According to research by Proofpoint, a new phishing attack is taking place where attackers are leveraging fear over the spread of the new COVID-19 strain, Omicron, to steal login credentials of accounts at several North American universities.
Proofpoint researchers said that the phishing attacks began in October, but they witnessed a sharp increase in November. The emails sent by attackers contain general information about the new COVID-19 variant Omicron and information about testing.
Cybercriminals have been using concern about COVID-19 as a lure in phishing scams since January 2020.
Phishing Campaign Details
In this COVID-19-themed campaign, attackers have targeted various North American universities. Students and faculty receive a phishing email containing URLs or attachments that lead to credential-harvesting pages when opened. The landing pages imitate the university's login portal. In most cases, once the credentials have been captured, the attackers redirect the user to the legitimate university portal page.
Such emails typically carry subject lines such as:
Attention Required – Information Regarding COVID-19 Omicron Variant
The email also contains a link to a fake university login page.
Some students have also received emails carrying COVID-19 test attachments. The attachment leads to a fake university login page, where the credentials are stolen.
According to Proofpoint, different threat clusters use different methods to distribute these campaigns. In this Omicron campaign, attackers use actor-controlled infrastructure to host fake university login pages on lookalike domain names that embed the real university domain. These include:
sso[.]ucmo[.]edu[.]boring[.]cf/Covid19/authenticationedpoint.html
sso2[.]astate[.]edu[.]boring[.]cf/login/authenticationedpoint.html
Similarly, attachment-based Omicron campaigns use compromised WordPress sites to capture credentials. These include:
hfbcbiblestudy[.]org/demo1/includes/jah/[university]/auth[.]PHP
afr-tours[.]co[.]za/includes/css/js/edu/web/etc/login[.]PHP
traveloaid[.]com/css/js/[university]/auth[.]php
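The URL-based lure above embeds the real university domain as a subdomain of an unrelated registrable domain (sso.ucmo.edu.boring.cf), while the attachment-based lure hides on compromised WordPress sites. The following added example, not Proofpoint's code, shows a simple defender-side check that flags the first pattern in defanged indicators like those listed, and correctly does not flag the WordPress hosts, whose detection needs other signals; TRUSTED_DOMAINS and the two-label registrable-domain heuristic are assumptions.

```python
"""Flag lookalike hostnames that embed a trusted domain inside an
unrelated registrable domain (e.g. sso.ucmo.edu.boring.cf)."""
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit

# Constructed list of domains our users legitimately log in to (assumption).
TRUSTED_DOMAINS = {"ucmo.edu", "astate.edu"}


def refang(indicator: str) -> str:
    """Undo the [.] defanging commonly used in threat reports."""
    return indicator.replace("[.]", ".")


def hostname_of(indicator: str) -> str:
    """Return the lowercased hostname of a URL or bare host/path string."""
    text = refang(indicator).strip()
    if "://" not in text:
        text = "http://" + text          # let urlsplit see a netloc
    return (urlsplit(text).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Fine for .edu/.cf/.org/.com here;
    a production check should use the Public Suffix List (assumption)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def lookalike_for(indicator: str) -> Optional[str]:
    """Return the trusted domain being impersonated, or None."""
    host = hostname_of(indicator)
    if not host or registrable_domain(host) in TRUSTED_DOMAINS:
        return None                      # empty, or genuinely ours
    padded = "." + host + "."
    for trusted in sorted(TRUSTED_DOMAINS):
        if "." + trusted + "." in padded:
            return trusted               # ours appears as a mere label run
    return None


def scan(indicators: Iterable[str]) -> Dict[str, str]:
    """Map each flagged indicator to the trusted domain it imitates."""
    hits = {}
    for ind in indicators:
        imitated = lookalike_for(ind)
        if imitated:
            hits[ind] = imitated
    return hits
```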
In some campaigns, attackers have also attempted to steal multi-factor authentication codes by impersonating Duo. Stealing MFA codes would let the attackers bypass the second layer of security.