishing/unauthorized entry on your account login details, and we want to alert you to follow the resources available to protect your account and the school mailing system. Please be informed that UVic Help Desk will delete any UVic NetLink ID, Account, MyUVic & Email Users account that does not adhere to this notice IMMEDIATELY as part of our (Inactive Accounts Email Security Overview) and clean-up process to enable service upgrade efficiency.

We request that you re-confirm your UVic NetLink ID ( Email Account Login Details) as requested below for Migration, Quarantine Exercise and Protection against SPAM by clicking the reply button and replying to this email with your active UVic NetLink ID login details as follows. (This will confirm your University of Victoria Account login/usage Frequency):

Click on the “reply” button and Confirm your UVic NetLink ID credentials;

*      NetLink ID:
*      Password:
*      Email ID:

By re-confirming your active UVic NetLink ID details as listed above, you have abide by the University of Victoria Communications Policy.

NOTE: We will Permanently deactivate and delete your UVic NetLink ID credentials if you do not adhere to this notice immediately as part of our Inactive UVic NetLink ID credentials clean-up process to enable service upgrade efficiency.

Thank you,
<name>
======================

Computer Help Desk
University of Victoria
Clearihue A037.

This phish is circulating today.

The goal, as usual is to steal your UVic credentials by using a fake login page. The sender is external but they may impersonate different internal people.

<name of the compromised external account> shared a document
<name> (******.edu) added you as an editor. Verify your email to securely make edits to this document. You will need to verify your email every 7 days. Learn more [link to Google documentation]

Dr. <UVIc person name> shared a file with you
AI Literacy, Assessment, and Fall 2023 Teaching.docx

Open [link to the fake login page]

Use is subject to the Google Privacy Policy [link to Google documentation].
If you don’t want to receive files from this person, block the sender from Drive[link to Google documentation]

 

Many UVic recipients received this phish in the morning.  It is easy to see that the links point to a site outside UVic (by hovering the mouse cursor on top without clicking).  As usual the goal is to steal your credentials. Please do not be curious and do not click on such links because they may contain malware to infect your computer instantly.

Note that sometimes the sender may look internal (or be indeed internal if a UVic account was compromised). If not sure, whether an email is legit, ask your Desktop support person or the helpdesk.

Dear ,
You are now enrolled in Multi-Factor Authentication . You must complete this training within 24hrs.

The assignments you’ve been enrolled in are displayed below:

– Hacking Multi-Factor Authentication with Roger Grimes[link to the fake login page/

Please use this link to start your training:
https:\\training.knowbe….[link to the fake login page]

It is important that you complete this training within 24hrs. Thank you for helping to keep our organization safe from cyber crime.