Email thread hijacking (replies to old legitimate emails with malicious links or attachments)

If someone you know (or at least had previously written to) had their mailbox compromised, the malicious actor who compromised it may try to target you by taking an old legitimate email thread and sending a new reply with either a malicious link or attachment. This trick is called thread hijacking and attackers use it to make their phishing attempt look more legitimate.

Thread hijacking cases often link to malware, so be extra careful around links or attachments until you’re able to confirm they’re safe. Be wary of unexpected replies to email threads that are very old or replies whose contents don’t seem to match the context of the original email. If the reply seems off to you in any way, don’t click on any links or attachments until you can check with the person through a different contact channel that you know is safe (e.g., phone, video call or asking in person).

It can also be helpful to check the sender address for the reply. If it is unfamiliar or doesn’t match an email address that you already have for the person you had written to, the email is almost certainly a thread hijacking case.

Email thread hijacking example: a malicious actor has replied to an old legitimate email with a malicious link.

Subject: [EXT] [****-ugrad-dept-****] FW: *UPDATED FORM* [faculty redacted] Undergraduate Achievement Bursaries: Application forms 2021-2022
From: [redacted] Administrative Officer / UVic <EEmard@irorica*****.com>

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Hi there,

Please review some latest documents for your department project:

https://outlet******.cl/met/?76539721

If you’ll have any questions, Please contact me.

From: [faculty redacted] Deans Assistant
Sent: September 28, 2021 10:33 AM
To: [redacted]
Cc: [redacted]
Subject: *UPDATED FORM* [faculty redacted] Undergraduate Achievement Bursaries: Application forms 2021-2022

This year, 13 bursaries of $1,500 each will be awarded to exceptional students in the Faculty of [redacted]. Students should be advised to return completed forms to the Office of the Dean by November 1, 2021.

TERMS OF REFERENCE:

Achievement Bursaries recognize undergraduate students who have demonstrated outstanding commitment to the pursuit of excellence in their endeavors. [Redacted] and other areas where individual expression becomes public are recognised through these bursaries. Recipients must have demonstrated financial need and a minimum 3.5 sessional grade point average for students continuing at UVic, or a 70% admission average for students commencing post-secondary studies for the first time.

University officers will distribute application forms to prospective students, who will complete and return them to the Office of the Dean, Faculty of [redacted] by the deadline.

Student Letter

This phish preys on curiosity: the email body is empty, so there is no context as to why it was sent. The subject of the email has no meaning on its own; it is just a vague combination of words. There is no reason for anyone to open the attachment, except curiosity. When we couple curiosity with ignorance, it can lead to negative results, as it would in this case.

Hence, always look for warning signs in an email before taking any action, and think about whether you were expecting such an email. Never reply to the scammers asking for more information, as they intentionally give vague or no information. Never open attachments in an email unless you are sure it is not a phish, as it can lead to malware on your device.

Phish with subject "Student Letter" which only has an attachment and no email body.

Subject: Student Letter
Sender: Irene Vila Ardiaca <*****.udl.cat>
Attachment: 2023 Student Grant Approval.txt

Red Cross Part-Time Job

Today we received another variant of the Red Cross job scam phish. It uses a too-good-to-be-true offer to lure users. The sender email address is not an official Red Cross address, the signature is vague and does not represent an official authority, the email asks users to reply from their personal email (which is to evade UVic network detection), and the address to reply to is yet another email address external to the Red Cross.

Never send your personal information to such scammers, and always take the time to look for warning signs in an email. If you have already replied and/or sent your resume to this email, please reach out to the helpdesk.

Job scam phish with subject "Red Cross Part-Time Job" that lures users into giving personal information.

Subject: Flexible Part-Time Job
Sender: Noval Bawoel <****@iconpln.co.id>

The American Red Cross is hiring a Distribution Assistant for a part-time, home-based role with flexible hours and a weekly salary of $700. You’ll buy items online and deliver them to those in need in your local community, requiring 3 hours per day, three times a week. To apply, send your resume/application to Mathew Mammen at ****careers.com using your frequently used personal email.

Thank you for your interest.

Sincerely,

Mass Care Team
American Red Cross

_______________________________________________________________________
This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. PT. Indonesia Comnets Plus ( ICON+) is neither liable for the proper and complete transmition of the information contained in this communication nor for any delay and its receipt.

Document shared with you: “FALL FACULTY AGENDA 29 SEPTEMBER 2023.docx” or “Fall 2023 Key Dates, Fees & Registration Updates.docx”

Even if a document sharing email came from a legitimate service like Google Docs or Microsoft 365, you should still look at it carefully to make sure it’s legitimate. In this case, the phisher abused a compromised account from another university’s Google tenant to send a Google Docs phish. The phisher even used a UVic professor’s name to make the email look more legitimate.

Phishes like these can be trickier to spot, but as a start, be wary of document sharing emails that you weren’t expecting, especially if they don’t come from someone you know. If you spot a mismatch between who sent the file and who the email says the file is supposed to be from, that can often be a sign that it’s not legitimate. Similarly, if the file is supposed to be from within UVic but it was sent by someone outside of UVic, the email is very likely to be a phish.

Google Docs phish that came from outside UVic but claims to be a file from a UVic professor

From: K***** (via Google Docs) <drive-shares-dm-noreply@google.com>
Subject: Document shared with you: “FALL FACULTY AGENDA 29 SEPTEMBER 2023.docx”

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

K***** shared a document

Unknown profile photo

K***** has invited you to edit the following document:

Dr. L****** shared a file with you.

FALL FACULTY AGENDA 29 SEPTEMBER 2023.docx

Open [link]

If you don’t want to receive files from this person, block the sender from Drive.

Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
You have received this email because [redacted] shared a document with you from Google Docs. [Google logo]

16.89 % Salary Increase Letter 29 September 2023

We encountered a high-volume phish from a compromised account at another Canadian university, which tries to lure the user with a too-good-to-be-true offer of a salary increase. Phishing signs:

  1. Sender email address external to UVic, which wouldn’t be the case if it was an official UVic notice.
  2. Too good to be true offer, way too high an increase in salary.
  3. Generic salutation and signature.
  4. Grammatical and capitalization errors, and unnecessary use of accents in the text.

Always look for warning signs in an email, and never open attachments in a phish, not even out of curiosity, as it can lead to infecting your device. Always think about whether you were expecting such an email; if still in doubt, contact your departmental IT support or the helpdesk.

Subject: 16.89 % Salary Increase Letter 29 September 2023
Sender: [redacted sender email address]
Attachment: UVIC SALARY_protected.pdf

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Dear All,

Sequel to last wéék notification, find encloséd héré-undér the létter summarizing your 16.89 percent salary increase starting 29 September 2023

Αll documénts are enclosed héré-undér:

NOTE: Your Αccess is needed to go through the salary increment letter, Initial Αccess is Salary

Payroll & Employee Relations

 

Webmail account Validation for uvic.ca user(s)

This phish uses a sense of urgency and demands action from the user. There is no reason for users to click on links in emails like this one, which has obvious phishing signs: there is no context as to why the email was sent, the sender is external to UVic, there is no signature or salutation, and the link given is external.

Never click on links given in phishing emails, and always take a moment to look for warning signs in an email. Whenever in doubt, confirm with the helpdesk.

Phishing email with subject "Webmail account validation for uvic.ca user(s)" which has a phishing link to steal user credentials.

Subject: Webmail account validation for uvic.ca user(s)
Sender: ICANN Domain Validation <*****@nwebsupport.com>

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Verify your email address

To continue using your email account (*****@uvic.ca), please verify that this is your email address.

[Phishing link]

This link will expire in 3 days. If you did not make this request, please disregard this email.
For help, contact us through our Help center[Phishing link].

Part-Time Red Cross

Another run of the American Red Cross job scam, with a different subject and sender but the same agenda: to scam users. Please review the post below on how to spot phishing signs in such scams.

Flexible Part-Time Job

Job scam phish from external sender with subject "Part-Time Red Cross".

Subject: Part-Time Red Cross
Sender: Ratih Fidiawati <****@iconpln.co.id>

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

The American Red Cross is hiring a Distribution Assistant for a part-time, home-based role with flexible hours and a weekly salary of $700. You’ll buy items online and deliver them to those in need in your local community, requiring 3 hours per day, three times a week. To apply, send your resume/application to Mathew Mammen at ****careers.com using your frequently used personal email.

Thank you for your interest.

Sincerely,

Mass Care Team
American Red Cross

_______________________________________________________________________
This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. PT. Indonesia Comnets Plus ( ICON+) is neither liable for the proper and complete transmition of the information contained in this communication nor for any delay and its receipt.

pdf attachment in a legit looking email.

Malicious actors sent a batch of phish to UVic recipients today. The trick they apply is to reuse some authentic text sent by a UVic person. In some cases that’s a mass mail sent a year ago to hundreds of recipients; in some cases it is just somebody’s out-of-office message. In all cases they add a line of their own on top of the legitimate text: “please check the attachment”. The sender address is different. The display name may copy a name from the original email thread. The attachment itself contains a link to the actual malicious content. Screenshots of a few examples are shown below. The PDF attachments usually have a very short name of one or two characters (however, that doesn’t mean that every attachment with a long and meaningful name is legitimate). Be vigilant, apply common sense and don’t open attachments from suspicious emails (unknown sender, unsolicited, etc.).

 




 

The PDF itself looks like this:

Job Opening or Research Assistance

This job scam impersonates a UVic professor to make the job offer look legitimate. We have been continuously seeing these types of scams, so please pay attention to the phishing signs before taking any action. Here are some easy-to-spot phishing signs:

  • External email address, which wouldn’t be the case if it was coming from a UVic office.
  • Salary offered is too good to be true.
  • The email contains errors in punctuation and formatting.

Never reply to such scams and take a moment to look for warning signs. Most of these scams are to defraud you of money.

If you responded to the scammer, contact the Computer Help Desk for assistance, especially if you sent money or personal information. If you forwarded the email to other people, recall the message and warn the recipients as soon as possible.

Job scam email with subject "Job Opening" impersonating a UVic professor.

 

Subject: Job Opening
From:[professor name] <*****@gmail.com>

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

University of Victoria, Department of Psychology requires the services of students to assist with research projects on campus. The successful candidates will work closely with our research team to support ongoing data collection, and analysis . They are to work remotely and get paid $400 weekly.

Responsibilities:

Assist with the design and implementation of research projects on campus
Conduct literature reviews and summarize key findings
Collect and analyze data using appropriate statistical methods
Prepare and present findings to the research team
Perform administrative duties such as scheduling, data entry, and record keeping
Assist with writing research reports and manuscripts for publication
Recruit participants and conduct research studies
Qualifications:

Excellent organizational and time management skills
Strong attention to detail
Availability to work on campus or remotely
Proficient in Microsoft Office (Word, Excel, PowerPoint)
This is a part-time position with a flexible schedule, and the successful candidate will work approximately 7 hours per week. The position offers valuable research experience, and the opportunity to work with a dynamic and collaborative research team on campus.

To proceed with the application process and other eligibility descriptions, submit your resume for review and approval for the position.

Best regards,

[professor name]


Professor
Psychology


Office: COR ***

Flexible Part-Time Job

Yet another job scam impersonating yet another organization; it is the American Red Cross this time. As we have seen with other job scams, this one also offers a too-good-to-be-true salary for working very few hours.

Other indicators of this being a job scam are: the sender address does not come from an official Red Cross domain, the signature is vague and does not represent an official authority, the email asks users to reply from their personal email (which is to evade UVic network detection), and the address to reply to is yet another email address external to the Red Cross.

Never send your personal information to such scammers, and always take the time to look for warning signs in an email. If you have already replied and/or sent your resume to this email, please reach out to the helpdesk.

Job scam phish with subject "Flexible Part-Time Job" asking to reply with resume to a given external email address.

 

Subject: Flexible Part-Time Job
Sender: Ayu Kawis Dimarta <****@iconpln.co.id>

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

The American Red Cross is hiring a Distribution Assistant for a part-time, home-based role with flexible hours and a weekly salary of $700. You’ll buy items online and deliver them to those in need in your local community, requiring 3 hours per day, three times a week. To apply, send your resume/application to Mathew Mammen at ****careers.com using your frequently used personal email.

Thank you for your interest.

Sincerely,

Mass Care Team
American Red Cross

_______________________________________________________________________
This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. PT. Indonesia Comnets Plus ( ICON+) is neither liable for the proper and complete transmition of the information contained in this communication nor for any delay and its receipt.

Job Offer

This job scam phish was circulated over the weekend with all the hints of being a fraudulent job offer. The email does not mention which company the sender represents. The text gives very generic and vague information about the job. The salutation is generic, and the signature does not say who this person is. The text also has grammatical mistakes.

These fraudulent emails mostly end up stealing either your personal information or your money. Always take the time to look for red flags in an email before taking any action it mentions. Whenever in doubt, confirm with the helpdesk.

This Reddit post is also a good read. It was recently posted by UVic to make students aware of such job scams: https://www.reddit.com/r/uvic/comments/16dpau2/be_on_alert_job_scam_reddit_post/

Phish from external sender with subject "Job Offer" to lure students for fake part-time job.

Subject: Job Offer
Sender: Xi Zang <*****sol.net.pk>

Attn

We are currently recruiting companies/individuals on behalf of our textile company located in Chine for a number of account receivable agents in North America. As an Account Receivable agent, you will be responsible for collection of all account receivables due to the Company in North America to directly support sales operations. This position does not affect your current job or business operations. Please email us if interested in the role or have any questions on the role.

Note: Monthly salary/ commission Applied.

Regards,

Xi Zang

Uvic 2FA Salary Report For {username}@uvic.ca Completed 07 September, 2023 09:44:47 AM

This phish illustrates a recent phishing tactic that asks users to scan a QR code to open the phishing URL rather than providing the URL within the email body. This tactic is used to evade the network security in place. The principles for detecting the phish remain the same, as in this case:

  • The sender address is external and the sender name is fake.
  • No context is given in the email body as to why this email was sent to you.
  • No signature.
  • The URL in the QR code goes to an external site (checked responsibly by the infosec team).

Always take a moment before taking any action mentioned in an email: look for phishing signs and ask yourself if you were expecting such an email. If doubt still remains, confirm with the department or sender directly using other means of communication rather than replying to the phish email, or confirm with the helpdesk. It is always better to be safe than sorry.

Phish from external sender with phish link sent as QR code.

Subject: Uvic 2FA Salary Report For [redacted username]@uvic.ca Completed 07 September, 2023 09:44:47 AM
Sender: Payroll UPDATE for period ending 07 September, 2023 09:44:47 AM <redacted sender email address>

This message was sent with high importance.

[Image with Microsoft Teams logo and QR code.

Text in the image:
Scan the QR code with your CELL PHONE CAMERA to access your personalized performance review and Complete your salary review for timely payroll processing.

Please review security requirements within 72 hours to avoid delays.]

Confidentiality Notice: This Electronic message, together with its attachments, if any, is intended to be viewed only by the individual to whom it is addressed. It may contain information that is privileged, confidential, protected health information and/or exempt from disclosure under applicable law. Any dissemination, distribution or copying of this communication is strictly prohibited without our prior permission. If the reader of this message is not the intended recipient or if you have received this communication in error, please notify us immediately by return e-mail and delete the original message and any copies of it from your computer system.

09/04/2023

Even if an email came from within UVic, you should still examine it to evaluate whether it’s actually legitimate before you click on any links or attachments. In this case, a job scammer used a compromised UVic account to send out the fraudulent job offer below.

The email includes the following indicators that the offer is not legitimate:

  • Errors in grammar and capitalization
  • A generic signature that does not mention UVic, or give a specific contact person at either UVic or UNICEF
  • Instructions to contact somebody else using your “alternative email address” (i.e.: your non-UVic email address) – the scammer does this to move the conversation away from UVic email to evade detection
  • The weekly salary offered is quite generous and probably too good to be true, especially if it’s for a small number of hours per week doing simple tasks

Other red flags that are signs of a job scam:

  • You are told to reply to an email address from a free email provider like Gmail, Outlook, Hotmail or Yahoo
  • No interview is required to get the job
  • You do not get to meet your employer/supervisor virtually or in person before getting the job

Do not open the attachment or send a reply. If you did, reach out to the Computer Help Desk for assistance.

Job scam email pretending to be a work-from-home part-time job opportunity with UNICEF

Subject: 09/04/2023

Attachment: [Word document] UNICEF – Work from Home Ca.docx

To whom it may concern,

I am sharing a Job Information to students who might be interested in a Paid UNICEF Part-Time Job to make up to $500 CAD Weekly

Attached is further information about the employment schedule, if interested kindly contact Dr Nicholas Hoffman with your alternative email address for urgent details of employment

NOTE: THIS IS STRICTLY A WORK FROM HOME POSITION.

Regards,
Academy Career Opportunity

[ Systems Maintenance Update] Updating/ Accounts Migration

This phish is circulating today. It has no links; instead, well-crafted text tries to persuade the victim to send their credentials by clicking “Reply-To”. The sender address is spoofed so that the email looks like it is coming from the UVic Helpdesk. However, the Reply-To address is different and external. Note that the UVic helpdesk would NEVER ask for your credentials, neither by email nor by phone.
This is the first indicator that the email is a phish. Another typical tactic that we can see here is scare tactics: implying urgency with “your account will be deleted”, “act fast”, etc.
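
The header signs described here (a Reply-To that differs from the visible sender) and in the thread hijacking posts above (a familiar display name on an address you do not have on file) can be checked mechanically during mail triage. The sketch below is an added example, not UVic's own tooling; the example.edu, example.net and example.org addresses, the address book and the three sample messages are all constructed placeholders.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: constructed address book (display name -> addresses on file).
KNOWN_CONTACTS = {"pat lee": {"plee@example.edu"}}


def domain(addr):
    """Return the lower-cased domain part of an address ('' if none)."""
    return addr.rpartition("@")[2].lower()


def same_org(a, b):
    """Treat identical domains and parent/subdomain pairs as one organisation."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def triage(raw, known=KNOWN_CONTACTS):
    """Return the header warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    findings = []

    # Sign 1: replies would go to a different organisation than the visible
    # sender, which is how a credential request with a spoofed From collects
    # its answers. Mailing lists also rewrite Reply-To, so treat this as a
    # signal to review, not a verdict.
    reply_to = [a for _, a in getaddresses(msg.get_all("Reply-To", [])) if a]
    if any(not same_org(domain(a), domain(from_addr)) for a in reply_to):
        findings.append("reply-to-differs-from-sender")

    # Sign 2: the display name belongs to someone we already correspond
    # with, but the address is not one we have on file for them.
    on_file = known.get(" ".join(name.lower().split()))
    if on_file is not None and from_addr not in on_file:
        findings.append("known-name-unknown-address")
        # Sign 3: and the message arrives as a reply inside an existing thread.
        if msg.get("In-Reply-To") or msg.get("References"):
            findings.append("reply-in-thread-from-unknown-address")
    return findings


# Constructed sample: From spoofed as internal help desk, external Reply-To.
HELPDESK_SPOOF = """\
From: Computer Help Desk <helpdesk@example.edu>
Reply-To: accounts-team@mailbox.example.net
Subject: [Systems Maintenance Update]

Reply with your login details.
"""

# Constructed sample: old thread revived from an address not on file.
HIJACKED_THREAD = """\
From: Pat Lee <office@unrelated.example.org>
In-Reply-To: <20210928.1033@example.edu>
References: <20210928.1033@example.edu>
Subject: FW: Application forms

Please review some latest documents.
"""

# Constructed sample: the same contact replying from the address on file.
GENUINE_REPLY = """\
From: Pat Lee <plee@example.edu>
Reply-To: Pat Lee <plee@example.edu>
In-Reply-To: <20210928.1033@example.edu>
Subject: RE: Application forms

Forms attached as discussed.
"""

if __name__ == "__main__":
    for label, raw in [("spoof", HELPDESK_SPOOF),
                       ("hijack", HIJACKED_THREAD),
                       ("genuine", GENUINE_REPLY)]:
        print(label, triage(raw))
```

A hit on any of these signs is a reason to confirm with the person through a separate channel, as the posts recommend, not proof on its own that the message is malicious.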

..

UVic Computer Help Desk will be performing an emergency systems maintenance which includes Updating/Migrating Accounts, MyUVic & Email Symantec Endpoint Protection Communication to a new SPAM filtering service which will improve Barracuda Spam Firewall Email Security Overview and the ability to identify and block Spam / Phishing attempts and other undesirable messages that flood our email system / server on a daily basis.

We have seen a recent uptick in phishing/unauthorized entry on your account login details, and we want to alert you to follow the resources available to protect your account and the school mailing system. Please be informed that UVic Help Desk will delete any UVic NetLink ID, Account, MyUVic & Email Users account that does not adhere to this notice IMMEDIATELY as part of our (Inactive Accounts Email Security Overview) and clean-up process to enable service upgrade efficiency.

We request that you re-confirm your UVic NetLink ID ( Email Account Login Details) as requested below for Migration, Quarantine Exercise and Protection against SPAM by clicking the reply button and replying to this email with your active UVic NetLink ID login details as follows. (This will confirm your University of Victoria Account login/usage Frequency):

Click on the “reply” button and Confirm your UVic NetLink ID credentials;

*      NetLink ID:
*      Password:
*      Email ID:

By re-confirming your active UVic NetLink ID details as listed above, you have abide by the University of Victoria Communications Policy.

NOTE: We will Permanently deactivate and delete your UVic NetLink ID credentials if you do not adhere to this notice immediately as part of our Inactive UVic NetLink ID credentials clean-up process to enable service upgrade efficiency.

Thank you,
<name>
======================

Computer Help Desk
University of Victoria
Clearihue A037.

“Research Assistants Needed” or “Job Opening For Research”

Job scammers are once again impersonating real UVic professors when they offer fake research job positions. The red flags that indicate this offer is not legitimate are the usual ones:

  • The emails come from Gmail addresses. A legitimate UVic job offer should be announced from a UVic email address.
  • The salary offered is too good to be true given the very small number of hours per week to be worked.
  • The email contains errors in punctuation, spacing and capitalization.
  • In some cases, the name of the sender may differ from the professor mentioned in the email. Inconsistencies like this can be a sign that something is not right about the email.

Do not reply to these emails with your information. If you did, cease contact with the scammer and reach out to the Computer Help Desk for assistance.

First half of a job scam email from a Gmail address that impersonates a real UVic psychology professor

Second half of a job scam email from a Gmail address that impersonates a real UVic psychology professor

Subject: Research Assistants Needed
From: [professor name] <*******@gmail.com>

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

University Of Victoria , Department of Psychology requires the services of Graduate and Undergraduate students to assist with research projects on campus. The successful candidates will work closely with our research team to support ongoing data collection, and analysis . They are to work remotely and get paid $400 weekly.

Responsibilities:

Assist with the design and implementation of research projects on campus
Conduct literature reviews and summarize key findings
Collect and analyze data using appropriate statistical methods
Prepare and present findings to the research team
Perform administrative duties such as scheduling, data entry, and record keeping
Assist with writing research reports and manuscripts for publication
Recruit participants and conduct research studies
Qualifications:

Excellent organizational and time management skills
Strong attention to detail
Availability to work on campus or remotely
Proficient in Microsoft Office (Word, Excel, PowerPoint)
This is a part-time position with a flexible schedule, and the successful candidate will work approximately 7 hours per week. The position offers valuable research experience, and the opportunity to work with a dynamic and collaborative research team on campus.

To proceed with the application process and other eligibility descriptions, submit your resume for review.

Best regards,

[Redacted]

Position
Professor
Psychology
Contact
Office: COR ****