This phish started circulating yesterday evening and continues today. The attachment is a malicious HTML file which is supposedly an invoice. The sender can be different. We saw senders from outlook.com, some from hotmail.com. Please do not open these attachments.
Author: Mario Ivanov
Automatic renewal of your Microsoft 365 subscription is scheduled
A phish with this or a similar subject line started circulating over the weekend.
Note the long domain name of the sender, which is neither microsoft.com nor uvic.ca. Malicious actors register domain names for their phishing campaigns. This one in particular is made to look legit by starting with “automaticscheduled..” As usual, the goal is to steal credentials (it leads to a fake login page).
Other suspicious indicators are: You never paid for M365, so why pay for renewal? Why in USD? The actual domain of the link is neither microsoft.com nor uvic.ca. You can see it by hovering over it with the mouse cursor.
Please do not be curious and do not click such links – sometimes they can contain malware to infect your computer instantly.
New mail from Canada Revenue Agency
We have observed a large wave of Canada Revenue Agency themed phishing emails sent from a wide variety of addresses (most coming from compromised accounts in Japan). The emails are well-written and contain a link to an Amazon site, which redirects to a phishing domain hosting a convincing CRA look-alike website.
The subject lines can vary a little.
Please do not be curious and do not open these links as sometimes they may contain malware to infect your computer instantly.
Update
This phish started circulating this afternoon. It clearly comes from some external account. As usual, the goal is to steal your UVic credentials. A screenshot of the phish is shown below:
Please do not be curious and do not click these links because sometimes they may contain malware to infect your machine instantly. Our experts investigate them in dedicated isolated environments.
RE: Audit report
This phish circulating today is coming from a Japanese server, but the sender is spoofed to look internal. They used some sort of random number generator for the spoofed addresses (the number in the sender’s address is different, although they all start with “secured_file” and end with @uvic.ca).
In some cases the subject is “RE: Audit report”, in other cases it is “Audit_report_Nov.2022”.
The “get your file” button and the “Privacy statement” link at the bottom both lead to the same location, some server in Brazil, fortunately already flagged as a dangerous site in Google Safe Browsing.
Please do not be curious and do not click these links because sometimes they may contain malware to infect your machine instantly. Our experts investigate them in dedicated isolated environments.
Action Required!
This phish is circulating today. The text doesn’t make any sense. Unlike the malicious actors, UVic Systems can determine if your account is in use without asking you to confirm. The sender is some Gmail account.
The goal as usual is to steal your UVic credentials.
As always – please do not click out of curiosity, just to see the fake login page.
Sometimes these pages may contain malware to infect your computer instantly.
Our experts open them in isolated environments. The second screenshot shows the fake login page.
Email Password Expired.
This phish is circulating today. It is virtually the same as our previous posting, just with a different sender. The sender is clearly external. The idea of keeping the same password doesn’t make sense. It is always better to change your password periodically with some new long phrase that you never used before. Our tips to choose a new password are published here:
https://www.uvic.ca/systems/support/loginspasswords/password/passwordtips.php
Here is a screenshot of the phish:
The goal is the same as usual – to steal your UVic credentials. For this purpose they created a fake UVic page – an exact copy of the real one. Please do not be curious and do not click these links, as sometimes they may contain malware to infect your computer instantly. Our experts open those in a dedicated isolated environment.
Email Password Expired.
This phish started arriving in the early hours today. The sender display name is formed by attaching _mail.com to the recipient netlinkID. Perhaps the malicious actor thought this would make it look more legitimate?! The actual sender’s address is external. Then they use the netlink and the email address of the recipient in the body of the message to make it more convincing.
The goal is the same as usual – to steal your UVic credentials. For this purpose they created a fake UVic page – an exact copy of the real one. Please do not be curious and do not click these links, as sometimes they may contain malware to infect your computer instantly. Our experts open those in a dedicated isolated environment.
Personal Assistant/Errands
This scam is circulating today. The sender is some external compromised account (but could be any).
Whether a scam that would eventually try to extract money or a phish that aims to steal your credentials, our advice remains the same – never answer by email and never open the links – they may contain malware to infect your computer instantly. Our experts open these in dedicated isolated environments.
FW:
This phish is circulating this afternoon. The sender is some compromised account at another university. The link only appears to be a legitimate Microsoft site but in fact points to a login page designed to harvest credentials.
As always – please do not be curious and do not open these links – they may contain malware to infect your machine instantly.
Update
This simplistic but massive phish is circulating today. The sender set a display name “UVic” but the address is clearly external. Same old tactics – you have to act quickly to prevent something bad from happening. The link leads to an external page (shown below) made to look as if it belongs to UVic.
The purpose is all the same – to steal your credentials.
Please don’t be curious and don’t open these links. Sometimes they may contain malware to infect your computer instantly. Our experts open them in a dedicated isolated environment.
Notification
This otherwise simple phish was massively sent to UVic users yesterday, Sep 5th, and there could be more coming today. The usual tactic is used – to create a sense of urgency as if your account is going to be terminated. The sender could be external or could be a spoofed internal one, but the link is pointing to an external web provider.
Note that sometimes malicious actors register domains or use subdomains of existing providers by introducing the string “uvic” in order to imply legitimacy.
Our top domain is uvic.ca, whereas in cases like www.uvic.a1.biz the top domain is a1.biz which has nothing to do with UVic.
Please don’t be curious and do not click on these links. Usually their goal is to steal your credentials, but sometimes they may contain malware to infect your computer instantly. Our experts open them in dedicated isolated environments.
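The domain check described in the post above, as an added example that is not part of the original posts: it compares a host against uvic.ca on label boundaries instead of searching for the string “uvic”, and flags a display name that implies UVic on an external address. The trusted-domain list, the function names and the sample message are assumptions constructed for illustration; only www.uvic.a1.biz comes from the page.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption for this example: the only domain treated as genuine.
TRUSTED_DOMAINS = ("uvic.ca",)

def belongs_to(host, domain):
    """True only if host is the domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def is_trusted_host(host):
    return any(belongs_to(host, d) for d in TRUSTED_DOMAINS)

def naive_check(text):
    """The mistake the phish relies on: finding the string anywhere."""
    return "uvic" in (text or "").lower()

def link_host(url):
    """Host part of a link, i.e. what hovering over the link reveals."""
    return urlsplit(url).hostname or ""

def review_message(from_header, links):
    """Return a list of human-readable findings for one message."""
    findings = []
    display, address = parseaddr(from_header)
    sender_domain = address.rpartition("@")[2]
    if not is_trusted_host(sender_domain):
        findings.append(f"sender address is external: {address}")
        if naive_check(display):
            findings.append(f"display name '{display}' implies UVic")
    for url in links:
        host = link_host(url)
        if not is_trusted_host(host):
            note = " (contains 'uvic' but is not uvic.ca)" if naive_check(host) else ""
            findings.append(f"link host is external: {host}{note}")
    return findings

# Constructed sample message; only www.uvic.a1.biz is taken from the page.
SAMPLE_FROM = "UVic <helpdesk@mail.example.net>"
SAMPLE_LINKS = ["https://www.uvic.a1.biz/login", "https://www.uvic.ca/systems/"]

if __name__ == "__main__":
    for finding in review_message(SAMPLE_FROM, SAMPLE_LINKS):
        print(finding)
```

A spoofed internal sender passes the sender check here, so the link check has to stand on its own; the From header alone cannot prove where a message came from.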
IMPORTANT NOTICE
How many “important notices” have we had so far? Hopefully UVic users can identify this phish easily. Below is a screenshot of the message. The sender is some compromised account at another university. The usual urgency tactic (otherwise your account is going to be deleted). To make it more authentic, they even mention phish!
If a scammer mentions “scam” that doesn’t make them legit, does it?
Again – do not be curious, do not click on these links. They might contain malicious software to infect your computer instantly.
ADMINISTRATIVE INSTRUCTION
This phish looks quite convincing. The sender is external and the body of the message is a bit vague in order to provoke the reader’s curiosity to open the PDF file.
——————————————————————————
The PDF itself contains the following text. It promises $400 for 3 hours of work (too good to be true, especially when sent to an unknown recipient).
At the end they ask you to provide personal information.
————————————————————————————
NEW FAX MESSAGE
This phish has variations, but the common thing is to click to get a document, a voicemail, etc. The one circulating today pretends you received a fax (somewhere?!) and it is one click away. What actually happens when you click is that a browser window opens and a .jar file downloads automatically. Jar files are Java programs, and this one is a malicious one. Once it is downloaded, there is a chance you click on it, the program executes and your computer gets infected.
Please report such phish, do not be curious and do not click on the buttons.