Phish Alert - 'E-mail Notification'

Threat Level: Medium
Threat Type: Phishing
Advisory Date: 07/13/2023

Description

Recently, many uregina.ca email addresses were targeted with a phishing email.

The email appeared as follows:

The link in the email led to an external phishing portal, which is designed to look like a webmail login. Any credentials entered into this portal were at risk of credential theft.

Impact

There are several ways to identify that this email is not legitimate.

1) The link provided in the email does not go to a URL starting with https://www.uregina.ca. The link in the message goes to an external website, which is not related to the University. This can be determined by hovering over the link with your mouse cursor to reveal the destination of the link.

In this case, this external domain (as circled in red) is clearly unrelated to the University as it does not appear at a valid University domain/URL.

2) The email appears to come from the address "noreply@uregina.ca".  This address is spoofed, as it does not originate from a valid uregina.ca address.  This can be determined by looking at the email header, which provides additional details about the message.  

To view the header, click on "Message Source" in GroupWise (as circled in blue, below). Within other email programs, headers can be viewed through an option such as "View Headers" or similar.

Note that the return path does not equal the sender, or a University of Regina domain (uregina.ca) address. This lack of alignment between the sender name (noreply@uregina.ca) and the return-path name (apache@24broker.ro) is a strong indicator that this message is not from who it purports to be.
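The two checks described above (link destination and From/Return-Path alignment), as an added example that is not part of the original advisory. The sample message is constructed: only the two addresses come from the advisory, and the link host, body text and all function names are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = "uregina.ca"
# Constructed sample. Only the From and Return-Path addresses come from the
# advisory; the body text and link host are placeholders.
SAMPLE = """\
Return-Path: <apache@24broker.ro>
From: noreply@uregina.ca
Content-Type: text/html; charset="utf-8"

<p>Sign in: <a href="https://portal.example.net/login">webmail</a></p>
"""

def domain_of(header_value):
    """Domain part of an address header, lower-cased; '' if absent."""
    _, at, dom = parseaddr(header_value or "")[1].rpartition("@")
    return dom.lower() if at else ""

def in_domain(host, trusted=TRUSTED):
    """True only for the trusted domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def check_message(raw, trusted=TRUSTED):
    msg, findings = message_from_string(raw), []
    from_dom, rp_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    # Indicator 2: the sender claims the trusted domain but bounces go elsewhere.
    if in_domain(from_dom, trusted) and not in_domain(rp_dom, trusted):
        findings.append(f"From claims {from_dom}; Return-Path is {rp_dom or 'missing'}")
    links = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            data = part.get_payload(decode=True) or b""
            links.feed(data.decode(part.get_content_charset() or "utf-8", "replace"))
    # Indicator 1: the real link target (href), not the visible text, decides.
    for href in links.hrefs:
        url = urlparse(href)
        if url.scheme in ("http", "https") and not in_domain(url.hostname, trusted):
            findings.append(f"link leaves {trusted}: {url.hostname}")
    return findings
```

Calling `check_message(SAMPLE)` returns one finding for the misaligned Return-Path and one for the external link.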

There are multiple other indicators users should be aware of that show this is a scam message:

  • The message uses poor grammar and capital letters throughout.
  • The phishing page hosted at the link contains poor grammar, advertisements, and requests information such as domain which is not required for a legitimate password reset.
  • University of Regina Information Services will never ask you to provide your password in email like this in order to restore access to any affected service.
  • There is language in the email requesting immediate action.

Resolution

If you received this message, please delete it immediately if you have not already done so. If you inadvertently clicked a link and entered your credentials, please change your password right away to a new, unique password. If the exposed password is reused on other accounts, it is important that these account credentials also be updated. Any credentials entered into the phishing portal can be considered breached.

  • Go to the Information Services homepage at http://www.uregina.ca/is and click "Change Password" in the Quicklinks on the right side.
  • Additionally, if malware protection is not installed, up to date/current, or is not running, it is recommended that you ensure a malware scan has been completed.

Resources

More phishing-related information such as "How can I tell if the message is real?" and "What should I do if I suspect email phishing?" can be found at the Phishing Information resources page.

If you receive a message that you are unable to determine the legitimacy of, please contact the IT Support Centre:

In person at ED 137 or Archer Library Main Floor Commons