Author: Mario Ivanov

Many UVic addresses received this phish today.
The sender is clearly external, the body does not make too much sense and contains mistakes. The link points to a fake login page that will be turned down soon. (Please do not be curious and do not click on these links, because they may contain malware to infect your computer instantaneously).

Subject: RE: Technical service – Mailbox authentication Updates

All Employee, Student And Staff

We are currently running an upgrade on all active OWA Outlook accounts, in order to complete the upgrade automatically, you must initiate the upgrade manually by visiting the OUTLOOK WEB PORTAL[link to the fake login page]. The upgrade will take effect 4 Working Day

Any Outlook accounts that have not been upgraded during this time will be classified as inactive, which may result in account deactivation/closure.

 

This phish is in circulation. There is nothing in the body of the message besides a little image at the bottom which appeals to consider the environment before printing this email. The subject suggests some UVic related business without specifying what. The attachment is a malicious .htm file. Please do not open it.
The sender we see so far is some compromised email address in Germany, but there could be other ones too. In any case – be very cautious with htm attachments – do you know the sender, do you expect a message like that, etc.

This is another popular phish today. The subject may vary – “Vacancy”, “Job Vacancy” etc, and the sender can be another UVic address or the recipient’s address.  This is a typical job scam. What they rely is the “Reply-to” address,
that’s the address were your reply goes and in this case it is an address in gmail.

Please do not reply and do not open the attachment.
Do not engage with the scammer via email or SMS and do not forward these emails around. If you responded to the scam, contact the Computer Help Desk immediately for assistance, especially if you sent personal information or money.

 

Transcript:

Sender: some @uvic.ca address
Subject: Job Vacancy
Attachment: (1) Work From Home.docx

I am sharing a job vacancy with students, staff and individuals who might be interested in UNICEF paid job of 500 per week. See attachment for details.

Kind regards

—-end of the transcript—

This phish is circulating today. The sender shown on the screenshot is clearly external but there could be internal spoofed senders. The goal, as usual, is to apply scary tactics so that the victim acts quick, clicks the fake login link and enters their UVic credentials.

Transcript of the message:
Sender: <some external address in .vn>
Subject: ATTENTION

Your Email account has exceeded the storage limit set by the administrator due to hidden files, Kindly click UPDATE to validate your account.

Copyright (C) 2023 Web Admin

—end of the transcript—

Many UVic recipients reported this phish today.

It clearly comes from an external address, uses the usual scary tactics to make you act fast and as usual leads to a fake login page designed to steal your UVic credentials.
Please do not be curious and do not click on such links as they may contain malware to infect your computer instantly.

Many uvic recipients reported this phish today. In all cases it uses the recipient address to spoof the actual sender. This way the email looks like coming from the recipient themselves. The “ticket number” in the subject is using some sort of random number generator, so it is also different every time.
There are other variations of the subject, for example:

Your E-mail (netlink@uvic.ca) will expire soon -[Ticket ID: xxxxxx]

Your E-mail (netlink@uvic.ca) Requires Verification -[Ticket ID: xxxxxx]

In all cases there is a malicious .shtml file attached.
The name of that file is:  uvic.ca-update-form.shtml
(but could be different of course)

Please do not open these attachments, they contain malware.

A screenshot of the phish is shown below:

This is another very “popular” phish today.

It made effort to sound legit, it contains helpdesk@uvic.ca at the bottom and the sender may appear as an internal one to add to the sense of legitimacy.

Similarly to the job scam we posted about below, this phish uses the trick to put the whole message in a bitmap. It only looks like text with a link, but the whole body is a single picture. That picture is linked to the malicious website. This way
the victim may click somewhere on what looks like text, thinking it was safe. That would immediately trigger their web browser to open the malicious web page.
Please be careful with clicks and don’t be curious. If in doubt – ask your desktop support person or the Helpdesk.

This job scam is circulating today. It contains an attachment and tries to persuade victims to reply  back to some external address. The actual sender could be different. The body of the email message is not text but actually a bitmap picture. (the body is shown below).

The pdf also contains the email address of the scammer.

Many UVic people received this phish today. It uses the usual “scary” tactic to make you act quick and eventually provide malicious actors with your UVic credentials. The link points to a fake login page.

Please don’t be curious and don’t click on links in phishing emails since some of them may contain malware to infect your computer instantaneously.

If in doubt, ask your desktop support person or the Helpdesk.

A screenshot of the phish message is shown below.

 

Recently UVic students and employees receive a lot of phish containing html attachments. The attachments might be very small or larger, may contain malware directly or redirect to malicious sites, including but not limited to fake UVic login pages.

There are numerous variations of the text in the email.  In many cases it is short as in the example below.

Please do not be curious and do not open html attachments from untrusted senders. If in doubt – ask the helpdesk or your desktop support person or give the sender a phone call and ask whether they sent you the suspicious attachment.

Another phish that is crafted to steal your UVic credentials.

The sender is clearly external and the link is clearly external – you can see it by hovering over it with the mouse cursor.

Remember, if in doubt – never click the links in the email. Instead open the main web page of the organization – whether UVic or your bank, CRA, etc  and find your way to the desired setting from there.

Please do not be curious and do not click on the links in phish emails, sometimes they may contain malware to infect your computer instantly. Our experts open them in specialized isolated environment.

Another phish that claims to help you keep your current password. This does not make sense. The UVic Helpdesk would never send you an email it order to keep a password unchanged.

The sender is clearly external and the link is clearly external – you can see it by hovering over it with the mouse cursor. The goal of course is to steal your credentials.
Please do not be curious and do not click on these links, sometimes they may contain malware to infect your computer instantly. Our experts open them in specialized isolated environment.

A screenshot of another phish that is circulating today is shown below. It tries to persuade you to click on a link to prevent your password from expiring.  The recipient email is quoted in the subject and then also in the email body.

Remember: Whenever  you receive a suspicious email that sounds plausible, never click any link that’s inside that email and do not call phone numbers listed in the email. Instead find the proper links or phone numbers by other means.

This phish is far from plausible. Currently UVic passwords do not expire. The sender is clearly external and the link is clearly external – you can see it by hovering over it with the mouse cursor. It leads to a fake UVic page – a perfect copy of the real home page of UVic. The goal of course is to steal your credentials.
Please do not be curious and do not click on these links, sometimes they may contain malware to infect your computer instantly.  Our experts open them in specialized isolated environment.

This phish started circulating yesterday evening and continues today. The attachment is a malicious html file which is supposedly an invoice. The sender can be different. We saw senders from outlook.com, some from hotmail.com Please do not open these attachments.

A phish with this or similar subject line started circulating around in the weekend.

Note the long domain name of the sender which is neither microsoft.com nor uvic.ca. Malicious actors register domain names for their phishing campaigns. This one in particular is made to look legit by starting with “automaticscheduled..” As usual the goal is to steal credentials. (it leads to a fake login page).
Other suspicious indicators are: You never paid for M365, so why pay for renewal?  Why in USD?  The actual domain of the link is neither microsoft.com, nor uvic.ca. You can see it by hovering on it with the mouse cursor.
Please do not be curious and do not click such links – sometimes they can contain malware to infect your computer instantly.