Notification (IT Service Desk)

Many UVic mailboxes received this phish in the morning. It is a copy of what we had earlier this month.

Again, it comes from a Gmail sender and overall the short text does not make much sense – to validate (what?) because there were unauthorized login attempts?!?

Their fake page contains UVic symbols though. Please do not be curious and do not open such links as they may contain malware to infect your computer instantly (Mac users – that applies to you too!)

 

Re:Update!

Another massive phish is circulating this afternoon.
It has “Re:” in the subject to imply that you already had a thread with this sender.
It has an exclamation mark, as a typical trick of phish senders is to suggest some level of urgency.

It comes from a Gmail sender and overall the short text does not make much sense – to validate (what?) because there were unauthorized login attempts?!?

Their fake page contains UVic symbols though. Please do not be curious and do not open such links as they may contain malware to infect your computer instantly (Mac users – that applies to you too!)


The fake logon page is shown below:

Deactivation

This phish is in circulation today. The same old story – click to prevent deactivation of your account. See below. The sender is external. Please don’t be curious and do not click these links. They are designed to steal credentials, but they may also contain malware to infect your computer instantly. Our experts open them on dedicated isolated machines.

This is what the phish looks like:

And this is a screenshot of the fake page:

 

Action required

Another attempt to persuade you to act quickly: this phish comes with the subject “Action required”. It may or may not use a forged UVic address as a sender (see the screenshot). To be more convincing, the body of the message contains the email address of the recipient.
As usual – do not be curious, do not open these links that point to fake UVic login pages designed to steal your credentials.

Payment confirmation

An email with the subject “payment confirmation” is circulating today. To avoid detection, the malicious actors made a huge executable file (containing the malicious code), then put that executable file into a .iso file, and then zipped that .iso.
The zip file is about 2Mb in size and is attached to the email.
Please do not open these attachments! If in doubt, first ask your Desktop support person or the Helpdesk.
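The nesting described above (executable inside a .iso inside a zip) can be checked on the mail gateway side without mounting anything. The following is an added example, not UVic's tooling: it assumes the executable is a Windows PE file stored on a 2048-byte block boundary inside the image, the size-ratio limit is an arbitrary assumption, and the sample archive is constructed (it is not a valid ISO image).

```python
import io
import struct
import zipfile

IMAGE_EXTS = (".iso", ".img", ".vhd", ".vhdx")  # disk images that can wrap an executable
SECTOR = 2048                  # ISO 9660 block size; file data starts on a block boundary
MAX_READ = 64 * 1024 * 1024    # assumption: cap on bytes inflated per member
RATIO_LIMIT = 20               # assumption: flag members that inflate more than 20x

def pe_offsets(blob):
    """Offsets of block-aligned Windows PE headers inside a disk image."""
    hits = []
    for off in range(0, len(blob) - 0x40, SECTOR):
        if blob[off:off + 2] != b"MZ":
            continue
        (e_lfanew,) = struct.unpack_from("<I", blob, off + 0x3C)
        if blob[off + e_lfanew:off + e_lfanew + 4] == b"PE\0\0":
            hits.append(off)
    return hits

def inspect_zip(data):
    """Return (member, reason) findings for a zip attachment given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(IMAGE_EXTS):
                continue
            findings.append((info.filename, "disk-image"))
            if info.file_size > RATIO_LIMIT * max(info.compress_size, 1):
                findings.append((info.filename, "high-ratio"))
            with zf.open(info) as fh:
                blob = fh.read(MAX_READ)  # bounded read, never a full extract
            if pe_offsets(blob):
                findings.append((info.filename, "executable-in-image"))
    return findings

def build_sample():
    """Constructed sample: zero padding plus a minimal PE header stub, zipped as .iso."""
    stub = bytearray(0x100)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x80)   # e_lfanew -> offset of "PE\0\0"
    stub[0x80:0x84] = b"PE\0\0"
    image = bytes(16 * SECTOR) + bytes(stub) + bytes(3_000_000)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payment_confirmation.iso", image)
    return buf.getvalue()
```

Calling `inspect_zip(build_sample())` reports all three reasons for the single member; an archive with no disk image inside returns an empty list.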

The screenshot below shows that the sender is external. As is usual for such campaigns, they used many different sender addresses.

ICT System Administrator

This phish has been circulating since early this morning. See a screenshot below.
As usual you are expected to act fast. Your password expires in 3 hours, and if you don’t act your account will be deleted in 4 hours?!? Isn’t that ridiculous?
The sender pretends to be a “System administrator connected to Microsoft Exchange”. They are clearly using some external address somewhere in Germany. They put themselves as the recipient, and all other recipients received Bcc copies.
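Two header traits described in these posts can be checked mechanically: a “Re:” subject with no earlier thread behind it, and a sender who addresses the message to themselves while everyone else gets a Bcc copy. The sketch below is an added example, not UVic's tooling; the sample messages, the `.example` addresses and the flag names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

INTERNAL_DOMAIN = "uvic.ca"  # assumption: the organization's own mail domain

def header_flags(raw, delivered_to):
    """Return heuristic flags for one message, given the mailbox it landed in."""
    msg = message_from_string(raw)
    flags = set()

    # A genuine reply carries In-Reply-To or References; a bare "Re:" does not.
    subject = (msg.get("Subject") or "").strip().lower()
    if subject.startswith("re:") and not (msg.get("In-Reply-To") or msg.get("References")):
        flags.add("re-without-thread")

    sender = parseaddr(msg.get("From", ""))[1].lower()
    visible = {addr.lower() for _, addr in
               getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    # The sender is among the visible recipients while the mailbox that
    # actually received the message is not: it was delivered via Bcc.
    if sender in visible and delivered_to.lower() not in visible:
        flags.add("self-addressed-bcc")

    domain = sender.rpartition("@")[2]
    if domain != INTERNAL_DOMAIN and not domain.endswith("." + INTERNAL_DOMAIN):
        flags.add("external-sender")
    return flags

# Constructed samples (not real messages).
PHISH = (
    "From: System Administrator <sysadmin@mailhost.example>\n"
    "To: sysadmin@mailhost.example\n"
    "Subject: RE: ICT System Administrator!\n"
    "\n"
    "Your password expires in 3 hours.\n"
)
LEGIT = (
    "From: Colleague <colleague@uvic.ca>\n"
    "To: user@uvic.ca\n"
    "Subject: Re: meeting notes\n"
    "In-Reply-To: <constructed-id@uvic.ca>\n"
    "\n"
    "See you then.\n"
)

if __name__ == "__main__":
    print(sorted(header_flags(PHISH, "user@uvic.ca")))
    print(sorted(header_flags(LEGIT, "user@uvic.ca")))
```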

 


The link is external of course, and points to a fake login page that’s created to steal your credentials.

Please never click on suspicious links, don’t be curious. Sometimes these pages may contain malware to infect your machine instantly. Our experts open these in a dedicated isolated environment.
This particular fake page is shown below:

“your email” failed vulnerability check

This phish is circulating today. See a screenshot below.
Of course something must be wrong and of course you have to act fast. The sender pretends to be “uvic webmail support” but is clearly using some external address. Note how the malicious actor deliberately put spaces inside some words in the message body in order to evade automatic detection of phish, e.g. in the words “vulnerability”, “click”, “below”, “validate”.
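A filter can undo this trick by matching each watched word with optional whitespace between its letters and reporting only the spellings that are actually split. The code below is an added example, not UVic's filter; the threshold of two split words and the sample bodies are constructed assumptions.

```python
import re

KEYWORDS = ("vulnerability", "click", "below", "validate")  # words named in the post
THRESHOLD = 2  # assumption: one split word may be innocent ("be low"), two rarely are

def _pattern(word):
    # Allow whitespace between any two letters, but require the whole match
    # to start and end at a word boundary so "magic lick" is not "click".
    body = r"\s*".join(re.escape(ch) for ch in word)
    return re.compile(r"(?<!\w)" + body + r"(?!\w)", re.IGNORECASE)

PATTERNS = {word: _pattern(word) for word in KEYWORDS}

def split_keywords(text):
    """Map each keyword to the split spellings found in text; intact spellings are ignored."""
    found = {}
    for word, pat in PATTERNS.items():
        variants = sorted({m.group(0) for m in pat.finditer(text)
                           if m.group(0).lower() != word})
        if variants:
            found[word] = variants
    return found

def is_suspicious(text):
    """True when at least THRESHOLD different keywords appear only in split form."""
    return len(split_keywords(text)) >= THRESHOLD

# Constructed sample bodies.
PHISH_BODY = ("Your email failed vulnera bility check. "
              "Cl ick be low to vali date your mailbox.")
CLEAN_BODY = "Please click the link below to validate the vulnerability report."

if __name__ == "__main__":
    print(split_keywords(PHISH_BODY))
    print(is_suspicious(PHISH_BODY), is_suspicious(CLEAN_BODY))
```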

The link is external of course, and points to a fake roundcube mail page that’s created to steal your credentials.

Please never click on suspicious links, don’t be curious. Sometimes these pages may contain malware to infect your machine instantly. Our experts open these in a dedicated isolated environment.

Password notification May 02

Same old tactics – scare the user that something is wrong and must be dealt with fast, navigate to a fake page, steal your UVic credentials.

A screenshot of the phish message is shown below. The link in fact points to an external site (that can be seen by hovering the cursor over the link, without clicking).

 

A screenshot of the fake page is shown below:

Please never click on suspicious links, don’t be curious. Sometimes these pages may contain malware to infect your machine instantly. Our experts open these in a dedicated isolated environment.

Email Storage is 95% full

This phish is circulating today.

Same old tactics – scare the user that something is wrong and must be dealt with fast, navigate to a fake page, steal your UVic credentials.

A screenshot of the phish message is shown below. The email of the recipient is included in the message. The links pretend to be internal but in fact point to an external site (that can be seen by hovering the cursor over the link, without clicking).

 

 

This is what the fake page looks like:

 

RE: ICT System Administrator!

This phish is circulating today. Nothing really innovative – if you don’t update your password, allegedly your account will be deleted within 5 hours. Same old scare tactics – act fast, think less.
As usual a fake UVic-like page is designed with the single purpose to steal our credentials. In fact this time it is not quite UVic-like (shown at the bottom).
Please never click on suspicious links, don’t be curious. Sometimes these pages may contain malware to infect your machine instantly. Our experts open these in a dedicated isolated environment.

A screenshot of the phish is shown below. The sender is clearly external and the link is external too (the safe way to see it is to hover on it with the cursor without clicking).




The fake credentials page:

ACTION REQUIRED

As the subject suggests, this malicious actor employs the trivial scare tactics. You have to act fast or allegedly you will lose emails. As usual a fake UVic-like page is designed with the single purpose to steal our credentials.

The sender is clearly external and the link is external too (the safe way to see it is to hover on it with the cursor without clicking).

Below you can see the email that many UVic users received today. Please never click on suspicious links, don’t be curious. Sometimes these pages may contain malware to infect your machine instantly. Our experts open these in a dedicated isolated environment.


The fake page looks like this:

“Invoices” and other infected Excel attachments

Today UVic users are being attacked by emails containing infected Excel attachments. In some cases they impersonate UVic people and send to their colleagues (names redacted). In some cases the display name of the sender is just “uvic”. The sender address is clearly external. Note also their 044 phone numbers.
It can pretend to be an invoice or anything else as well.
Do not open these attachments!
Report by the phish button or call your desktop support for assistance.

 

You have pending incoming messages.

We see a novel idea in the phish area today. This time they are trying to persuade you that MS Defender prevented delivery of email messages.
The sender is clearly external. The link to “review messages” is also external; you can see it by hovering over it with the mouse cursor, without clicking.

Please do not click on such links out of curiosity, they may contain malware to infect your machine instantaneously. Our experts open those in a dedicated isolated environment.
The fake login page is pretty much like our regular Outlook Web Access page (aka OWA).

Final Important Notice !!

This phish claims roundcube mail was to be upgraded and asks you to click on a link that has nothing to do with UVic. The sender is clearly external and if you hover over the link with the mouse cursor you will notice it is external too. Please do not click on such links out of curiosity, they may contain malware to infect your machine instantaneously. Our experts open those in a dedicated isolated environment.
The fake login page is shown at the bottom.

 

——————————————————————————–

Apparently the same actors sent the same link in a different phish, which has a different subject line but the same text in the body of the message. It looks like this:

Below is the fake login page:

Password expiry for …

This phish was received by many UVic recipients today. The usual tactic is employed – to scare the recipient into acting fast, otherwise their password (allegedly) would expire. We don’t send such emails.
Note also the sender address — clearly external.
If you hover the mouse over the link (without clicking!) you will notice it is not a UVic address there. That link redirects to another which contains a CAPTCHA, to imply legitimacy, and after that you end up with the usual login page designed to steal your UVic credentials. The page contains your UVic email address thus implying you are at the right place. You are not.


 

This is what the fake page looks like:

It is important to remember that in some cases just loading the web page may get your workstation infected. This is why we always suggest not to be curious and not to click on such links even for a quick look. Our experts open those in dedicated isolated environments.