Dozens of universities are currently being hit with a coordinated cyber-attack that uses information about the Omicron variant as a lure to steal login credentials.
Evidence of the phishing campaigns was dredged up from the murky depths of the cyber-crime underworld by researchers at the cybersecurity firm Proofpoint.
The targeted universities are generally based in North America and include the University of Central Missouri in Warrensburg, Missouri, and Vanderbilt University, a private research university in Nashville, Tennessee.
Researchers found the phishing emails to be commonly themed around testing information and the latest COVID-19 variant to be discovered. One email subject line used by the attackers was “Attention Needed – Info Concerning COVID-19 Omicron Variant – November 29.”
“Proofpoint observed COVID-19 themes impacting education institutions throughout the pandemic, but consistent, targeted credential theft campaigns using such lures targeting universities began in October 2021,” the researchers noted.
“Following the announcement of the new Omicron variant in late November, the threat actors began leveraging the new variant in credential theft campaigns.”
Within the phishing emails are attachments or URLs for web pages designed to harvest credentials for university accounts. While some campaigns feature generic Office 365 login portals, others include landing pages designed to mimic the official login portal of the targeted university.
To make their malicious emails harder to detect, the threat actors behind the campaigns sometimes redirect victims to a legitimate university communication after harvesting the credentials.
Campaigns that rely on malicious attachments have leveraged legitimate but compromised WordPress websites to host credential-harvesting web pages, including hfbcbiblestudy[.]org/demo1/involves/jah/[university]/auth[.]php and traveloaid[.]com/css/js/[university]/auth[.]php.
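As an added defender-side example (not from the article or from Proofpoint), the Python below refangs the two indicators quoted above and scans mail-gateway log lines for URLs that point at those compromised hosts, or that reuse the campaign's per-university `/auth.php` path shape on a host other than the university's real login portal. The allow-listed login hosts and the log lines are constructed sample values.

```python
import re
from urllib.parse import urlparse

# Indicators quoted in the article, kept in their defanged form ("[.]" for ".").
# "[university]" is the article's own placeholder for the targeted school.
ARTICLE_IOCS = [
    "hfbcbiblestudy[.]org/demo1/involves/jah/[university]/auth[.]php",
    "traveloaid[.]com/css/js/[university]/auth[.]php",
]

# Hosts that serve this university's real login portal (constructed example values).
LEGIT_LOGIN_HOSTS = {"login.example-university.edu", "sso.example-university.edu"}

# Path shape the campaign used: a per-university directory ending in auth.php.
HARVEST_PATH = re.compile(r"/[^/]+/auth\.php$", re.IGNORECASE)
URL_IN_LOG = re.compile(r"https?://[^\s\"'<>]+")

def refang(ioc):
    """Turn a defanged indicator back into a matchable URL string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")

def ioc_hosts(iocs):
    """Hostnames of the compromised sites named in the indicators."""
    return {urlparse("http://" + refang(i)).hostname for i in iocs}

def classify_url(url, known_hosts, legit_hosts):
    """Return a reason string if the URL looks like a harvesting page, else None."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host in known_hosts:
        return "known-ioc-host"
    # Same path shape, but on a host that is not the real login portal.
    if host not in legit_hosts and HARVEST_PATH.search(p.path):
        return "auth.php-pattern-off-domain"
    return None

def scan_log(lines, iocs=ARTICLE_IOCS, legit_hosts=LEGIT_LOGIN_HOSTS):
    """Scan mail-gateway log lines; return (url, reason) for each suspicious URL."""
    known = ioc_hosts(iocs)
    return [(u, r) for line in lines for u in URL_IN_LOG.findall(line)
            if (r := classify_url(u, known, legit_hosts))]

# Constructed sample mail-gateway log lines (not taken from the article).
SAMPLE_LOG = [
    'msg=1 subj="Omicron Variant - Attention" url=http://traveloaid.com/css/js/example-university/auth.php',
    'msg=2 subj="Campus newsletter" url=https://login.example-university.edu/app/auth.php',
    'msg=3 subj="Omicron update" url=https://cdn.badhost-example.net/x/example-university/auth.php',
    'msg=4 subj="Reminder" url=https://www.example-university.edu/news/omicron',
]
```

Running `scan_log(SAMPLE_LOG)` flags messages 1 and 3 and leaves the two genuine university URLs alone; message 2 shows why the path pattern alone is not enough and the legitimate-host allow-list matters.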
In some campaigns, threat actors spoofed multi-factor authentication (MFA) providers such as Duo to steal MFA credentials.
“Stealing MFA tokens allows the attacker to bypass the second layer of security designed to keep out threat actors who already know a victim’s username and password,” wrote the researchers.
Recipients of the malicious emails may not be able to tell they are being targeted by cyber-criminals simply by looking at the sender’s address.
The researchers wrote: “While many messages are sent via spoofed senders, Proofpoint has observed threat actors leveraging legitimate, compromised university accounts to send COVID-19 themed threats.”