Study: Credential Thieves Targeting Universities Using COVID Themes, Sophisticated Spoof Sites

phishing

Cybersecurity experts at Proofpoint have identified a dramatic increase in phishing attacks targeting mostly North American universities, many of which leverage COVID-19 themes including testing information and the new Omicron variant.

In a Dec. 7 blog post, Proofpoint explained that credential-theft campaigns targeting universities and exploiting COVID-19 themes have ramped up consistently since October 2021. Following the announcement of the new Omicron variant in late November, the threat actors began leveraging the new variant in their attacks, Proofpoint researchers noted.

The threats targeting universities are interesting due to their specificity as well as their effort to mimic universities' legitimate login portals, the cybersecurity firm noted. "It is likely this activity will increase in the next two months as colleges and universities provide and require testing for students, faculty and other workers traveling to and from campus during and after the holiday season, and as the Omicron variant emerges more widely," the researchers said.

Proofpoint expects more threat actors will adopt COVID-19 themes given the introduction of the Omicron variant, based on previously published research that identified COVID-19 themes making a resurgence in e-mail campaigns following the emergence of the Delta variant in August 2021.

Campaign Details

Thousands of messages targeting dozens of U.S. universities have referenced the Omicron variant and COVID themes in recent weeks, according to Proofpoint.

The phishing e-mails contain attachments or URLs for pages intended to harvest credentials for university accounts. The landing pages typically imitate the university's official login portal, although some campaigns feature generic Office 365 login portals, the researchers noted.

In some cases, such as the Omicron variant lures, victims are redirected to a legitimate university communication after credentials are harvested. Proofpoint observed that these credential-theft attempts have already pivoted from Delta variant themes to Omicron themes since the announcement of the new variant just a few weeks ago.

E-mails with URLs use subjects lines such as "Attention Required - Information Regarding COVID-19 Omicron Variant - November 29," with a link to a spoofed landing page such as the example pictured below.

Spoofed login page for the University of Central Missouri

Spoofed login page for the University of Central Missouri

Messages distributing attachments included subject lines such as "Covid Test."

HTM attachment leading to a credential capture webpage

HTM attachment leading to a credential capture webpage

The attachments led to a university themed e-mail credential theft webpage.

Credential theft webpage spoofing Vanderbilt University

Credential theft webpage spoofing Vanderbilt University

In addition to multiple delivery methods of these ongoing threat attempts — Proofpoint has observed both URLs and attachments in campaigns — activity clusters use different sender and hosting methods to distribute credential-theft campaigns.

In the Omicron variant campaign, threat actors have leveraged actor-controlled infrastructure to host credential theft webpages using similar domain naming patterns. These include:

  • sso[.]ucmo[.]edu[.]boring[.]cf/Covid19/authenticationedpoint.html
  • sso2[.]astate[.]edu[.]boring[.]cf/login/authenticationedpoint.html

Attachment-based campaigns have leveraged legitimate but compromised WordPress websites to host credential capture webpages, including:

  • hfbcbiblestudy[.]org/demo1/includes/jah/[university]/auth[.]php
  • afr-tours[.]co[.]za/includes/css/js/edu/web/etc/login[.]php
  • traveloaid[.]com/css/js/[university]/auth[.]php

In some campaigns, threat actors attempted to steal multi-factor authentication credentials, spoofing MFA providers such as Duo. Stealing MFA tokens enables the attacker to bypass the second layer of security designed to keep out threat actors who already know a victim's username and password.
  
To read more about ongoing cybersecurity threats, visit Proofpoint's blog.

About the Author

Kristal Kuykendall is editor, 1105 Media Education Group. She can be reached at [email protected].


Featured

  • AI-inspired background pattern with geometric shapes and fine lines in muted blue and gray on a dark background

    IBM Releases Granite 3.0 Family of Advanced AI Models

    IBM has introduced its most advanced family of AI models to date, Granite 3.0, at its annual TechXchange event. The new models were developed to provide a combination of performance, flexibility, and autonomy that outperforms or matches similarly sized models from leading providers on a range of benchmarks.

  • An abstract depiction of a virtual reality science class featuring two silhouetted figures wearing VR headsets

    University of Nevada Las Vegas to Build VR Learning Hub for STEM Courses

    A new immersive learning center at the University of Nevada, Las Vegas is tapping into the power of virtual reality to support STEM engagement and student success. The institution has partnered with Dreamscape Learn on the initiative, which will incorporate the company's interactive VR platform into introductory STEM courses.

  • futuristic crystal ball with holographic data projections

    Call for Opinions: 2025 Predictions for Higher Ed IT

    How will the technology landscape in higher education change in the coming year? We're inviting our readership to weigh in with their predictions, wishes, or worries for 2025.

  • abstract pattern of interlocking circuits, hexagons, and neural network shapes

    Anthropic Announces Cautious Support for New California AI Regulation Legislation

    Anthropic has announced its support for an amended version of California’s Senate Bill 1047 (SB 1047), the "Safe and Secure Innovation for Frontier Artificial Intelligence Models Act," because of revisions to the bill the company helped to influence, but not without some reservations.