Omicron scam targets universities – Infosecurity Magazine


Dozens of universities are hit by a coordinated cyber attack that uses news of the Omicron variant as a decoy to steal login credentials.

Evidence of the phishing campaigns was uncovered by researchers at cybersecurity firm Proofpoint.

The targeted universities are primarily based in North America and include the University of Central Missouri in Warrensburg, Missouri, and Vanderbilt University, a private research university in Nashville, Tennessee.

Researchers found that the phishing emails typically focused on testing information and newly discovered COVID-19 variants. One subject line used by the attackers was “Attention Required – Information Regarding the COVID-19 Omicron Variant – November 29”.

“Proofpoint observed COVID-19 themes impacting educational institutions throughout the pandemic, but consistent and targeted credential theft campaigns using such decoys targeting universities began in October 2021,” the researchers noted.

“Following the announcement of the new Omicron variant in late November, threat actors began to take advantage of the new variant in credential theft campaigns.”

The phishing emails carry attachments or URLs that lead to pages built to harvest university account credentials. Some campaigns use generic Office 365 login portals, while others use landing pages designed to mimic the target university’s official login portal.

To make the attack harder to notice, the attackers sometimes redirect victims to legitimate academic communications after the credentials have been collected.

Campaigns that rely on malicious attachments used legitimate but compromised WordPress websites to host the credential-harvesting pages, including hfbcbiblestudy[.]org/demo1/includes/jah/[university]/auth[.]php and traveloaid[.]com/css/js/[university]/auth[.]php.

In some campaigns, threat actors have spoofed multi-factor authentication (MFA) providers such as Duo to steal MFA credentials.

“MFA token theft allows the attacker to bypass the second layer of security designed to prevent malicious actors who already know a victim’s username and password,” the researchers wrote.

Recipients of malicious emails may not be able to tell that they are being targeted by cybercriminals just by looking at the sender’s address.

The researchers wrote: “While many messages are sent via spoofed senders, Proofpoint has observed threat actors leveraging legitimate and compromised university accounts to send COVID-19 themed threats.”
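Two of the observations above lend themselves to simple mail-triage checks: the harvesting pages share a recognisable path shape (a university-named directory followed by auth.php) on the compromised hosts Proofpoint named, and many messages come from senders whose display name invokes the institution while the address does not. The script below is an added example, not code from the article or from Proofpoint; it refangs the article's defanged indicators, runs both checks over a few constructed sample messages, and treats a clean sender check as inconclusive because, as the researchers note, compromised legitimate accounts are also used. The domain example-university.edu, the sample senders and the triage() message layout are assumptions made for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hosts the article lists (defanged there) as hosting credential-harvesting pages.
KNOWN_HARVESTING_HOSTS = {"hfbcbiblestudy.org", "traveloaid.com"}

# Path shape reported for the harvesting pages: .../<university>/auth.php
AUTH_PATH_RE = re.compile(r"/[^/]+/auth\.php$", re.IGNORECASE)

# Display-name words that claim an institutional or COVID-related sender (assumed lure vocabulary).
LURE_WORDS = ("university", "covid", "omicron", "it help", "registrar")


def refang(indicator: str) -> str:
    """Convert defanged indicators ("example[.]com", "hxxp://") back to real form for matching."""
    return (indicator.replace("[.]", ".")
            .replace("hxxp://", "http://")
            .replace("hxxps://", "https://"))


@dataclass(frozen=True)
class Finding:
    reason: str
    detail: str


def check_url(url: str) -> list[Finding]:
    """Flag a known harvesting host and/or the campaign's <dir>/auth.php path shape."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    findings = []
    if host in KNOWN_HARVESTING_HOSTS:
        findings.append(Finding("known-harvesting-host", host))
    if AUTH_PATH_RE.search(path):
        findings.append(Finding("auth-php-path", path))
    return findings


def check_sender(display_name: str, address: str, own_domains: set[str]) -> list[Finding]:
    """Flag a display name that invokes the institution when the address is outside its domains.
    An empty result is not a pass: compromised legitimate accounts would not trip this check."""
    domain = address.rsplit("@", 1)[-1].lower()
    internal = any(domain == d or domain.endswith("." + d) for d in own_domains)
    name = display_name.lower()
    if not internal and any(word in name for word in LURE_WORDS):
        return [Finding("external-sender-lure-name", f"{display_name} <{address}>")]
    return []


def triage(message: dict, own_domains: set[str]) -> list[Finding]:
    """Run both checks over a parsed message: {'from_name', 'from_addr', 'urls': [...]}."""
    findings = check_sender(message["from_name"], message["from_addr"], own_domains)
    for url in message["urls"]:
        findings.extend(check_url(url))
    return findings


# Constructed sample messages (not real campaign data); URLs follow the article's defanged IoCs.
SAMPLE_MESSAGES = [
    {   # spoofed external sender pointing at a listed harvesting host
        "from_name": "University COVID-19 Response",
        "from_addr": "alerts@example-mailer.test",
        "urls": ["hxxps://hfbcbiblestudy[.]org/demo1/includes/jah/[university]/auth[.]php"],
    },
    {   # compromised legitimate account scenario: sender check stays quiet, URL check still fires
        "from_name": "Registrar's Office",
        "from_addr": "registrar@example-university.edu",
        "urls": ["hxxps://traveloaid[.]com/css/js/[university]/auth[.]php"],
    },
    {   # benign internal message
        "from_name": "Library Services",
        "from_addr": "library@example-university.edu",
        "urls": ["https://example-university.edu/library/hours"],
    },
]
OWN_DOMAINS = {"example-university.edu"}  # assumed institutional domain

if __name__ == "__main__":
    for i, msg in enumerate(SAMPLE_MESSAGES, 1):
        for f in triage(msg, OWN_DOMAINS):
            print(f"message {i}: {f.reason}: {f.detail}")
```

The second sample is the case the researchers warn about: the sender is a genuine institutional account, so only the URL indicators catch it. In practice the host list would be fed from threat intelligence rather than hard-coded, and the auth.php path check should be treated as a low-confidence signal to be combined with the others.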
