Author: Mario Ivanov

“Voice mail” phish has been around for years.
Yet some people see it for the first time and may fall victims. Generally it claims you have a voice message to hear. You click on the attachment but rather than a voice recording it is a html file which contains malware, or in more sophisticated cases – it redirects you to an external web page where you are supposed to hear the promised recording. That page may or may not require credentials – if you put your UVic credentials they get stolen and the attacker has access to all UVic resources that you have access to. The “recording” may in fact be malware which will take control of your workstation the moment you load it.  Moreover in some cases just loading the web page may get your workstation infected.

This is why we always suggest not to be curious and not to click on such links even for a quick look. Our experts open those in dedicated isolated environments.

Same trick is applied with all kinds of  alleged “documents”, for example the subject “Scanned documents” is heavily used by scammers.

---

Note the sender’s address and the .htm attachment.

 

This phish is circulating today. The link leads to a very precise copy of the real UVic login page, stored by malicious actors on some external server. As usual the goal is to steal your UVic credentials.

If you hover with the mouse cursor over the link without clicking you can clearly see the address of the fake page is not on uvic.ca.

We are showing below two examples of the same phish from two different recipients. The first did not subscribe to get the “External sender” banner, while the second did.  You can subscribe to flag external emails on this page (the bottom):
https://web.uvic.ca/sysprog/cgi-bin/spamhater.pl

---

 

---

 

---

Please don’t be curious and don’t click on such links because sometimes they may contain malware which can infect your computer in an instant.
The fake page is shown below:

This phish is circulating today. It uses the UVic logo and the link leads to a very precise copy of the real UVic login page, stored by malicious actors on some external server. As usual the goal is to steal your UVic credentials.

If you hover with the mouse cursor over the link without clicking you can clearly see the address of the fake page is not on uvic.ca.

Please don’t be curious and don’t click on such links because sometimes they may contain malware which can infect your computer in an instant.

This phish is circulating today, but we have seen similar in the past and perhaps there will be more in the future. What is common — they contain a malicious .htm or .html  attachment.

The one from today (see a screenshot below) raises too many red flags:

• It comes from some external sender.
• Voicemail from Teams???
• Claims the size to be 12Mb but it is actually very tiny.
• A voice recording wouldn’t come in a html file

Please ask the Helpdesk or your dedicated Desktop support person but never open these attachments if not sure about their legitimacy.

This one in paricular contains a link which loads up automatically in the browser when you open the attachment.  That page contains scripts that start downloading malicious content onto your computer.

Many UVic users received this phish today. It uses the UVic logo and a malicious link is disguised to look like belonging to UVic. In fact it points to an external address which you can see by hovering the mouse pointer over the link.
Obviously the sender is also external.

---

 

---

 

As always – we suggest not to be curious and not to click on such links even for a quick look. Some of them may contain malware and infect your machine almost instantly. Our experts open those in dedicated isolated environments.

This phish was received by numerous  UVic recipients this morning. The malicious actors used the usual tactics – to scare the recipient to act fast in order to prevent their account from deactivation.
The link points to a webpage in the .hu domain which belongs to Hungary.
The senders addresses are different but most appear to be in the gov.jm  and go.ug domains.

This phish is circulating at UVic today. The malicious actors put some more effort this time. Not only the sender is spoofed to look like a legitimate UVic address but they used the UVic logo and the real address and phone number of the UVic helpdesk.
The link points to a webpage in Mexico designed to look as if belonging to UVic.

 

 

---

And below is a screenshot of the fake page  designed to steal your UVic credentials.  As always – we suggest not to be curious and not to click on such links even for a quick look. Some of them may contain malware and infect your machine almost instantly. Our experts open those in dedicated isolated environments.

 

Another phish of this kind is circulating today.  It uses the usual tricks – something is wrong and you should act quick. The link however points to an external page.
That page looks like the standard OWA (Outlook Web Access) and is designed to steal your UVic credentials. See below screenshots of the phishing email and the OWA page.  Note the sender’s address.

As always – we suggest not to be curious and not to click on such links even for a quick look. Some of them may contain malware and infect your machine almost instantly. Our experts open those in dedicated isolated environments.

 

Today, a lot of UVic employees received an email impersonating a chair/director/manager and trying to extort money. You can see a screenshot below. Clearly the sender is not internal, it is another “director” account registered at gmail for the sole purpose of scamming.  Your director would not ask you for such a favour by using their gmail. Even better – you can confirm with your director/chair/manager that they would never ask for a favour like that by email.
If in doubt – try to find them by using another channel e.g. a phone call .

Note also that the scammer missed to capitalize “I” 3 times in that letter.  Mistakes like that are common in scams.

This phish comes with a relatively innocent subject suggesting you were sent files by “wetransfer” (a free file exchange platform). It contains a “Get your files” button and a separate “download link” which on screen seems to point to wetransfer.com.
What’s really dangerous about this phish is that both the button and the download link in fact point to a malicious site which has nothing to do neither with wetransfer, nor with UVic.  The actual URL (pointed by the red arrow in the screenshot below) can be seen if you hover the mouse cursor over the link.   That site contains a copy of the main UVic page and asks you to login with your UVic credentials.  It looks so real that you may forgot what was the initial email about and you may forgot to check the address in the address bar.

——————————————————————————————-

And below is how the fake UVic page looks like. Note the malicious site address in the address bar.  As always – we suggest not to be curious and not to click on such links even for a quick look. Some of them may contain malware and infect your machine almost instantly. Our experts open those in dedicated isolated environments.

Many users received an email what is the typical beginning of a gift card scam today. Typically scammers register a gmail address. They like to include “executive” or “director” in the name of the gmail account to make it sound more convincing. Sometimes they include the name(s) or initials of the person that they impersonate.  Most frequently Deans/Chairs/managers are impersonated, but we’ve seen also impersonations of their respective assistants, as in the example below.
What we find new in the arsenal of con-artists is to add a brief explanation  “Sorry for using my alternate email”.
If in doubt we suggest you call the person on the phone or use their UVic address to determine if the request was legit.
Even better, if you are a dean/chair/manager/etc, just tell your people that under no circumstances you would ask them by email to buy gift cards for you.

This phish was sent in a massive wave to many UVic accounts today. The link points to a fake Outlook Web Access page which seems pretty similar to the real one. As you can see the sender Xing Wu from Germany has nothing to do with your supposedly blocked emails, uses the typical scaring tactics that you should act immediately and demonstrates some broken grammar. As we always repeat – please do not be curious and do not open those links, they may contain malware.

Malicious actors are trying a new trick this week. And it is gaining momentum because of the neat tricks of obfuscation they apply so that our automatic mechanisms cannot sort out such emails and more precisely such attachments.

The email subjects can be of any kind, for example this pattern is quite popular:

Fax Received: kakapena | 8/9/2021 5:44 AM

where the word after “Fax Received:” is the actual recipient’s name.

We’ve seen subjects without the recipient name like:

Incoming Fax notification 6:51:48 PM'

The subject is not important though. It could be any.  The body of the email is also unimportant. See an example below. The common thing is the attachment which is a .htm or .html file. If you double-click that attachment it will open in the default application which is your default browser and present you with a web page designed to look like belonging to UVic with the sole purpose of stealing your UVic credentials.  That’s the common type we are seeing recently.

Never click on  those attachments!
They may utilize other tricks leading to downloading of malware and potential compromise of your computer.

 

A colourful phish is circulating today. It has a flashy subject – [IMPORTANT] NOTICE and it tries to persuade you that you have to click the button in order to release a certain number of pending messages in your mailbox.  The malicious actor named themselves “Uvic Webmail Support” but they did not bother to spoof the sender’s address. It is obviously not a UVic address. Also if you hover the mouse cursor over the link you will see it does not point to a UVic page. As we always repeat  – Please do not be curious and do not click the link. Sometimes these pages may contain malware which gets installed in an instant. No matter you did not enter credentials, no matter you closed the bad page quickly. We investigate such pages in a special safe environment, the second screenshot shows how this fake Outlook Web Access page looks like. Apparently they targeted UVic specifically and used a UVic logo there.

—————————————————————————————————–

This is another phish circulating today July 29th.
Unlike the previous one, the sender obviously has nothing in common with UVic. But similarly to the previous one, their goal is the same – to steal your UVic credentials by pointing you to a fake Outlook Web Access page. Please do not be curious and do not click on the link. Sometimes those pages may contain malware and only by opening them, even for an instant, your computer may get compromised.