"Library Notice" Phishing Advisory
Description
This attack sends low-volume, highly-targeted, socially engineered emails that eventually trick students into handing over their login credentials.
Such highly tailored messages have been delivered to students at the University of Regina. These messages persuade users to log in to their library accounts, and appear as follows:
Sent to: uregina.ca Student Email Address
Sent from: uregina@hku.hk (or similar address attempting to appear as an actual uregina.ca address, but is from an external source).
Email Subject: Library Notice

Dear Student,

This is an automatically generated email from IT Services, University of Regina.

IT Standard for Computer Passwords and System Access Controls state that an appropriate library access renewal process is implemented at University of Regina.

Our records indicate that your library enrollment is set to expire on December 30, 2019 12:00.

For security reasons, please click the URL link below to update your library enrollment:

URegina Library (Link to a look-a-like login page)

If you have not renewed your library enrollment by the date mentioned above, your access to the library and its associated services will expire.

If you have any questions arising from this message, please contact the Library Helpdesk.

For a list of the current library online services, please visit: https://www.uregina.ca/library/services/index.html

Yours sincerely,
If a student clicks on the link in the email, they will be taken to a fraudulent phishing portal, which will appear similar to the library login page. However, this login portal will capture any usernames and passwords entered and use them maliciously.
The login page will appear as follows, but note that this is not on a uregina.ca domain, rather, a domain attempting to trick users into thinking it is a uregina.ca page. In this case, the fake login page is hosted on tyll.cf:
Impact
- Students may receive an unsolicited e-mail appearing to be from the University of Regina. A typical phishing e-mail will give you a phoney reason, such as an expiring account, to trick you into providing your personal information.
- The e-mail will often include a reason that urges you to reply with confidential information or click on a link that takes you to a fake website.
- That fake website will look authentic by copying the appearance and logo of the real organization such as the University of Regina.
- This phoney site will ask you for personal information such as library account numbers, names, usernames, or passwords.
- Users are tricked into believing they are giving their information to the University of Regina; instead, it is provided to a fraudster!
If any information has been provided, such as library card numbers or passwords, the account can be considered compromised and will require remediation, such as password changes.
Resolution
If in doubt regarding the contents of an email message or login webpage, contact the Information Technology Support Centre to help you evaluate the legitimacy of such questionable content.
If you discover a fraudulent looking message or website, report it to the Information Technology Support Centre. Sharing such messages allows us to block them from reaching other targets.
If you believe you may have provided confidential information in response to a phishing e-mail, contact the Information Technology Support Centre immediately.
Guidelines:
- Never provide information over the Internet in response to unsolicited e-mails.
- Play it safe! If you’re not sure of the source of an e-mail or if it looks suspicious, don’t open it.
- Be cautious! Even if a sender's e-mail address appears to contain uregina, do not rely on that alone because addresses may be from another domain or may be spoofed.
- Pay attention to the contents of the e-mail and be careful of any embedded links.
- Never click on a link in an e-mail that you suspect may be fake.
- Be sure! If you are unsure whether you are on a legitimate website, reopen your internet browser and type the known good URL, such as www.uregina.ca, in the address bar yourself. Always verify that this is a valid uregina.ca domain - this can be done by browsing to the University’s website directly.
- Be alert! Just because an e-mail or website appears to be legitimate doesn't mean it is. Phishing schemes are designed to look real to trick users into divulging personal information for the purpose of financial fraud or identity theft.
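The sender and link checks in these guidelines can be automated for triage. The following is an added example, not part of the original advisory: it tests whether a From address and the links in a message really belong to uregina.ca instead of merely containing the name. The function names and the sample message are constructed for illustration; since a From address can be spoofed, a passing sender check alone proves nothing.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "uregina.ca"  # the only domain the advisory treats as legitimate

def host_is_trusted(host, trusted=TRUSTED_DOMAIN):
    """True only for the trusted domain itself or a real subdomain of it."""
    host = (host or "").rstrip(".").lower()
    # Compare on a label boundary: "noturegina.ca" and "uregina.ca.tyll.cf"
    # both contain the trusted name but are not under it.
    return host == trusted or host.endswith("." + trusted)

def sender_is_trusted(from_header):
    """Check the domain of the address in a From header, not the display name."""
    _, addr = parseaddr(from_header)
    local, sep, domain = addr.rpartition("@")
    return bool(sep and local) and host_is_trusted(domain)

def link_is_trusted(url):
    """Check where a link really goes: https scheme and a trusted hostname."""
    parts = urlsplit(url)
    # .hostname drops any "user@" prefix, so "https://www.uregina.ca@tyll.cf/"
    # is judged by tyll.cf, the host the browser would actually contact.
    return parts.scheme == "https" and host_is_trusted(parts.hostname)

def review_message(from_header, links):
    """Return a list of reasons the message should be treated as suspicious."""
    reasons = []
    if not sender_is_trusted(from_header):
        reasons.append("sender domain is not uregina.ca: " + parseaddr(from_header)[1])
    for url in links:
        if not link_is_trusted(url):
            reasons.append("link does not lead to uregina.ca: " + url)
    return reasons

# Constructed sample modelled on the message described in this advisory.
SAMPLE_FROM = "University of Regina <uregina@hku.hk>"
SAMPLE_LINKS = [
    "https://tyll.cf/",  # host named in the advisory; path not given there
    "https://www.uregina.ca/library/services/index.html",
]

if __name__ == "__main__":
    for reason in review_message(SAMPLE_FROM, SAMPLE_LINKS):
        print(reason)
```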
Resources
External Resources:
This attack has targeted many institutions:
- Library-Themed University Phishing Attack Expands to Massive Scale: https://threatpost.com/library-themed-university-phish-expands/148288/
- Back-to-School Scams Target Students with Library-Themed Emails: https://threatpost.com/back-to-school-scams-students-library-emails/148077/
- COBALT DICKENS Goes Back to School…Again: https://www.secureworks.com/blog/cobalt-dickens-goes-back-to-school-again
Internal Resources:
University of Regina Phishing Guidelines: https://www.uregina.ca/is/security/resources/resource-phishing.html
Free Online Information Security Awareness Training for Students, Staff, or Faculty: https://www.uregina.ca/is/security/security-awareness-training.html
If you are unsure if an email is fraudulent or would like to report a phishing attempt to your @uregina.ca email account, please contact the IT Support Centre:
- Email: IT.Support@uregina.ca
- Phone: 306-585-4685
- Toll-free in Canada: 1-844-585-4685
- In person at ED 137 or Archer Library