ADVANCE (WARNING)

This phish is circulating today. It applies the usual scammer tactic of scaring potential victims into believing that something is wrong and that they should act fast. The sender is external, and the link points to an external site designed to look like a UVic login page, with the goal of stealing your UVic credentials. Please do not be curious and do not click the links, because sometimes they may contain malware to infect your computer instantly.

Here is a screenshot and transcription of the phish:

Your University of Victoria account has been filed under the list of accounts set for deactivation due to retirement/graduation/or transfer of the concerned account holder. But the record shows you are still active in service and so advised to confirm this request otherwise give us reason to deactivate your account.

Please Verify your UVIC account immediately to avoid Deactivation Click

UVIC<link to external site>

Please note this one-time submission and entry only..

Warm Regards,
Office of the Registrar

Research Opportunity Available

Job scams are on the rise and UVic keeps getting newer and newer campaigns of such scams. There have already been many posts in the past about spotting job scams. Here are a few that can be checked out:

https://onlineacademiccommunity.uvic.ca/phishbowl/2024/03/14/your-invitation-to-participate/

https://onlineacademiccommunity.uvic.ca/phishbowl/2024/01/10/work-study-opportunity/

https://onlineacademiccommunity.uvic.ca/phishbowl/2024/01/29/stmicroelectronics-ltd-looking-for-representative-in-your-area/

Job scam impersonating UVic professor with subject "Research Opportunity Available".

 

Subject: Research Opportunity Available
Sender: Prof. Cl**** Ca**** <****@gmail.com>

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

University of Victoria, Faculty of Engineering and Computer Science is currently seeking the services of Research Assistants to join the Department of Computer Science under the supervision of Professor **** at the Software Engineering Global Interaction Laboratory for 6 hours weekly.
The primary Research is in the area of Natural Language processing (NLP) where our goal is to develop algorithms and systems that will vastly improve a users ability to find, absorb and extract information from online- text .
The group’s research generally proceeds at two levels; We focus both on building real systems for large-scale natural language processing tasks and on developing techniques to address underlying theoretical problems in the syntactic, semantic and pragmatic analysis of natural language
Responsibilities:
Assist with the design and implementation of research projects on campus
Conduct literature reviews and summarize key findings
Collect and analyze data using appropriate statistical methods
Graduate and Undergraduate students interested in working with Professor **** should submit a copy of their current course schedule and resume for review.

 

Best regards,

[redacted professor name]
Position
Professor
Computer Science
Contact
Office: ****

Notification for Refund Return

The tax return season has started, and scammers have begun exploiting this period again. Typically, they try to persuade you to click on a link by pretending that something was wrong with your tax return, or you need to “sign” something, as in today’s example.

Please stay vigilant, do not click on these links. They may contain malware to infect your computer instantly or they might be designed to steal your credentials.

Your request has been processed successfully and is now ready to be signed

Document online <link>

Please view your document securely using the following confirmation code :
050916

#Your Invitation to participate..

Job scammers are continuing to try to take advantage of students looking for extra cash to help pay for tuition, housing and other essentials in these times when the cost of living is so high. Below is yet another job scam that impersonates a real UVic professor.

For more information on job scams and how to spot them, see also these guides from CBC News and TD Bank.

Red flags to watch out for
  • The email came from a Gmail address. A real UVic job opportunity should be announced from a UVic email address. Ones that come from a free email provider like Gmail or Outlook are probably scams.
  • The pay is too good to be true for a part-time student job that requires no prior experience and is open to anyone.
  • The offer implies that there will be no job interview before you get assigned a work schedule. A legitimate job should give you a chance to meet the employer in person or on a video call before you accept an offer. If you are accepted without an interview, the job is very likely to be a scam.
  • The email asks you for an alternate email address and cell phone number. Scammers often do this to shift the conversation away from UVic email and evade monitoring.
  • The subject line contains punctuation errors.
Common methods that the scammers use to steal money from people who reply
  • They ask you to purchase gift cards from a local store and send photos of the cards with the PINs revealed. That gives the scammer the information needed to use the funds on the cards. The scammer will either not reimburse you at all or give you a cheque that will ultimately bounce a few days later.
  • They give you a cheque to deposit and tell you to transfer some of the funds to another person and keep the remaining funds (cheque overpayment scam). A few days later, the cheque will bounce, meaning the amount you transferred is gone from your own funds.

If you replied to the scammer, reach out to the Computer Help Desk immediately for assistance.

From: Dr. [redacted] PhD.
Subject: #Your Invitation to participate..

You don’t often get email from dg3******@gmail.com. Learn why this is important.

Hello,

If you may be interested in working as a temporary research aide collecting data remotely and earning $300 weekly, indicate interest by providing the required information below and I will send you a follow-up email detailing your work schedule.

This is an adaptable job that requires no prior experience irrespective of your major discipline.

Full Name:
Cell #:
Alternate email:

Regards,

Dr. [redacted] PhD.
Professor,
Health Information Science
HSD Building, A***
Victoria BC   Canada

Payment Confirmation

Always be wary of unexpected or unsolicited emails that contain attachments as they may contain malware. The vagueness and generic nature of this message should be a red flag and may be a ploy to get you to click on the attachment. Since the message does not address the recipient by name and provides no information about the supposed payment, it’s likely that it was a mass mailout and therefore not a legitimate invoice.

If you’re inclined to think that the attachment should be harmless because SVG is an image format, think again! SVG files can actually contain embedded scripts, meaning they can be laced with malware, which is definitely the case for this sample. If you clicked on this attachment, contact the Computer Help Desk or your department’s IT support staff immediately for assistance.
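To make the point about SVG concrete, here is an added example (not part of the original post, and not an analysis of this sample) of a triage check that reports why an SVG should not be treated as a passive image. The function names and the sample files are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Elements that can run code or embed foreign markup inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# URL schemes that execute or render supplied content when followed.
ACTIVE_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


def local_name(qualified: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1]


def scan_svg(data: bytes) -> list[str]:
    """Return the reasons an SVG attachment is more than a picture."""
    # Only plain UTF-8 is parsed, so the entity check below cannot be
    # sidestepped by a different encoding of the same markup.
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return ["not UTF-8 text (file not parsed)"]
    # Entity declarations can hide content from a scanner and can be used
    # for entity-expansion attacks on the parser, so refuse them outright.
    if "\x00" in text or "<!ENTITY" in text:
        return ["entity declaration or NUL bytes present (file not parsed)"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML ({exc})"]

    findings = []
    for element in root.iter():
        tag = local_name(element.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in element.attrib.items():
            name = local_name(attr).lower()
            # URL schemes are case-insensitive and browsers strip tabs and
            # newlines from URLs, so normalise before comparing.
            compact = "".join(value.split()).lower()
            if name.startswith("on"):
                findings.append(f"event handler '{name}' on <{tag}>")
            elif name == "href" and compact.startswith(ACTIVE_SCHEMES):
                findings.append(f"active-scheme link on <{tag}>")
    return findings


# Constructed samples; the script bodies are inert placeholders.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="navy"/>
</svg>"""

SCRIPTED_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="placeholder()">
  <script type="text/javascript">/* placeholder: would run when opened */</script>
  <a href="JavaScript:placeholder()"><text y="12">Invoice</text></a>
</svg>"""

ENTITY_SVG = (b'<!DOCTYPE svg [<!ENTITY x "y">]>'
              b'<svg xmlns="http://www.w3.org/2000/svg">&x;</svg>')

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG),
                          ("scripted", SCRIPTED_SVG),
                          ("entity", ENTITY_SVG)):
        print(label, scan_svg(sample) or "no active content found")
```

An empty result only means none of these constructs were found; it is not a verdict that the file is safe to open.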

Vague email claiming to be an invoice but the SVG attachment actually contains malware

From: allen.lopez@o******.com
Subject: Payment Confirmation

Attachment: [Generic file icon] RTVBAS05GDBA09.svg (2 KB)

Payment Received, attached is your invoice.

Phish with excel file attachment

A phish with an attached Excel file has been circulating this morning. It has different subjects such as “Fwd: Products#<random number>”, “PO# <random number>”, or “Scan#<random number>”.

These phishes are being sent by many different random senders. The email body also varies, but it generally mentions some payment that needs to be remitted. In any case, the attacker is luring users into opening the attachment so that malware can be installed on their devices.

Please be wary of email attachments and open only the ones you are expecting and that were sent by a known sender. If still in doubt, always confirm with the sender using known contact information.

Phish with malicious excel file attached.

Subject: PO# W1834414259
Sender: Mariana Benitez <****@minaretmusings.com>
Attachment: scan-28-02-24_591.xlsx

Dear,
Repairs made to both the tire changer and the balancer. 2024 spec updates for the alignment machine.
Your invoice-RCH224-735 for 2,560.31 is attached. Please remit payment at your earliest convenience.
Thank you for your business – we appreciate it very much.
Please make payable to our company.

“Hello!” or “Greetings!” job scam email

These job scam emails appear to have come from compromised accounts at another Canadian university. Always evaluate whether the content of the email looks legitimate, even if it came from what would normally be a reputable source (even if it came from within UVic!).

This email has many of the typical signs of a job scam:

  • The email directs you to reply to an AOL email address from your personal email. If you are asked to apply to a job by contacting an address from a free email provider, in all likelihood it’s a scam. The request to shift to personal email is a tactic to shift the conversation to a place that UVic can’t monitor.
  • The salary is too good to be true.
  • There are no details about what the job involves.
  • There are grammatical errors including mistakes in capitalization.
  • The email claims to offer a job with the World Food Programme, but they did not send the message and the name of the contact person doesn’t match the name of the sender of the email.

If you replied to the scammer, contact the Computer Help Desk immediately for assistance.

Job scam email claiming to offer a generously paid part-time job with the World Food Programme

From: [redacted]@**********.ca
Subject: Hello!

I am sharing job opportunity information to anyone who might be interested in a World food programme Part-Time job with a weekly pay of $600.00. If interested, kindly contact Dr. Mattias on his email address. b******b@aol.com for details of employment.

You can contact him from your private E-mail address only.

“Work-Study Opportunity” and similar job scam emails

These job scam emails are very similar to previous ones we’ve written about. Scammers are continuing to try to take advantage of students’ financial need by offering a relatively generous amount of pay for a small amount of remote work.

Other red flags:

  • The email came from a Gmail address. A real UVic job offer would come from a UVic email address. Job offers sent from addresses from free email providers are typically scams.
  • The name of the sender doesn’t match the name of the professor supposedly offering the job. Inconsistencies like this can be a sign of a scam.
  • The scammer wants to shift the conversation to Google Chat. This is a common tactic to move the conversation away from UVic email to evade monitoring.

As always, if you replied to this email, contact the Computer Help Desk immediately for assistance.

Job scam email impersonating a UVic geography professor, sent from a Gmail address

From: Nwabueze Ekene Precious <[redacted]@gmail.com>
Subject: Work-Study Opportunity

The service of a student is urgently required to work part-time as a student assistant and get paid $250 weekly. Tasks will be done remotely and work time is 8 hours/week. To apply, kindly submit your resume and a Google chat email address to the Department of Geography via this email address to proceed.

Sincerely
D***********
Professor
Department of Geography
Office: [redacted]

Please find the attached

Just because a message appears to come from within UVic doesn’t necessarily mean it actually did. This example actually came from an external source but spoofs a UVic sender address.

Always be wary of unsolicited or unexpected emails that contain attachments since the attached file may contain malware, as is the case with this email’s ZIP attachment. The brief, vague message body that gives no indication of what the supposed documents are about is an additional red flag. If you clicked on the attachment, contact the Computer Help Desk or your department’s IT support staff immediately for assistance.

Vague email with a spoofed UVic sender that contains a malware-laced ZIP attachment

From: *******@uvic.ca
Subject: Please find the attached

Attachment: [ZIP file] Docs.zip (3 KB)

Please find the attached documents.

Thanks.
Khelmer

You have got an urgent message from The University of Victoria

This targeted phishing email takes the unusual step of asking you to send a text message to a phone number. Trying to quickly shift to a different communication method is often a red flag; phishers (and scammers) do this to move the conversation to a place that UVic can’t monitor. Real UVic communications will never ask you to send a text message to upgrade/keep/secure your account, and the fact that the phisher is using a phone number with a New York City area code is a further sign that the email is not legitimate.

Other red flags include:

  • The email was sent from a Gmail account. Note how the email system has added a warning that you don’t often get email from this address; this can be a sign that the sender is not someone you know already and may not be trustworthy.
  • The greeting is impersonal.
  • The email threatens you with an adverse impact to try and get you to act hastily.
  • There are a few grammatical errors and awkward wording choices.

If you texted the phone number in the email, disregard any instructions in any replies you receive and block the phisher’s phone number. You will also need to keep an eye out for future attempts to phish or scam you via SMS or phone calls as your phone number would now be in the hands of someone malicious.

Spear phishing email claiming to be from UVic when it actually came from a Gmail address. Instead of including a link, it asks you to text an American phone number.

From: ke*****1280@gmail.com on behalf of University of Victoria <g1*****+UniversityofVictoria@gmail.com>
Subject: You have got an urgent message from The University of Victoria

[You don’t often get email from g1*****+universityofvictoria@gmail.com. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification]

Dear User,
This is to let you know that our web-mail server will be upgraded and maintained soon.

If you don’t want your e-mail account to be terminated during the upgrade,

Send your “UV-UPGRADE” to (646) ***-****

You will receive instructions on how to upgrade your account via text message.

If you do not comply with the above, your email access will be disabled.
Please accept our apologies for any inconvenience this may cause.

Regards
System Administrator
University of Victoria

Request for refund

This phish was received by many UVic mailboxes this morning. It seems to come from a UVic address, but there is no such address – it is spoofed by the external sender. However, they set an external “reply-to” address. Please do not reply with anything and do not open the attachment. The zip contains a malicious file loaded with trojans.
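The header patterns described in this post and in the earlier ones (a spoofed UVic "From" with an external "Reply-To", a Gmail sender using a University of Victoria display name, a message sent "on behalf of" another address) can be checked mechanically. The following is an added example, not part of the original post; the messages, addresses and flag names are constructed, and it assumes the Authentication-Results header was stamped by the recipient's own mail gateway.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

ORG_DOMAIN = "uvic.ca"
ORG_NAMES = ("university of victoria", "uvic")
FREE_MAIL = {"gmail.com", "outlook.com", "aol.com"}  # providers named on this page


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address."""
    return address.rpartition("@")[2].lower()


def is_org(domain: str) -> bool:
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)


def triage(raw_message: str) -> list[str]:
    """Return the sender red flags found in a message's headers."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    flags = []

    # Display name says UVic, but the address is somewhere else.
    if any(n in display.lower() for n in ORG_NAMES) and not is_org(from_dom):
        flags.append("display-name-claims-org")
    if from_dom in FREE_MAIL:
        flags.append("free-mail-sender")
    # Mail clients render a differing Sender header as "on behalf of".
    _, sender = parseaddr(msg.get("Sender", ""))
    if sender and sender.lower() != from_addr.lower():
        flags.append("sent-on-behalf-of")
    # Replies would go to a different domain than the visible sender's.
    replies = getaddresses(msg.get_all("Reply-To", []))
    if {domain_of(a) for _, a in replies if a} - {from_dom}:
        flags.append("reply-to-other-domain")
    # A UVic From address that fails DMARC was not sent by UVic.
    # Assumption: this header comes from our own gateway, not the sender.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    if is_org(from_dom) and re.search(r"\bdmarc=fail\b", auth, re.IGNORECASE):
        flags.append("org-from-fails-dmarc")
    return flags


# Constructed messages modelled on the patterns described in these posts.
SPOOFED_REFUND = """\
From: Accounts <no-such-office@uvic.ca>
Reply-To: refunds@mailbox.example
Authentication-Results: mx.example.org; spf=fail; dmarc=fail header.from=uvic.ca
Subject: Request for refund

Attached is the proof of the damaged item.
"""

GMAIL_IMPERSONATION = """\
From: University of Victoria <notices+UniversityofVictoria@gmail.com>
Sender: someone1280@gmail.com
Subject: You have got an urgent message from The University of Victoria

Dear User,
"""

INTERNAL_NOTICE = """\
From: Computer Help Desk <helpdesk@uvic.ca>
Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass
Subject: Scheduled maintenance

Details follow.
"""

if __name__ == "__main__":
    for name, raw in (("refund", SPOOFED_REFUND),
                      ("gmail", GMAIL_IMPERSONATION),
                      ("internal", INTERNAL_NOTICE)):
        print(name, triage(raw))
```

An empty list is not proof of legitimacy: as another post here notes, scam emails also arrive from compromised accounts, so the content still has to be judged.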

Hello!

I hope this email finds you well. I am writing this mail to inform you that the item i purchased has been damaged.
if i wish to return it and get a refund, i would like to know the procedure. I tried contacting the phone number, but
none of my calls was answered.

I would appreciate it if you could look into this and get in touch with me as soon as possible.

Attached is the proof of the damaged item.

Thanks.

Peterson Webley..

 

Please confirm receipt..

Always be extremely wary if you get an unsolicited email with a ZIP attachment, especially if the sender address isn’t one that you recognize. There’s a good chance the attachment contains malware, and that holds true for this example. The vagueness of the message and poor grammar are also red flags.

Do not click on the attachment–if you did, contact the Computer Help Desk or your department’s IT support person immediately! Also, do not forward these sorts of emails, even if your intent is to warn others, because forwarding the message inline will leave the attachment exposed where someone else can mistakenly click on it (it’s safer to send a screenshot instead).

Malicious email containing a malware-laced ZIP attachment.

From: ga******@******group.com
Subject: Please confirm receipt..

Attachment: [ZIP file] 87645345.zip (4 KB)

Hello,

Please acknowledge upon receipt of my today payment.
via (e-transfer)

Thanks

Irene Cordero.

You received a new Voice_message Phish

This phish has been making its way around many Canadian higher education institutions. It’s an email message asking you to click on a link to listen to a voicemail message.

The ‘This Message has been scanned by antivirus and its safe’ messaging is a commonly used hook to make the email appear more legitimate. Other tricks the attacker uses here include spoofing the sender name as ‘VoiceMail’, including the recipient’s email address as an ‘ID’, and including a nearly current date and time. The phishing email also attempts to convey urgency by stating the message will be deleted soon.

Some clear signs that this is a phish are that the sender is not from uvic.ca, and if you hover over the ‘Listen’ link (or long press on it on a mobile device), you can see it does not go to a uvic.ca website.

As usual, we recommend reporting phishing messages and deleting them. If you did click the link – even if you didn’t enter credentials – please change your passphrase and advise your IT support so they can check your device and advise Information Security to look for anything suspicious on your account and device.

 

STMicroelectronics Ltd Looking for representative in your area

Job scams have become common these days, trying to attract victims looking for part-time jobs to support themselves, especially in today’s tough financial times. Scammers take advantage of prospective candidates/victims by offering higher than expected pay for the amount of work required. If an offer seems too good to be true, it probably is.

The following job scam impersonates STMicroelectronics, offering a part-time job for enormously high pay. No matter what type of job scam it is or which organization is impersonated, the questions to ask yourself to spot these scams remain the same:

  1. Why are you receiving this email? Did you ever sign up to receive job offers from this organization, or apply to it? Try to think of a plausible explanation for why you got this email; if you can’t, it is a scam.
  2. If you can still think of a reason to go beyond the first point, look at the sender’s email address. Which domain (the part of the email address after the “@” symbol) is it coming from? Is it the same domain as the organization claiming to send this job posting? In this case, the domain should have been st.com, but the sender’s email address comes from a different one. One way of finding the real domain of an organization is to do a Google search for it.
  3. The salary offered is also a strong indicator of a scam. Generally, the salary offered is much higher than the minimum wage, for less work than a regular part-time job. Why are they offering such a high salary? The obvious answer is: to scam you.
  4. Try reading the job description. Are you able to make sense of what type of position is being offered? Usually it is described very ambiguously, giving you just enough that it sounds like some job but not what the job is. And they ask you to reply with your details first before revealing any more. Should you be applying for a job when you don’t know what the job is?
  5. A generic salutation is a sign of a mass email sent to unknown recipients, aimed at whoever will take the bait. This ties back to the question in the first point: is there a legitimate reason for you to be receiving this mass email? If not, it is a scam.
  6. Grammatical and spelling mistakes could be intentional, to dissuade the people who won’t eventually fall for the scam. Anyone who proceeds without spotting these mistakes is a potential victim whom the scammers can easily persuade. Sometimes these minor errors are made to make the email relatable or believable, as humans are prone to errors. Should a legitimate job posting have such errors? Coming from a large organization especially, wouldn’t it have been proofread?
  7. As is common with scams, they are always urgent. You need to take action urgently, because the people hiring are in urgent need. Such urgency is invoked so that victims don’t have time to think or question the legitimacy of the process. But you should always question before being hasty; always allow yourself time to think before it’s too late.

Hopefully the above questions give you perspective on how to judge the legitimacy of job offers and easily spot job scams. If you replied to this scam, contact the Computer Help Desk or your department’s IT support staff immediately for assistance.

Job scam impersonating STMicroelectronics with a too-good-to-be-true offer, with subject "STMicroelectronics Ltd Looking for representative in your area".

Subject: STMicroelectronics Ltd Looking for representative in your area
Sender: Robert Smith <****@spcc.edu.hk>

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Greetings,

Do you presently live in USA, CANADA or UK and would like to work part-timely from home? Then this is the opportunity you have been waiting for. Come join hundreds of our company representatives and you can earn $1000-$3000 weekly.

STMicroelectronics Ltd urgently requires reliable persons/companies who can act as RECEIVING OFFICERS for us from any of the above mentioned countries. He/she will act as a medium between our customers and us in their established area.

IMPORTANT NOTICE:

Please note that this service is based on part-time and will not affect your present job. Kindly reply with your full details as soon as you receive this notification.

Announcer,
Mr. Robert Smith
Human Resources Dept of STMicroelectonics Ltd
http:****

A view into a fake job scam

Scammers routinely attempt to target students with job scams, taking advantage of those trying to make ends meet or pay tuition and rent with a seemingly-attractive job offer.  In reality, the victim is asked to deposit a fake cheque and immediately send an e-transfer from their personal banking account.  Given the cheque is fake, the victim will see the deposit cancelled/reversed by the bank, and they will have lost their own personal funds.

Recently I had the opportunity to play the role of the victim using a persona configured for this purpose.  The following are some screenshots of SMS messages and emails that give insight into how the attacker works and how a victim might be fooled into giving up their hard-earned personal funds.

Note that some details have been redacted.  Also, do NOT try this yourself.  This is posted for educational purposes only.

A recent phishing attack included form fields for username, password, and cell phone number.  For this attack, a fake username and password were entered, as well as a temporary phone number from a SMS app.  A couple weeks after the data was entered into the form, I received a text at that temporary number.

 

The attacker tries to pivot off of @uvic.ca email so that the information security team can’t discover or block the fraudulent activity.  The use of SMS is also a common tactic for scammers to move the conversation off university infrastructure.  I had to quickly create a new Gmail address to engage with the scammer.

In my brand new Gmail account, I receive an email about the job offer.  “Mark” is careful to make sure I know why I won’t be interviewing in person (or by Zoom) just to make sure I won’t ask questions.  I carefully read the email, and then I respond with the requested information (plausible, but fake answers, knowing that Mark wouldn’t actually read them or care about them).

Date: January 19! , 2024
Hello Garry Zebaurelios
I would like to apologize about our unseemly approach if this interview conducting method is unprofessional to you or if you are new to all this, but we believe the world is always advancing and so it is important to stay on top of things as change is inevitable. This is going to be a chat interview as a result of the bulkiness and complexity of the messages and I believe you are ready for the job briefing.

Concerning the Personal Assistant Job that you have applied for. I am glad to congratulate you as your position has been confirmed. So sorry we couldn't meet up before you get started with work as I am presently away on a business trip in Australia  running some network programs. I will be back to the states in 3 weeks or less, but be rest assured that you can officially get started. As soon as I have arrived we can discuss more issues. I really need the helping hand on my daily schedules. Working remotely as Part time/Full time Personal Assistant.

NB : There will be no Interview till I'm back in person.

Duties and Responsibilities:
* Donations
* Schedule Meetings
* Booking Travels and Accommodations
* Perform Market Research Where Applicable
* Purchase Supplies

First Task: 
However, your first tasks for this week will be as follows. You will be booking a reservation for some of my guests for an upcoming event which is taking place next week. Further instructions as to how to make the reservations will be forwarded to you before the end of the week. However, the funds to book for the reservation plus your payment for your first task will be sent to you via a cashier's check. Any other task arising will be duly communicated to you also. So I'll need you to be on-time and prompt with your response to my mails.

* Firstly I would like you to attach a copy of your resume.
* Your Full Name that will be on the Check Payment(First and Last Name)
* Do you have an existing savings/checking account where you will deposit your check? (If YES What's the bank name)
* Reconfirm your present local address for mail delivery.
* What is your Mobile # that receives text messages?
* Do you know how to initiate a mobile deposit?
* What is your mobile daily deposit limit?

Kindly make sure you acknowledge this email as that will re-confirm your readiness and willingness to proceed. Make sure to constantly look at my email and will be on stand-by to receive future instructions. 

I will be expecting your prompt response to my email in order to attest to the receipt of my messages.

Thank you.
Regards mark begger

 

And there it is!  I’ve gone through the very difficult interview process and have now become Mark’s employee.  And I’m really looking forward to my 401k (a US financial instrument, even though I’m Canadian), multiple employment benefits, and a sign-on bonus!  All for $450 per week.  Time to quit my CISO job for the lucrative opportunity….

 

Of course, I have to be polite and let Mark know how excited I am.  I wonder if he knows how “schmincere” I really am.

 

I am soooooo ready for the first task as my boss’s new personal assistant.

 

 

Amazingly, Mark emails me instructions on how to do a mobile deposit for the fake cheque using two devices.  The support and instruction is superb for a new employee.

 

While I review the instructions, Mark pretends to have the bank endorse the cheque, so that I will be more comfortable doing the mobile deposit.  Knowing the bank has blessed it makes me feel so much better.  And of course, he gives me some great instructions on how to deposit, just so I get it right.  Maybe Mark has worked at a help desk before.

 

Here is where it gets even more interesting.  Mark emails me an image of a cheque from Royal Bank (I had indicated in my job application that I banked at Royal Bank).

The cheque appears to be plausible, if not legitimate.  The transit numbers were validated using an online bank routing database, and matched the branch address information on the cheque.  The names and address of the people on the cheque seem to be real, or at least based on a real person, from what I could tell from searches of Google and Google Maps.

For most people, this looks like a legitimate cheque… except that it’s a picture of a cheque, not a paper one.  (Note that I’ve reported this to Royal Bank.)

 

Now that I have some interesting information from Mark, I wanted to play a little and see if he noticed I was on to the scam.  I don’t think he picked up on the confirmation number I received when I “deposited” the cheque.

 

Mark’s name shockingly didn’t match the names on the cheque, so of course I had to see what reason he would give for that…

 

Mark still hasn’t told me what kind of business he is in, so I ask him, and of course it doesn’t even match the kind of business mentioned on the fake cheque.  Clearly he doesn’t want to share lots of detail, and he has an urgent job to do.  He provides me the name and email address to which I need to send an e-transfer.  (I’ve reported this to Interac support for their awareness and action.)

 

We suspect this threat actor is possibly of Nigerian origin, based on some past activity.  I decided to see if Mark would get another hint that I knew it was a scam, by mentioning Black Axe, which is a notorious Nigerian crime organization.

 

Mark is too busy for small talk and personal chatter.  I dropped another hint for him.  Air Lords are another known Nigerian criminal organization.  Perhaps Mark isn’t familiar with them, or maybe he’s not really reading what I’m saying.

 

Earlier Mark had sent me the name and email address of the person to whom I was supposed to send the e-transfer.  I looked up the person’s name on social media, and came back with several results, with multiple profiles indicating they lived in a particular town in Nigeria (surprise!).  So, I used that town name as a confirmation code.  I wonder if Mark started to suspect something…

 

I think he’s on to me….

Mark and I eventually got tired of each other, and the conversation ended up dwindling after nearly 24 hours.

Hopefully this gives some insight into how someone could become a victim of such a scam and how the scammer tries to extract money from victims.