16.89 % Salary Increase Letter 20th June 2022

Yesterday evening we were hit with a massive phish, around 11k recipients.

Telltale signs:

  1. Giving you the bait of 16.89% salary increase. Too good to be true!
  2. Why would your salary increase notice be coming from ‘University of British Columbia’?
  3. Although the sender name says ‘University of British Columbia’, the email account behind it indicates University of Alberta.
  4. Generic salutation, ‘Dear All’.

Whenever you get such phish emails, STOP before taking any action and THINK about who would send you such an email if it were true. It would never be an external sender and would never have an attachment.

Never open any attachments unless you were expecting one.

The attachment actually leads to the following sign in page. Hence, this phish is after your credentials.

 

The attachment was opened by the InfoSec team in a safe and locked environment. Never be curious to do it yourself.

A new phish batch just arrived using a different ualberta account. The phishers corrected their mistake and changed the sender to ‘University of Victoria’, so as to appeal to our audience.

[URGENT] Case90079: University of Victoria [ ref:_00D80aRUX._5002H1OqfGP:re

As we were enjoying our weekend, phishers were busy phishing.

Sunday morning we received a large amount of phish, around 1K recipients. Telltale signs of this phish are: an outside sender pretending to be UVic finance payments, no greeting at all (not even a generic one), and a random attachment. The phisher was very thoughtful and included a disclaimer at the bottom saying that it is the responsibility of the recipient if the attachment has a virus and it affects your system.

Please never be curious and open attachments you were not expecting.

The attachment is a fake PDF document asking for your credentials to open it. Hence, this email was to phish for your credentials.

This attachment was opened by the Information Security Office in an isolated environment. Please never try to open such email attachments yourself, as it can affect your system and the UVic network.

 

Notification

A major phish hit was observed by the UVic community today.

This phish has the regular telltale signs: a generic greeting, a sense of urgency (your accounts would be deactivated if not validated), and a non-UVic sender that implies it is the UVic IT service desk while the email address is non-UVic. Hovering over the link reveals that it is not a UVic page, but the phisher tried to confuse by adding ‘uvic-ca’ to the URL.

Kudos to everyone who reported it!!!

Verification Notice

This is another phish that spoofs noreply@uvic.ca but actually came from outside of UVic, similar to yesterday’s spoof phish. The warning to take action within 48 hours is a ploy to get you to act hastily and click on the link. However, if you were to hover over that link, you would find that it does not go to uvic.ca.

WARNING – Immediate Action

This phish claims to be from noreply@uvic.ca but that has been spoofed; it actually came from a non-UVic source. Note the odd space in “sen der” in the green banner–this is a major sign that the banner is a fake one added by the phisher.

As always, hover over the link before you click to see where it goes. Despite the fact that it claims to go to uvic.ca, its actual destination was a non-UVic site.

IT Service Desk phish

IT Service Desk Phish

A very generic phish was received by a lot of UVic users today. Always hover over the actual link (or hold your finger on it on a phone) to see if it looks legitimate. Do not click if you are not sure, and ask your IT support professional for assistance.

ICT Service Desk !!!

If you get an email instructing you to click a link to update your account or password, and it came from a free email provider like Gmail or Outlook.com, you can be pretty certain it’s a phish.

BITCOIN ATM SURVEY

This Bitcoin scam email was sent from a compromised UVic account, and one red flag not included in the screenshot below would have been the mismatch between the name in the signature block and the name of the account used to send the email.

Payment confirmation

An email with a subject “payment confirmation” is circulating today. To avoid detection the malicious actors made a huge executable file (containing the malicious code) then put that executable file into a .iso file and then zipped that .iso.
The zip file is about 2Mb in size and attached to the email.
Please do not open these attachments! If in doubt, first ask your Desktop support person or the Helpdesk.

The screenshot below shows that the sender is an external one. As is usual for such campaigns, they used many different sender addresses.
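This kind of packaging can be flagged without running anything. The following is an added example, not UVic tooling: it inspects a zip attachment and reports members that are ISO 9660 disk images or that expand far beyond their compressed size. The 100x threshold and the sample file name are assumptions, and the sample is a constructed zero-padded blob, not the real attachment.

```python
import io
import zipfile

ISO_MAGIC_OFFSET = 0x8001  # "CD001" sits here in an ISO 9660 image
MAX_RATIO = 100            # assumed threshold for suspicious inflation


def audit_zip(data):
    """Return (member name, reason) findings for a zip attachment's bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Read only as far as the ISO signature; nothing is executed.
            with zf.open(info) as member:
                head = member.read(ISO_MAGIC_OFFSET + 5)
            is_iso = head[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + 5] == b"CD001"
            if is_iso or info.filename.lower().endswith(".iso"):
                findings.append((info.filename, "disk image inside archive"))
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                ratio = info.file_size // info.compress_size
                findings.append((info.filename, f"expands {ratio}x"))
    return findings


def build_sample():
    """Constructed stand-in: an 8 MiB zero-padded blob with an ISO signature."""
    blob = bytearray(8 * 1024 * 1024)
    blob[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + 5] = b"CD001"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payment confirmation.iso", bytes(blob))
        zf.writestr("readme.txt", "see attached")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in audit_zip(build_sample()):
        print(f"{name}: {reason}")
```

The check stops at the outer two layers; it does not parse the image to list the executable inside.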

ICT System Administrator

This phish has been circulating since early this morning. See a screenshot below.
As usual you are expected to act fast. Your password expires in 3 hours, and if you don’t act your account will be deleted in 4 hours?!? Isn’t that ridiculous?
The sender pretends to be a “System administrator connected to Microsoft Exchange”. They are clearly using some external address somewhere in Germany. They put themselves as the recipient and all other recipients received bcc: copies.

 


The link is external of course, and points to a fake login page that’s created to steal your credentials.

Please never click on suspicious links, don’t be curious. Sometimes these pages may contain malware to infect your machine instantly. Our experts open these in a dedicated isolated environment.
This particular fake page looks as shown below:

“your email” failed vulnerability check

This phish is circulating today. See a screenshot below.
Of course something must be wrong and of course you have to act fast. The sender pretends to be “uvic webmail support” but is clearly using some external address. Note how the malicious actor deliberately put spaces in some words in the message body in order to evade automatic detection of phish, e.g. in the words “vulnerability”, “click”, “below”, “validate”.

The link is external of course, and points to a fake roundcube mail page that’s created to steal your credentials.

Please never click on suspicious links, don’t be curious. Sometimes these pages may contain malware to infect your machine instantly. Our experts open these in a dedicated isolated environment.
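The spaced-out words described in this post defeat a plain keyword filter but are easy to catch with a whitespace-tolerant match. The following is an added example, not UVic tooling: it uses the four words named above and a constructed message body.

```python
import re

# The four words this post says were split with spaces.
KEYWORDS = ("vulnerability", "click", "below", "validate")


def exact_hits(body, keywords=KEYWORDS):
    """What a plain keyword filter sees: whole, unbroken words only."""
    return [w for w in keywords if re.search(rf"\b{w}\b", body, re.I)]


def split_hits(body, keywords=KEYWORDS):
    """Find keywords whose letters are separated by whitespace.

    Returns (keyword, text as written) pairs; intact words are not reported.
    """
    hits = []
    for word in keywords:
        # Allow optional whitespace between every pair of letters, and make
        # sure the match is not the middle of a longer word.
        pattern = r"(?<![A-Za-z])" + r"\s*".join(word) + r"(?![A-Za-z])"
        for m in re.finditer(pattern, body, re.I):
            written = m.group(0)
            if any(ch.isspace() for ch in written):
                hits.append((word, written))
    return hits


# Constructed sample body, modelled on the description above.
SAMPLE = (
    "Your email failed vulnera bility check. "
    "Cl ick the link be low to vali date your mailbox."
)

if __name__ == "__main__":
    print("plain filter:", exact_hits(SAMPLE))
    for word, written in split_hits(SAMPLE):
        print(f"split keyword {word!r} written as {written!r}")
```

A phrase such as “be low” can occur in legitimate mail, so a hit is best treated as one signal to score alongside the sender and link checks.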

Password notification May 02

Same old tactics – scare the user that something is wrong and must be dealt with fast, navigate to a fake page, steal your UVic credentials.

A screenshot of the phish message is shown below. The link in fact points to an external site (that can be seen when hovering with the cursor above the link, without clicking).

 

A screenshot of the fake page is shown below.

Please never click on suspicious links, don’t be curious. Sometimes these pages may contain malware to infect your machine instantly. Our experts open these in a dedicated isolated environment.

Email Deactivation Phish

A typical phish attempting to take advantage of similar, legitimate emails was received by a number of UVic users today. The example below, received by our Computer Helpdesk, shows how malicious actors attempt to hide that this is a fake email in the sender display name, the URL display name, and the body of the email. The link uses a URL shortener service and leads to a real-looking, UVic-branded login page, with your email prefilled in.
If you are not sure if an email is legitimate, ask your DSS, CHD or IT support expert for assistance!

2022 Employee Benefits Plan

Phishers are continuing to take advantage of the ongoing COVID-19 pandemic to try and get people to click the link. This phish also uses a URL shortener to hide the true destination of the link, which is a fake login page created by a free web form builder. Remember, always hover over the link to see where it goes before clicking, and be wary of shortened URLs in emails.