Similarly to our previous post, this phish was received by many UVic users today.
Such attachments may contain malicious scripts and macros. They may come from external senders, but they may also come from compromised internal accounts. If unsure, ask your desktop support person for help; don’t be curious and don’t rush to open the attachments.
Author: Mario Ivanov
You have 2 new important messages from IT helpdesk.
Many UVic users received a phish with this subject today. The text of the email looks quite trivial (see a screenshot below) but it leads to a very well copied fake UVic login page (also shown below). Another variation leads to a fake VPN login page. Note that the address of the sender is external. It is also easy to spot that the links are external if you hover the mouse cursor over them. Please do not click on them, do not be curious. Your computer may get malware even just by visiting such pages. Our experts investigate them by using specially isolated computers.
The email:
The fake login page:
The fake VPN login page:
You have a new voice message
“Voice mail” phish has been around for years.
Yet some people see it for the first time and may fall victim. Generally it claims you have a voice message to hear. You click on the attachment, but rather than a voice recording it is an HTML file which contains malware, or in more sophisticated cases it redirects you to an external web page where you are supposed to hear the promised recording. That page may or may not require credentials. If you enter your UVic credentials they get stolen, and the attacker has access to all UVic resources that you have access to. The “recording” may in fact be malware which will take control of your workstation the moment you load it. Moreover, in some cases just loading the web page may get your workstation infected.
This is why we always suggest not to be curious and not to click on such links even for a quick look. Our experts open those in dedicated isolated environments.
The same trick is applied with all kinds of alleged “documents”; for example, the subject “Scanned documents” is heavily used by scammers.
Note the sender’s address and the .htm attachment.
You have new important message from IT helpdesk
This phish is circulating today. The link leads to a very precise copy of the real UVic login page, stored by malicious actors on some external server. As usual the goal is to steal your UVic credentials.
If you hover with the mouse cursor over the link without clicking you can clearly see the address of the fake page is not on uvic.ca.
We are showing below two examples of the same phish from two different recipients. The first did not subscribe to get the “External sender” banner, while the second did. You can subscribe to flag external emails on this page (the bottom):
https://web.uvic.ca/sysprog/cgi-bin/spamhater.pl
Please don’t be curious and don’t click on such links because sometimes they may contain malware which can infect your computer in an instant.
The fake page is shown below:
You have 2 new important messages from IT helpdesk
This phish is circulating today. It uses the UVic logo and the link leads to a very precise copy of the real UVic login page, stored by malicious actors on some external server. As usual the goal is to steal your UVic credentials.
If you hover with the mouse cursor over the link without clicking you can clearly see the address of the fake page is not on uvic.ca.
Please don’t be curious and don’t click on such links because sometimes they may contain malware which can infect your computer in an instant.
You have a pending teams notification
This phish is circulating today, but we have seen similar ones in the past and perhaps there will be more in the future. What they have in common: they contain a malicious .htm or .html attachment.
The one from today (see a screenshot below) raises too many red flags:
- It comes from some external sender.
- Voicemail from Teams???
- Claims the size to be 12Mb but it is actually very tiny.
- A voice recording wouldn’t come in an HTML file.
Please ask the Helpdesk or your dedicated Desktop support person, but never open these attachments if you are not sure about their legitimacy.
This one in particular contains a link which loads automatically in the browser when you open the attachment. That page contains scripts that start downloading malicious content onto your computer.
UVic web service is currently undergoing scheduled maintenance.
Many UVic users received this phish today. It uses the UVic logo and a malicious link is disguised to look like belonging to UVic. In fact it points to an external address which you can see by hovering the mouse pointer over the link.
Obviously the sender is also external.
As always – we suggest not to be curious and not to click on such links even for a quick look. Some of them may contain malware and infect your machine almost instantly. Our experts open those in dedicated isolated environments.
Your email deactivation will complete in less than 48 hours.
This phish was received by numerous UVic recipients this morning. The malicious actors used the usual tactics: scaring the recipient into acting fast to prevent their account from being deactivated.
The link points to a webpage in the .hu domain which belongs to Hungary.
The senders’ addresses are different but most appear to be in the gov.jm and go.ug domains.
Your account exceeded the limit…
This phish is circulating at UVic today. The malicious actors put in some more effort this time. Not only is the sender spoofed to look like a legitimate UVic address, but they also used the UVic logo and the real address and phone number of the UVic helpdesk.
The link points to a webpage in Mexico designed to look as if belonging to UVic.
And below is a screenshot of the fake page designed to steal your UVic credentials. As always – we suggest not to be curious and not to click on such links even for a quick look. Some of them may contain malware and infect your machine almost instantly. Our experts open those in dedicated isolated environments.
Blocked access to your email
Another phish of this kind is circulating today. It uses the usual tricks: something is wrong and you should act quickly. The link however points to an external page.
That page looks like the standard OWA (Outlook Web Access) and is designed to steal your UVic credentials. See below screenshots of the phishing email and the OWA page. Note the sender’s address.
As always – we suggest not to be curious and not to click on such links even for a quick look. Some of them may contain malware and infect your machine almost instantly. Our experts open those in dedicated isolated environments.
request (for money…)
Today, a lot of UVic employees received an email impersonating a chair/director/manager and trying to extort money. You can see a screenshot below. Clearly the sender is not internal, it is another “director” account registered at gmail for the sole purpose of scamming. Your director would not ask you for such a favour by using their gmail. Even better – you can confirm with your director/chair/manager that they would never ask for a favour like that by email.
If in doubt, try to reach them by using another channel, e.g. a phone call.
Note also that the scammer failed to capitalize “I” 3 times in that letter. Mistakes like that are common in scams.
You have received (2) file via We-Transfer
This phish comes with a relatively innocent subject suggesting you were sent files by “wetransfer” (a free file exchange platform). It contains a “Get your files” button and a separate “download link” which on screen seems to point to wetransfer.com.
What’s really dangerous about this phish is that both the button and the download link in fact point to a malicious site which has nothing to do with either wetransfer or UVic. The actual URL (pointed to by the red arrow in the screenshot below) can be seen if you hover the mouse cursor over the link. That site contains a copy of the main UVic page and asks you to log in with your UVic credentials. It looks so real that you may forget what the initial email was about and you may forget to check the address in the address bar.
And below is what the fake UVic page looks like. Note the malicious site address in the address bar. As always – we suggest not to be curious and not to click on such links even for a quick look. Some of them may contain malware and infect your machine almost instantly. Our experts open those in dedicated isolated environments.
Please respond {ASAP} — gift card scam
Today many users received an email that is the typical beginning of a gift card scam. Typically scammers register a gmail address. They like to include “executive” or “director” in the name of the gmail account to make it sound more convincing. Sometimes they include the name(s) or initials of the person that they impersonate. Most frequently Deans/Chairs/managers are impersonated, but we’ve also seen impersonations of their respective assistants, as in the example below.
What we find new in the arsenal of con-artists is to add a brief explanation “Sorry for using my alternate email”.
If in doubt we suggest you call the person on the phone or use their UVic address to determine if the request was legit.
Even better, if you are a dean/chair/manager/etc, just tell your people that under no circumstances would you ask them by email to buy gift cards for you.
Confirm your account phish
This phish was sent in a massive wave to many UVic accounts today. The link points to a fake Outlook Web Access page which looks pretty similar to the real one. As you can see, the sender Xing Wu from Germany has nothing to do with your supposedly blocked emails, uses the typical scare tactic that you should act immediately, and demonstrates some broken grammar. As we always repeat – please do not be curious and do not open those links, they may contain malware.
Fax received (in fact a malicious htm/html attachment)
Malicious actors are trying a new trick this week. And it is gaining momentum because of the neat tricks of obfuscation they apply so that our automatic mechanisms cannot sort out such emails and more precisely such attachments.
The email subjects can be of any kind, for example this pattern is quite popular:
Fax Received: kakapena | 8/9/2021 5:44 AM
where the word after “Fax Received:” is the actual recipient’s name.
We’ve seen subjects without the recipient name like:
Incoming Fax notification 6:51:48 PM
The subject is not important though. It could be anything. The body of the email is also unimportant. See an example below. The common thing is the attachment, which is a .htm or .html file. If you double-click that attachment it will open in the default application, which is your default browser, and present you with a web page designed to look like it belongs to UVic, with the sole purpose of stealing your UVic credentials. That’s the common type we are seeing recently.
Never click on those attachments!
They may utilize other tricks leading to downloading of malware and potential compromise of your computer.
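An added example (not from the original posts): a triage check for the .htm/.html attachment pattern described in the "Fax received" and "pending teams notification" posts. It parses a raw message and reports an external sender, an HTML attachment, and markup that loads a remote page without a click; the sample message, its addresses and the example.org/example.net hosts are constructed, and the redirect pattern is an assumed heuristic.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAIN = "uvic.ca"  # assumption: the organisation's own mail domain
HTML_EXT = (".htm", ".html")
# Markup that makes a locally opened HTML file load a remote page on its own.
AUTOLOAD_RE = re.compile(r"http-equiv\s*=\s*[\"']?refresh|location\.(?:href|replace)", re.I)

def triage(raw_bytes):
    """Return the list of red flags found in one raw RFC 5322 message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    flags = []
    domain = parseaddr(str(msg.get("From", "")))[1].lower().rpartition("@")[2]
    if domain != INTERNAL_DOMAIN and not domain.endswith("." + INTERNAL_DOMAIN):
        flags.append("external-sender")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(HTML_EXT):
            continue
        flags.append("html-attachment")
        # Decode the transfer encoding (base64 / quoted-printable) before matching.
        markup = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        if AUTOLOAD_RE.search(markup):
            flags.append("auto-redirect")
    return flags

def constructed_sample():
    """Build a constructed message shaped like the 'voice message' phish."""
    msg = EmailMessage()
    msg["From"] = "Voicemail <notify@mail.example.org>"
    msg["To"] = "user@uvic.ca"
    msg["Subject"] = "You have a pending teams notification"
    msg.set_content("You have a new voice message (12Mb).")
    page = ('<html><head><meta http-equiv="refresh" '
            'content="0; url=https://login.example.net/"></head></html>')
    msg.add_attachment(page, subtype="html", filename="VoiceMessage.htm")
    return msg.as_bytes()
```

Obfuscated attachments may not match the redirect pattern at all, so the combination of an external sender and any .htm/.html attachment is the signal to act on.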