Be on the alert for the OneClass Chrome Extension Malware and Phishing scam. UBC Cybersecurity has determined that the OneClass Chrome Extension is malware and that there is significant risk to students’ personal information if they have installed this software. Once the extension is installed, it may attempt to send an email on your behalf and attempt to steal your Campus-Wide Login (CWL) credentials, as well as any other logins and passwords that were entered on any website while using Chrome.

Please note that remediation instructions are provided further below in this bulletin for any UBC students who may have installed the OneClass Chrome Extension on their computer(s). UBC has no affiliation with OneClass nor does it allow the use of this software under Policy #104 Acceptable Use and Security of UBC Electronic Information and Systems (http://www.universitycounsel.ubc.ca/policies/policy104.pdf).

If you receive this phishing email in your Canvas Inbox or via email, do not install the extension or click on any links in the Canvas message or the email copy. Please delete the Canvas message and the corresponding email notification.

An example copy of the phishing email is below:

—

“Hey guys & girls!

Just wanted to let everyone know that you can find study guides and notes for your courses here! Thought I’d share 🙂

<URL removed>

Good luck studying!”

—

How the phishing works:

Students will receive communication that includes a link to install the OneClass Chrome Extension. During the installation, the user may be prompted to grant permission to allow this extension to “Read and change all your data on the websites you visit.”

The extension may also attempt to send an email to everyone in the user’s class to promote the OneClass website. The extension may contain code that will attempt to collect user login credentials.

How do I find out if I’ve installed the OneClass Chrome Extension and how do I remove it?

Please follow the steps below to check for the extension in Chrome and to remove the extension if it is installed:

1. Open up your Chrome Browser
2. Select the 3 vertical dots in the top right-hand corner
3. Select Settings or type chrome://extensions/ in the URL bar
4. Select Extensions in the top left-hand corner
5. Click the Trashcan beside the “OneClass Easy Invite” extension
6. Select Remove on the Confirm Removal popup
7. Close all Chrome windows and go back to the Extensions page to verify the extension has been removed (Steps 1-4)
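For IT staff who need to run the same check on many machines, the script below is an added example and is not part of the original bulletin or any UBC tooling. It reads the manifests in a Chrome profile folder and reports extensions whose name contains "OneClass" or that request the site access Chrome describes as “Read and change all your data on the websites you visit.” The name marker, the helper names and the sample manifests (including their permissions) are constructed assumptions.

```python
import json
from pathlib import Path

# Match patterns Chrome summarises as "Read and change all your data on the websites you visit".
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
NAME_MARKER = "oneclass"  # assumption: matched case-insensitively against the display name


def display_name(version_dir, manifest):
    """Return the extension name, resolving a __MSG_key__ placeholder through _locales."""
    name = str(manifest.get("name", ""))
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    try:
        path = version_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
        messages = {k.lower(): v for k, v in json.loads(path.read_text(encoding="utf-8-sig")).items()}
    except (OSError, ValueError, AttributeError):
        return name  # locale file missing or malformed: keep the placeholder
    entry = messages.get(name[6:-2].lower(), {})
    return str(entry.get("message", name)) if isinstance(entry, dict) else name


def scan_profile(profile_dir):
    """Check every <profile>/Extensions/<id>/<version>/manifest.json in one Chrome profile."""
    findings = []
    for path in sorted(Path(profile_dir).glob("Extensions/*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest
        requested = set()
        for field in ("permissions", "host_permissions"):
            requested.update(p for p in manifest.get(field, []) if isinstance(p, str))
        for script in manifest.get("content_scripts", []):
            requested.update(script.get("matches", []))
        name = display_name(path.parent, manifest)
        findings.append({"id": path.parent.parent.name, "name": name, "name_match": NAME_MARKER in name.lower(),
                         "broad_access": sorted(requested & BROAD_HOSTS)})
    return findings


def build_sample_profile(root):
    """Constructed sample data: a fake profile holding two made-up extension manifests."""
    samples = {"a" * 32: {"name": "OneClass Easy Invite", "permissions": ["tabs", "<all_urls>"]},
               "b" * 32: {"name": "Sample Notes", "permissions": ["storage"]}}
    for ext_id, manifest in samples.items():
        version_dir = Path(root) / "Extensions" / ext_id / "1.0_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
```

Pass `scan_profile` the path of a Chrome profile folder (the one that contains an `Extensions` directory). A `broad_access` hit alone is not proof of malware, since legitimate extensions also request it; a `name_match` should be removed using the steps above.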

Once you have removed this extension, please go to myaccount.ubc.ca to reset your CWL password. Reset all passwords for any other sites that you visited while using Chrome with the OneClass Extension installed.

A brief history of this phishing scam:

On September 12, 2018, the LT Hub was notified about suspicious OneClass messages being circulated via the Canvas conversations tool.

Our Canvas vendor, Instructure, is aware of this malicious extension and has reported that other institutions have also been impacted.

In November and December 2016, a previous version of the OneClass plugin was used to circulate emails through Connect. UBC Cybersecurity determined that those versions of the OneClass Chrome Extension had code that would collect login credentials to any website visited while using Chrome and send this information to offsite servers with malicious intent. These credentials include CWL username and password, as well as any other credentials for other websites that were visited using Chrome (e.g., bank and email accounts). There is a significant risk for identity theft if the OneClass Chrome Extension is not uninstalled and affected passwords are not immediately changed.

If you have any questions, please contact Cybersecurity via the IT Service Desk at 604.822.2008 or email security@ubc.ca
