Today’s phishing attack takes the form of an invoice apparently sent by a “colleague”. Because this comes from a “Doctor” and the e-mail message tone is not formally worded, it can often be misconstrued as legitimate and can be trusted.

This is a common phishing scam. The attachment is a fake invoice that, when opened, will infect your computer with malware, which gives the criminals access to your personal information, but primarily to steal online banking details.

Some departments within the university are particularly vulnerable because they may receive invoices regularly from a number of sources.

The email may appear as if it was sent by a well-known supplier or other trusted source. (in this case a so-called “Doctor” with a uniquely South African surname) Often the email address of a legitimate supplier or a colleague or friend will be mimicked or “spoofed” in a bid to trick you into thinking the invoice is genuine.

The attached invoice will look like a standard document or spreadsheet, however, to view the file you must enable a “macro”, which is a set of pre-programmed instructions for a computer. This macro installs the malware, which can infect the university network.

In the case below, you are directed to a website which tries to open up an infected “Word” document that records your online banking details, along with other financial information, before sending it on to the criminals who then attempt to steal money from your accounts.

—–Original Message—–

From: Cornelissen

Sent: 18 September 2017 03:56 PM

To: University Address <Your e-mail address>

Subject: Invoice #66633 (This number random and will change)

Hello,

I’ve tried to call you but couldn’t get thought. Need to know the status of this invoice I’ve sent to you a while ago. provided a copy below.

Invoice #66633:

Phishing site address

(Your name will go here)

Kind Regards,

Cornelissen, LM, Dr

Here are some handy tips to detect and deal with this “fake invoice” phishing scam.

• Be on the lookout for unexpected invoices or unusual payment requests.
• Avoid enabling any macros on an untrusted document.
• If you’re suspicious – don’t reply to the email but instead call your supplier on the number that you have on file to check the authenticity of the invoice.
• Ensure you have the latest anti-virus and security updates installed on your computer and consider using high-level macro security settings in software applications.
• Ensure strong firewalls are in place to help detect malware and prevent data leaving the network without permission.
• Consider using a separate computer dedicated to making online payments to minimise security risks, especially if you use personal Facebook or other social media sites.

[ARTICLE BY DAVID WILES]

A phishing attack on Stellenbosch University via an internal sun email address was launched again early this morning. See the example below with dangerous links removed.

Unfortunately, this email used our own template to lure you into trusting it. Take note that we will never ask you to update your information in this way.

Please do not click on this email, do not fill in your personal information and delete the email immediately. If you follow the link and supply your information, it will be used by phishing criminals to gain access to your personal information, including your bank details.

If you have any inquiries, please let us know by logging a request on ServiceNow or calling our Service Desk at 808 4367. For more information on this and other phishing attacks, refer to our blog and Twitter account.

The university is in the middle of a serious spear-phishing attack and is the direct target of a group of criminals who have registered and set up a South African website to fool university users into providing their e-mail addresses, usernames and passwords. 

Undoubtedly the same criminal cartel is now using e-mail accounts that were compromised in the last attack. (This time a senior lecturer at Stellenbosch Campus) The registered a South African domain name and have disguised the website to look like the university’s WebMail Login page.

Spear phishing is an email-spoofing attack that targets a specific organization or individual like the university and is not typically initiated by random hackers, but by perpetrators out for financial gain. As with emails used in regular phishing expeditions, spear-phishing messages appear to come from a trusted source. This case a sun.ac.za address. The apparent source of the email is likely to be an individual within the recipient’s own company — generally, someone in a position of authority — or from someone the target knows personally, thus its potential danger.

It is important that you do NOT click on any of the included links in the mail or enter your username or password. You should never do this at any time, as Information Technology would never ask you to do so!

Just because the mail looks legitimate and the web page *looks* like it is genuine, does not make it so.

If you have received mail that looks like this please immediately report it to the Information Technology Security Team using the following method:

Send the spam/phishing mail to help@sun.ac.za

If you did click on the link of this phishing spam and unwittingly give the scammers your username, e-mail address and password you should immediately go to http://www.sun.ac.za/useradm and change the passwords on ALL your university accounts (making sure the new password is completely different, and is a strong password that will not be easily guessed.) as well as changing the passwords on your social media and private email accounts (especially if you use the same passwords on these accounts.)

Please be careful out there. These criminals are now targeting the university, no doubt based on their past successes. Keep alert and on the lookout.

[Article by David Wiles]

A phishing attack on Stellenbosch University via an internal sun email address was launched this morning. See the example below. (links have been removed)

Please do not click on this email, do not fill in your personal information and delete the email immediately. If follow the link and supply your information, it will be used by phishing criminals to gain access to your bank details. See the example below.

If you have any inquiries, please let us know by logging a request on ServiceNow or calling our Service Desk at 808 4367. For more information on this and other phishing attacks, refer to our blog and Twitter account.

From:SU staff member <fakesustaffaddress@sun.ac.za>
Sent: Monday, 07 August 2017 07:24
Subject: IT HelpDesk With the strengthening off our security system and improving your mailing experience, We have detected your mail settings are out of date. To enhance computer system security and comply with federal audit requirements, ITS requires all Sever Users to update their account , kindly click ITS to update your account to the latest Outlook Web App. Sign in and automatically update your mailbox by filling out the requirements correctly.

With the strengthening off our security system and improving your mailing experience, We have detected your mail settings are out of date. To enhance computer system security and comply with federal audit requirements, ITS requires all Sever Users to update their account , kindly click ITS to update your account to the latest Outlook Web App. Sign in and automatically update your mailbox by filling out the requirements correctly.
___________________
Thanks
Sincerely,
ITS Service Desk
Click Here To Upadate with your correct Login Details.