"Library Notice" Phishing Advisory

Threat Level: Medium
Threat Type: Credential Phishing
Advisory Date: 07/13/2023

Description

Silent Librarian/Cobalt Dickens attacks are targeting university students in full force with a revamped phishing campaign. The threat group, aiming to steal student login credentials, is using new tricks that bring more credibility to its phishing emails and help it avoid detection. This advisory is intended to help targeted users be aware of and recognize such an attack.

This attack sends low-volume, highly-targeted, socially engineered emails that eventually trick students into handing over their login credentials.

Such highly tailored messages have been delivered to students at the University of Regina. These messages persuade users to log in to their library accounts, and appear as follows:

Sent to: uregina.ca Student Email Address

Sent from: uregina@hku.hk (or a similar address that attempts to appear as an actual uregina.ca address but is from an external source).

Email Subject: Library Notice

Dear Student,

This is an automatically generated email from IT Services, University of Regina. IT Standard for Computer Passwords and System Access Controls state that an appropriate library access renewal process is implemented at University of Regina. Our records indicate that your library enrollment is set to expire on December 30, 2019 12:00. For security reasons, please click the URL link below to update your library enrollment:

URegina Library (Link to a look-a-like login page)

If you have not renewed your library enrollment by the date mentioned above, your access to the library and its associated services will expire. If you have any questions arising from this message, please contact the Library Helpdesk. For a list of the current library online services, please visit:

https://www.uregina.ca/library/services/index.html

Yours sincerely,
University of Regina Library
University Drive North, 
3737 Wascana Pkwy, 
Regina, SK S4S 0A2,
Canada
libraries@uregina.ca

 

If a student clicks on the link in the email, they will be taken to a fraudulent phishing portal, which will appear similar to the library login page. However, this login portal will capture any usernames and passwords entered and use them maliciously.

The login page will appear as follows. Note that it is not on a uregina.ca domain but on a domain attempting to trick users into thinking it is a uregina.ca page. In this case, the fake login page is hosted on tyll.cf:

Impact

  • Students may receive an unsolicited e-mail appearing to be from the University of Regina. A typical phishing e-mail will give you a phoney reason, such as an expiring account, to trick you into providing your personal information.
  • The e-mail will often include a reason that urges you to reply with confidential information or click on a link that takes you to a fake website.
  • That fake website will look authentic by copying the appearance and logo of the real organization such as the University of Regina.
  • This phoney site will ask you for personal information such as library account numbers, names, usernames, or passwords.
  • Users are tricked into believing they are giving their information to the University of Regina; instead, it is provided to a fraudster!

If any information is provided, such as library card numbers or passwords, the account can be considered compromised and will require remediation, such as password changes.

Resolution

If in doubt regarding the contents of an email message or login webpage, contact the Information Technology Support Centre to help you evaluate the legitimacy of such questionable content.

If you discover a fraudulent-looking message or website, report it to the Information Technology Support Centre. Sharing such messages allows us to block them from reaching other targets.

If you believe you may have provided confidential information in response to a phishing e-mail, contact the Information Technology Support Centre immediately.

Guidelines:

  • Never provide information over the Internet in response to unsolicited e-mails.
  • Play it safe! If you’re not sure of the source of an e-mail or if it looks suspicious, don’t open it.
  • Be cautious! Even if a sender's e-mail address appears to contain uregina, do not rely on that alone because addresses may be from another domain or may be spoofed.
  • Pay attention to the contents of the e-mail and be careful of any embedded links.
  • Never click on a link in an e-mail that you suspect may be fake.
  • Be sure! If you are unsure whether you are on a legitimate website, reopen your internet browser and type the known good URL, such as www.uregina.ca, in the address bar yourself.  Always verify that this is a valid uregina.ca domain - this can be done by browsing to the University’s website directly.
  • Be alert! Just because an e-mail or website appears to be legitimate doesn't mean it is. Phishing schemes are designed to look real to trick users into divulging personal information for the purpose of financial fraud or identity theft.
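
The domain check described in the guidelines above can be automated when triaging a reported message. The following is an added example, not part of the original advisory or any University of Regina tooling; the display name, the example.net link and the function names are constructed for illustration, while uregina@hku.hk, tyll.cf and the library services URL come from the advisory.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "uregina.ca"  # the university's real domain, per the advisory


def in_trusted_domain(host: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True only if host is the trusted domain itself or a subdomain of it."""
    host = host.strip().rstrip(".").lower()
    # The leading dot matters: it stops any other domain that merely
    # ends in the same letters from matching.
    return host == trusted or host.endswith("." + trusted)


def sender_domain(from_header: str) -> str:
    """Domain part of the address in a From header ('' if there is none)."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def link_host(url: str) -> str:
    """Host name a browser would connect to for this URL ('' if none)."""
    return (urlsplit(url).hostname or "").lower()


def review(from_header: str, links: list[str]) -> list[str]:
    """Return one finding per sender or link that is outside the trusted domain."""
    findings = []
    dom = sender_domain(from_header)
    if not in_trusted_domain(dom):
        findings.append(f"sender domain {dom!r} is not {TRUSTED_DOMAIN}")
    for url in links:
        host = link_host(url)
        if not in_trusted_domain(host):
            findings.append(f"link host {host!r} is not {TRUSTED_DOMAIN}")
    return findings


# Constructed sample message: address and hosts as noted in the lead-in.
SAMPLE_FROM = "University of Regina Library <uregina@hku.hk>"
SAMPLE_LINKS = [
    "https://www.uregina.ca/library/services/index.html",  # genuine link
    "http://tyll.cf/",                        # host named in the advisory
    "https://uregina.ca.example.net/login",   # constructed look-alike
]

if __name__ == "__main__":
    for finding in review(SAMPLE_FROM, SAMPLE_LINKS):
        print(finding)
```

A message that passes this check is not thereby legitimate, because the From header can be spoofed; the check only catches the external-domain pattern shown in this advisory.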

Resources

External Resources:

This attack has targeted many institutions:

Internal Resources:

University of Regina Phishing Guidelines: https://www.uregina.ca/is/security/resources/resource-phishing.html

Free Online Information Security Awareness Training for Students, Staff, or Faculty: https://www.uregina.ca/is/security/security-awareness-training.html

If you are unsure if an email is fraudulent or would like to report a phishing attempt to your @uregina.ca email account, please contact the IT Support Centre: