A view into a fake job scam

Scammers routinely target students with job scams, taking advantage of those trying to make ends meet or pay tuition and rent with a seemingly attractive job offer.  In reality, the victim is asked to deposit a fake cheque and immediately send an e-transfer from their personal bank account.  Because the cheque is fake, the bank eventually cancels or reverses the deposit, and the victim has lost their own personal funds.

Recently I had the opportunity to play the role of the victim using a persona configured for this purpose.  The following are some screenshots of SMS messages and emails that give insight into how the attacker works and how a victim might be fooled into giving up their hard-earned personal funds.

Note that some details have been redacted.  Also, do NOT try this yourself.  This is posted for educational purposes only.

A recent phishing attack included form fields for username, password, and cell phone number.  For this attack, a fake username and password were entered, as well as a temporary phone number from an SMS app.  A couple of weeks after the data was entered into the form, I received a text at that temporary number.


The attacker tries to pivot away from @uvic.ca email so that the information security team can’t discover or block the fraudulent activity.  Moving the conversation to SMS is also a common tactic scammers use to get off university infrastructure.  I had to quickly create a new Gmail address to engage with the scammer.

In my brand new Gmail account, I receive an email about the job offer.  “Mark” is careful to make sure I know why I won’t be interviewing in person (or by Zoom) just to make sure I won’t ask questions.  I carefully read the email, and then I respond with the requested information (plausible, but fake answers, knowing that Mark wouldn’t actually read them or care about them).

Date: January 19! , 2024
Hello Garry Zebaurelios
I would like to apologize about our unseemly approach if this interview conducting method is unprofessional to you or if you are new to all this, but we believe the world is always advancing and so it is important to stay on top of things as change is inevitable. This is going to be a chat interview as a result of the bulkiness and complexity of the messages and I believe you are ready for the job briefing.

Concerning the Personal Assistant Job that you have applied for. I am glad to congratulate you as your position has been confirmed. So sorry we couldn't meet up before you get started with work as I am presently away on a business trip in Australia  running some network programs. I will be back to the states in 3 weeks or less, but be rest assured that you can officially get started. As soon as I have arrived we can discuss more issues. I really need the helping hand on my daily schedules. Working remotely as Part time/Full time Personal Assistant.

NB : There will be no Interview till I'm back in person.

Duties and Responsibilities:
* Donations
* Schedule Meetings
* Booking Travels and Accommodations
* Perform Market Research Where Applicable
* Purchase Supplies

First Task: 
However, your first tasks for this week will be as follows. You will be booking a reservation for some of my guests for an upcoming event which is taking place next week. Further instructions as to how to make the reservations will be forwarded to you before the end of the week. However, the funds to book for the reservation plus your payment for your first task will be sent to you via a cashier's check. Any other task arising will be duly communicated to you also. So I'll need you to be on-time and prompt with your response to my mails.

* Firstly I would like you to attach a copy of your resume.
* Your Full Name that will be on the Check Payment(First and Last Name)
* Do you have an existing savings/checking account where you will deposit your check? (If YES What's the bank name)
* Reconfirm your present local address for mail delivery.
* What is your Mobile # that receives text messages?
* Do you know how to initiate a mobile deposit?
* What is your mobile daily deposit limit?

Kindly make sure you acknowledge this email as that will re-confirm your readiness and willingness to proceed. Make sure to constantly look at my email and will be on stand-by to receive future instructions. 

I will be expecting your prompt response to my email in order to attest to the receipt of my messages.

Thank you.
Regards mark begger


And there it is!  I’ve gone through the very difficult interview process and have now become Mark’s employee.  And I’m really looking forward to my 401k (a US financial instrument, even though I’m Canadian), multiple employment benefits, and a sign-on bonus!  All for $450 per week.  Time to quit my CISO job for the lucrative opportunity…


Of course, I have to be polite and let Mark know how excited I am.  I wonder if he knows how “schmincere” I really am.


I am soooooo ready for the first task as my boss’s new personal assistant.


Amazingly, Mark emails me instructions on how to do a mobile deposit of the fake cheque using two devices.  The support and instructions are superb for a new employee.


While I review the instructions, Mark pretends to have the bank endorse the cheque, so that I will be more comfortable doing the mobile deposit.  Knowing the bank has blessed it makes me feel so much better.  And of course, he gives me some great instructions on how to deposit, just so I get it right.  Maybe Mark has worked at a help desk before.


Here is where it gets even more interesting.  Mark emails me an image of a cheque from Royal Bank (I had indicated in my job application that I banked at Royal Bank).

The cheque appears to be plausible, if not legitimate.  The transit numbers were validated using an online bank routing database, and matched the branch address information on the cheque.  The names and address of the people on the cheque seem to be real, or at least based on a real person, from what I could tell from searches of Google and Google Maps.

For most people, this looks like a legitimate cheque… except that it’s a picture of a cheque, not a paper one.  (Note that I’ve reported this to Royal Bank.)


Now that I have some interesting information from Mark, I wanted to play a little and see if he noticed I was on to the scam.  I don’t think he picked up on the confirmation number I received when I “deposited” the cheque.


Mark’s name shockingly didn’t match the names on the cheque, so of course I had to see what reason he would give for that…


Mark still hasn’t told me what kind of business he is in, so I ask him, and of course it doesn’t even match the kind of business mentioned on the fake cheque.  Clearly he doesn’t want to share lots of detail, and he has an urgent job to do.  He provides me the name and email address to which I need to send an e-transfer.  (I’ve reported this to Interac support for their awareness and action.)


We suspect this threat actor is possibly of Nigerian origin, based on some past activity.  I decided to see if Mark would get another hint that I knew it was a scam, by mentioning Black Axe, which is a notorious Nigerian crime organization.


Mark is too busy for small talk and personal chatter.  I dropped another hint for him.  Air Lords are another known Nigerian criminal organization.  Perhaps Mark isn’t familiar with them, or maybe he’s not really reading what I’m saying.


Earlier Mark had sent me the name and email address of the person to whom I was supposed to send the e-transfer.  I looked up the person’s name on social media, and came back with several results, with multiple profiles indicating they lived in a particular town in Nigeria (surprise!).  So, I used that town name as a confirmation code.  I wonder if Mark started to suspect something…


I think he’s on to me…

Mark and I eventually got tired of each other, and the conversation ended up dwindling after nearly 24 hours.

Hopefully this gives some insight into how someone could become a victim of such a scam and how the scammer tries to extract money from victims.

You have new held messages

Sometimes organizations ‘quarantine’ email messages that might be suspicious, allowing the end user to review before releasing them to the user’s mailbox.  This phish tries to fool the user into thinking they have messages that need to be released from that quarantine.

In this case, the fake login page was hosted on the Google Firebase storage service.  The attacker used the UVic martlet image to try to fool users into thinking this is a legitimate UVic service, which it’s not.

Tutor Scam – Cheque Overpayment

A student recently reported a variation of a cheque overpayment scam involving an advertisement seeking a tutor for a high school student.  This tutor scam began with an innocent-looking email to the department, which was forwarded to interested students.

When the student emailed the supposed parent, the response seemed fairly believable but already contained signs of the typical scam.  The short-term nature and the involvement of a nanny, while plausible, are scam characteristics.



Next the scammer asked for some personal information, and indicated payment would be made in advance.  Both of these are additional warning signs of the scam.



Finally, the scammer indicated the cheque would have more than the agreed-upon fee due to some extenuating circumstance, and that the student/tutor would be expected to give the additional money to someone else (the nanny, in this case).



Thankfully the student realized this was a scam and reported it to their department.  Victims of these scams can lose thousands of dollars when the cheques eventually bounce.

If you are a UVic student and have seen these scams, report them to the Computer Help Desk.

I want a very quick response from you

Scammers use multiple tactics to avoid detection.  In this example, a likely gift card scam attempted to pivot to SMS (text messaging) by asking for a staff member’s personal cell phone number.  If successful, it would move the conversation with the scammer away from email systems, where it could be detected, and may have resulted in the disclosure of a personal phone number to a scammer.

Signs this might be a scammer include a fake external email address, the urgency of the subject line, and the request for a personal number.  The email warning banner at the top also indicates it didn’t originate from a UVic email address.

Someone who sent their cell phone number might have received a text message conversation starting out like this:

To see what a typical gift card scam email conversation might look like, check out a recent CISO Blog story detailing an interaction with a President Jamie Cassels impersonator.

Invoice Payment Redirection

An email account at one of UVic’s suppliers was compromised.  The attacker accessed the email account at the supplier and attempted to have staff at UVic send payment to a bank account owned by the attacker via wire transfer.

While the staff person in this particular department did not immediately suspect a fraud attempt, they eventually called the supplier contact and confirmed with the supplier that they did not send those emails.  No payment was sent.

Below are redacted screenshots of emails sent by the attacker.  If you receive similar emails, contact your supplier using a phone number you already have on file, inform UVic Accounting, and contact the Information Security Office.

This is the initial contact from the attacker:

The attacker starts to get demanding here:

And finally, the attacker forgets that improper spelling and grammar are a strong indicator that something is wrong:

Job Application

These emails often have varying subject lines (for example, “Job Application”, “Regading position”, “Regarding job”, “Job Posting”).  They also use random names in the body and in the attached filename.  Do not open the attached Excel spreadsheet, as it is malicious and is not related to any job posting or application.

Mailbox termination Alert

This one tries to fool recipients by saying “Message from Trusted server”.  It also tries to appear legitimate by making the displayed URL look like a valid UVic Outlook Web Access URL (mail.uvic.ca), but the real link goes to a malicious web page hosting a fake OWA login page.
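One check a mail filter can run for exactly this trick, shown here as an added example that is not the blog’s own code nor any UVic tooling: parse the anchors in an HTML body and flag any whose visible text names a host (mail.uvic.ca) that the href does not actually lead to.  The sample message and the attacker hostname inside it are constructed placeholders.

```python
"""Flag e-mail links whose visible text names one host while the href goes to another.

Added example for this post, not code from the UVic CISO blog: the HTML body
below is constructed, and the attacker hostname in it is a placeholder.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Something that looks like a hostname inside the link's visible text.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []      # finished (href, text) pairs
        self._href = None    # href of the anchor currently open, if any
        self._text = []      # text chunks seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL, or '' if it has none (e.g. 'javascript:')."""
    return (urlparse(url.strip()).hostname or "").lower()


def _same_site(shown, actual):
    """True when the displayed host is the real host or a parent/child of it
    (mail.uvic.ca shown, uvic.ca linked, or vice versa).  A lookalike such as
    mail.uvic.ca.<other-domain> does not pass."""
    return (shown == actual
            or actual.endswith("." + shown)
            or shown.endswith("." + actual))


def find_mismatched_links(html_body):
    """Return [(visible_text, href)] for anchors whose text names a host that
    the href does not lead to.  Text with no hostname in it ('click here')
    cannot mismatch anything and is skipped."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        match = HOST_RE.search(text)
        if not match:
            continue
        shown = match.group(1).lower()
        actual = _host(href)
        if not actual or not _same_site(shown, actual):
            findings.append((text, href))
    return findings


# Constructed body resembling the "Mailbox termination Alert" lure: the text
# shows the UVic OWA address, the href goes somewhere else entirely.
# "owa-login.attacker-placeholder.example" is a placeholder, not a real site.
SAMPLE_EMAIL = """
<p>Message from Trusted server: your mailbox will be terminated.</p>
<p>Sign in at
<a href="http://owa-login.attacker-placeholder.example/owa/">https://mail.uvic.ca/owa</a>
to keep your account.</p>
<p>Legitimate: <a href="https://mail.uvic.ca/owa">mail.uvic.ca</a></p>
<p>Also fine: <a href="https://www.uvic.ca/systems/">Computer Help Desk</a></p>
"""

if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: link shows {text!r} but goes to {href}")
```

The parent/child allowance in `_same_site` keeps ordinary mail (a link showing uvic.ca that lands on www.uvic.ca) quiet, while a “mail.uvic.ca” prefix glued onto some other domain still fails, because the comparison is anchored on the dot that precedes the real registrable name.  Links with no hostname at all (a `javascript:` href) are flagged too, since nothing the user sees can be trusted there.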

UVic End User

This phish tries to trick the user into thinking they broke the law or violated policy:

It redirects to a phish page complete with UVic Edge branding, logos, and terminology.  While it looks pretty and official, it’s certainly phishing.

Once you enter your NetLink ID and password, it presents you with a nice Thank You page:

Outlook Security Update

This phish mentions phishing to trick you into thinking it’s a legitimate email.

However, it goes to a URL that is clearly not a Microsoft site.  Notice how the word “Password” has been changed to use special characters to avoid detection by automatic scanners.
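The “Password” substitution is a homoglyph and leetspeak evasion, and the defender’s answer is to normalise the text before matching keywords.  As an added example (not code from this blog or from any UVic system), the following folds full-width letters, strips zero-width characters and accents, maps a hand-picked subset of Cyrillic and Greek look-alikes to ASCII, and then matches keywords with a pattern that tolerates digit substitutions and dotted-out letters.  The subject lines it scans are constructed.

```python
"""Fold look-alike characters and separators before keyword matching.

Added example for this post, not code from the UVic CISO blog.  The
obfuscated subject lines are constructed, and CONFUSABLES is a small
hand-picked subset of Unicode's confusables data, not the whole table.
"""
import re
import unicodedata

# Letters from other scripts (or rarer Latin forms) that render like ASCII ones.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0455": "s", "\u0456": "i", "\u0445": "x", "\u0443": "y",   # Cyrillic lower
    "\u0410": "A", "\u0415": "E", "\u041e": "O", "\u0420": "P", "\u0421": "C",   # Cyrillic upper
    "\u03b1": "a", "\u03bf": "o", "\u0391": "A", "\u039f": "O",   # Greek
    "\u0131": "i", "\u2113": "l",                                 # dotless i, script l
}
# Zero-width / soft-hyphen code points that split a word without being visible.
INVISIBLE = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u00ad"}
# Digits and symbols commonly substituted for letters ("Passw0rd", "P@ssword").
LEET = {"a": "a@4", "e": "e3", "i": "i1!|", "l": "l1|", "o": "o0", "s": "s5$", "t": "t7+"}


def normalize(text):
    """Return text with compatibility forms folded, invisible characters
    removed, accents stripped and look-alike letters mapped to ASCII."""
    text = unicodedata.normalize("NFKC", text)           # fullwidth, ligatures, math letters
    text = "".join(ch for ch in text if ch not in INVISIBLE)
    text = "".join(ch for ch in unicodedata.normalize("NFD", text)
                   if unicodedata.category(ch) != "Mn")  # drop combining accents
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def keyword_pattern(keyword):
    """Regex for a keyword that tolerates leetspeak substitutions and up to two
    punctuation/space characters between letters (P.a.s.s.w.o.r.d)."""
    classes = ["[" + re.escape(LEET.get(ch, ch)) + "]" for ch in keyword.lower()]
    return re.compile(r"[\W_]{0,2}".join(classes), re.IGNORECASE)


def find_keywords(text, keywords=("password", "verify", "account")):
    """Keywords from `keywords` that appear in `text` after normalisation."""
    clean = normalize(text)
    return [kw for kw in keywords if keyword_pattern(kw).search(clean)]


# Constructed subject lines in the style of the "Outlook Security Update" lure.
SAMPLES = [
    "Outlook Security Update: confirm your P\u0430ssw\u043erd now",   # Cyrillic а and о
    "P.a.s.s.w.o.r.d expired, please verify",                           # dotted letters
    "\uff30assw0rd reset required",                                     # fullwidth P, zero for o
    "Pass\u200bword policy change",                                     # zero-width space
    "Lunch menu for Thursday",                                          # benign
]

if __name__ == "__main__":
    for line in SAMPLES:
        hits = find_keywords(line)
        print(f"{str(hits or 'clean'):<24} {line}")
```

Normalisation runs on the whole string, but the digit-for-letter tolerance lives only inside the keyword pattern, so a year in a legitimate subject is not rewritten into letters and then mis-matched.  For production use, replace the hand-picked `CONFUSABLES` dictionary with the full confusables data published with Unicode Technical Standard #39, which is what mail gateways and IDN checks draw on.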