A large University of Toronto department became the victim of a sophisticated phishing attack on June 4 in which the scammer supposedly impersonated the department chair and asked students to buy and scan pre-scratched iTunes gift cards.
The attack was sophisticated enough that the targets were not able to detect it, as it didn’t have the mistakes or inconsistencies of a typical phishing email.
Just over two weeks later, another large phishing attack was carried out on university employees, this one described by U of T’s Information Technology Services website as “malicious.”
In broken English, the attacker said that he had gained access to the victims’ webcams and had recorded videos of them watching pornographic material. He threatened to release the footage if the victims refused to pay him in Bitcoin.
U of T declined to provide further information on the attack, although Mike Wiseman, Acting Director of Information Security, told The Varsity that the attackers “were trying to obtain money by fraudulent means.” The university would not divulge how many people were involved, whether anyone had lost money or given out sensitive information, or what direct action the school was taking in response.
“With phishing, the attacker will have motives to get something out of the phishing attack,” said Wiseman. “[They] may be looking for login credentials, they may be looking for a way to collect money, and in this case they were trying to do the latter.”
U of T has set up a website to help students be more informed about data safety and phishing attacks. Security Matters keeps a list of reported attacks on record, allows students to report incidents, and has a calendar of events around the importance of data safety.
“Try to take some action in your mind before doing things like clicking these links or attachments, in order to validate what you are about to do,” he said. “I would say if you can’t validate, if you feel uncomfortable, if you feel concerned about what you’re looking at, then don’t do anything, don’t click the link, don’t take the action that the message is trying to get you to do.”