GIFT Card example

We received a report of an interaction with a scammer from an employee who was aware of the scam from the outset. We strongly advise against engaging with scammers, even ‘for fun’. Such interactions can inadvertently reveal valuable information, such as the active status of your email account, your work schedule, and more. We’ve redacted the name used by the scammer in this instance, as they were impersonating a real university professor.
The thread begins with a succinct email body, the subject line merely containing the name of the impersonated professor, typically someone in an executive position such as a department chair, dean, or director.

The employee responded as follows:
At this juncture, many individuals might feel a twinge of guilt for overlooking the initial email. This is precisely the reaction the scammer is banking on, despite the fact that there was no previous email. The scammer swiftly replied, revealing their true intent:
There’s always a reason why they can’t purchase the cards themselves. It could be a technical issue, illness, an ongoing meeting, or any number of pretexts.
The employee responded:
A scammer, realizing their ruse has been seen through, might typically abandon their efforts at this point. However, this scammer persisted, sticking to their script as shown below:
Perhaps they believe persistence pays off statistically? That they might eventually convince a potential victim? Unfortunately, we do occasionally encounter victims who purchase gift cards and send photos of the scratched-off numbers to the scammer. This is another telltale sign. Since the scammer can’t physically collect the cards, they request photos of the ID numbers. It’s a good idea to discuss this scenario with your supervisor and confirm that they would never ask you to purchase gift cards.

Remember: It’s always best to avoid giving scammers any information, no matter how insignificant it may seem.

PDF attachment in a legit-looking email

Malicious actors sent a batch of phish to UVic recipients today. The trick is to reuse authentic text written by a UVic person. In some cases that is a mass mail sent a year ago to hundreds of recipients; in others it is just somebody’s out-of-office message. In all cases they add a line of their own on top of the legitimate text: “please check the attachment”. The sender address is different, although the display name may copy a name from the original email thread. The attachment itself contains a link to the actual malicious content. Screenshots of a few examples are shown below. The PDF attachments usually have a very short name, one or two characters (however, that doesn’t mean that every attachment with a long and meaningful name is legitimate). Be vigilant, apply common sense and don’t open attachments from suspicious emails (unknown sender, unsolicited, etc.).

The PDF itself looks like this:

[ Systems Maintenance Update] Updating/ Accounts Migration

This phish is circulating today. It has no links; instead, a well-crafted text tries to persuade the victim to send their credentials by clicking “Reply”. The sender address is spoofed so that the email appears to come from the UVic Helpdesk. However, the Reply-To address is different and external. Note that the UVic Helpdesk would NEVER ask for your credentials, neither by email nor by phone.
This is the first indicator that the email is a phish. Another typical tactic we can see here is scare tactics: implying urgency with “your account will be deleted”, “act fast”, etc.


UVic Computer Help Desk will be performing an emergency systems maintenance which includes Updating/Migrating Accounts, MyUVic & Email Symantec Endpoint Protection Communication to a new SPAM filtering service which will improve Barracuda Spam Firewall Email Security Overview and the ability to identify and block Spam / Phishing attempts and other undesirable messages that flood our email system / server on a daily basis.

We have seen a recent uptick in phishing/unauthorized entry on your account login details, and we want to alert you to follow the resources available to protect your account and the school mailing system. Please be informed that UVic Help Desk will delete any UVic NetLink ID, Account, MyUVic & Email Users account that does not adhere to this notice IMMEDIATELY as part of our (Inactive Accounts Email Security Overview) and clean-up process to enable service upgrade efficiency.

We request that you re-confirm your UVic NetLink ID ( Email Account Login Details) as requested below for Migration, Quarantine Exercise and Protection against SPAM by clicking the reply button and replying to this email with your active UVic NetLink ID login details as follows. (This will confirm your University of Victoria Account login/usage Frequency):

Click on the “reply” button and Confirm your UVic NetLink ID credentials;

*      NetLink ID:
*      Password:
*      Email ID:

By re-confirming your active UVic NetLink ID details as listed above, you have abide by the University of Victoria Communications Policy.

NOTE: We will Permanently deactivate and delete your UVic NetLink ID credentials if you do not adhere to this notice immediately as part of our Inactive UVic NetLink ID credentials clean-up process to enable service upgrade efficiency.

Thank you,
<name>
======================

Computer Help Desk
University of Victoria
Clearihue A037.

Document shared with you:

This phish is circulating today.

The goal, as usual, is to steal your UVic credentials by using a fake login page. The sender is external, but they may impersonate different internal people.

 

<name of the compromised external account> shared a document
<name> (******.edu) added you as an editor. Verify your email to securely make edits to this document. You will need to verify your email every 7 days. Learn more [link to Google documentation]

Dr. <UVIc person name> shared a file with you
AI Literacy, Assessment, and Fall 2023 Teaching.docx

Open [link to the fake login page]

Use is subject to the Google Privacy Policy [link to Google documentation].
If you don’t want to receive files from this person, block the sender from Drive[link to Google documentation]

 

 

You’ve been enrolled in training

Many UVic recipients received this phish in the morning. It is easy to see that the links point to a site outside UVic by hovering the mouse cursor over them without clicking. As usual, the goal is to steal your credentials. Please do not be curious and do not click on such links, because they may contain malware that infects your computer instantly.

Note that sometimes the sender may look internal (or indeed be internal, if a UVic account was compromised). If you are not sure whether an email is legit, ask your Desktop support person or the helpdesk.

Dear ,
You are now enrolled in Multi-Factor Authentication . You must complete this training within 24hrs.

The assignments you’ve been enrolled in are displayed below:

– Hacking Multi-Factor Authentication with Roger Grimes[link to the fake login page]

Please use this link to start your training:
https:\\training.knowbe….[link to the fake login page]

It is important that you complete this training within 24hrs. Thank you for helping to keep our organization safe from cyber crime.

 

Document shared with you: “Summer Faculty Bonus.docx”

Another massive phish today comes from Google Docs and points to a malicious document. The subject contains the name of the document.

Please do not open the document and do not enter any credentials.
A screenshot of the phish is shown below.

 

 

Andrew Shepherd shared a document
Andrew Shepherd (***.edu) added you as an editor. Verify your email to securely make edits to this document. You will need to verify your email every 7 days. Learn more[link to the malicious document]

Vasco Gabriel shared a file with you.

Summer Faculty Bonus.docx

Open[link to the malicious document]

Use is subject to the Google Privacy Policy[link to the google policy].

Account Storage

This phish has been circulating since yesterday. It clearly comes from an external email address. There is no personal greeting and the whole text is generic; it does not even try to imply it is UVic related. The goal, of course, is to harvest credentials. Please do not be curious and do not click these links, because sometimes they may contain malware that infects your computer instantly.

Screenshot of the phish message with subject "Account Storage"

Subject: Account Storage

We have noticed some unusual activity and the warning limit of your storage email account. To ensure the security and increasing your mail storage, please click the button below:

Increase Mail Storage[link to phish]

If you cannot click the button, please click here.
Administrator
Help Desk

RE: Technical service – Mailbox authentication Updates

Many UVic addresses received this phish today.
The sender is clearly external, the body does not make much sense and it contains mistakes. The link points to a fake login page that will be taken down soon. (Please do not be curious and do not click on these links, because they may contain malware that infects your computer instantaneously.)

Subject: RE: Technical service – Mailbox authentication Updates

All Employee, Student And Staff

We are currently running an upgrade on all active OWA Outlook accounts, in order to complete the upgrade automatically, you must initiate the upgrade manually by visiting the OUTLOOK WEB PORTAL[link to the fake login page]. The upgrade will take effect 4 Working Day

Any Outlook accounts that have not been upgraded during this time will be classified as inactive, which may result in account deactivation/closure.

 

Approved request for Uvic.ca on 31 May 2023

This phish is in circulation. There is nothing in the body of the message besides a little image at the bottom asking you to consider the environment before printing the email. The subject suggests some UVic-related business without specifying what. The attachment is a malicious .htm file. Please do not open it.
The sender we have seen so far is a compromised email address in Germany, but there could be others too. In any case, be very cautious with .htm attachments: do you know the sender, do you expect a message like that, etc.

Job Vacancy

This is another popular phish today. The subject may vary (“Vacancy”, “Job Vacancy”, etc.), and the sender can be another UVic address or the recipient’s address. This is a typical job scam. What they rely on is the “Reply-To” address: that is the address where your reply goes, and in this case it is a Gmail address.

Please do not reply and do not open the attachment.
Do not engage with the scammer via email or SMS and do not forward these emails around. If you responded to the scam, contact the Computer Help Desk immediately for assistance, especially if you sent personal information or money.

 

Transcript:

Sender: some @uvic.ca address
Subject: Job Vacancy
Attachment: (1) Work From Home.docx

I am sharing a job vacancy with students, staff and individuals who might be interested in UNICEF paid job of 500 per week. See attachment for details.

Kind regards

—-end of the transcript—

Attention

This phish is circulating today. The sender shown on the screenshot is clearly external, but there could be internal spoofed senders. The goal, as usual, is to apply scare tactics so that the victim acts quickly, clicks the fake login link and enters their UVic credentials.

Transcript of the message:
Sender: <some external address in .vn>
Subject: ATTENTION

Your Email account has exceeded the storage limit set by the administrator due to hidden files, Kindly click UPDATE to validate your account.

Copyright (C) 2023 Web Admin

—end of the transcript—

ALL Staff Application

Many UVic recipients reported this phish today.

It clearly comes from an external address, uses the usual scare tactics to make you act fast and, as usual, leads to a fake login page designed to steal your UVic credentials.
Please do not be curious and do not click on such links as they may contain malware to infect your computer instantly.

Your E-mail (netlink@uvic.ca) is Due For Upgrade -[Ticket ID: 683541]

Many UVic recipients reported this phish today. In all cases it uses the recipient’s address to spoof the actual sender, so the email looks like it comes from the recipients themselves. The “ticket number” in the subject is produced by some sort of random number generator, so it is also different every time.
There are other variations of the subject, for example:

Your E-mail (netlink@uvic.ca) will expire soon -[Ticket ID: xxxxxx]

Your E-mail (netlink@uvic.ca) Requires Verification -[Ticket ID: xxxxxx]

In all cases there is a malicious .shtml file attached.
The name of that file is:  uvic.ca-update-form.shtml
(but could be different of course)

Please do not open these attachments, they contain malware.
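The header and attachment indicators described in the posts on this page (an external Reply-To, a sender that equals the recipient, .htm/.shtml attachments, one- or two-character PDF names) can be checked mechanically. The following is an added example, not part of the original posts; the sample message, addresses and indicator names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

HTML_EXT = (".htm", ".html", ".shtml")

# Constructed sample message (placeholder addresses, not taken from a real phish).
SAMPLE = """\
From: "Help Desk" <user@example.edu>
To: user@example.edu
Reply-To: helpdesk.example@mail.example.net
Subject: Your E-mail requires verification -[Ticket ID: 000000]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please fill in the attached form.
--b1
Content-Type: text/html
Content-Disposition: attachment; filename="update-form.shtml"

<html></html>
--b1--
"""

def _domain(addr):
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""

def phish_indicators(raw):
    """Return the sorted indicator names found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    hits = set()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    recipients = {a.lower() for _, a in getaddresses(msg.get_all("To", []))}
    if reply_to and _domain(reply_to) != _domain(sender):
        hits.add("reply_to_domain_mismatch")   # replies leave the sender's domain
    if sender and sender in recipients:
        hits.add("sender_equals_recipient")    # mail that claims to be from yourself
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(HTML_EXT):
            hits.add("html_attachment")        # .htm/.shtml attachment
        if name.endswith(".pdf") and len(name) <= 6:
            hits.add("short_pdf_name")         # one- or two-character PDF name
    return sorted(hits)

if __name__ == "__main__":
    print(phish_indicators(SAMPLE))
```

These are triage signals rather than verdicts: mailing lists and ticketing systems legitimately set a Reply-To on another domain, so a hit should raise the priority of a review, not block the message on its own.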

A screenshot of the phish is shown below:

UVic Alerts

This is another very “popular” phish today.

It makes an effort to sound legit: it contains helpdesk@uvic.ca at the bottom, and the sender may appear to be internal to add to the sense of legitimacy.

Similarly to the job scam we posted about below, this phish uses the trick of putting the whole message in a bitmap. It only looks like text with a link; the whole body is a single picture, and that picture is linked to the malicious website. This way the victim may click somewhere on what looks like text, thinking it is safe. That would immediately trigger their web browser to open the malicious web page.
Please be careful with clicks and don’t be curious. If in doubt, ask your desktop support person or the Helpdesk.
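A mail filter can recognise the image-as-body trick described above by checking whether an HTML body has almost no real text while its images are wrapped in links to hosts outside the organisation. This is an added example, not part of the original post; the `org_domain` parameter, the 40-character text threshold and the sample HTML are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: one picture, wrapped in a link to an outside host.
LURE = ('<html><body><a href="https://login.example.net/owa">'
        '<img src="cid:body.png" alt=""></a></body></html>')

class _BodyScan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.text_chars = 0       # visible characters outside <script>/<style>
        self.open_links = []      # href of every <a> currently open
        self.linked_images = []   # href wrapped around each <img>
        self._hidden = 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "style"):
            self._hidden += 1
        elif tag == "a":
            self.open_links.append(attrs.get("href") or "")
        elif tag == "img" and self.open_links:
            self.linked_images.append(self.open_links[-1])

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1
        elif tag == "a" and self.open_links:
            self.open_links.pop()

    def handle_data(self, data):
        if not self._hidden:
            self.text_chars += len(data.strip())

def image_only_lure(html, org_domain, max_text=40):
    """Return outside hosts behind linked images when the body has almost no text."""
    scan = _BodyScan()
    scan.feed(html)
    scan.close()
    if scan.text_chars > max_text:
        return []                 # a normal text mail with a linked logo
    hosts = {urlparse(href).hostname or "" for href in scan.linked_images}
    return sorted(h for h in hosts
                  if h and h != org_domain and not h.endswith("." + org_domain))

if __name__ == "__main__":
    print(image_only_lure(LURE, "example.edu"))
```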

Opening

This job scam is circulating today. It contains an attachment and tries to persuade victims to reply to some external address. The actual sender could be different. The body of the email message is not text but actually a bitmap picture (the body is shown below).

The pdf also contains the email address of the scammer.