
Cybercriminals Exploit Omicron as an Enticement to Steal University Credentials

Attackers are increasingly using lures related to COVID-19 and the Omicron variant to target university students.


Researchers at Proofpoint have discovered an uptick in email threats that are aimed mostly at North American institutions and attempt to steal university login credentials. These threats frequently use COVID-19 themes, such as testing data and the new Omicron variant, as lures. Proofpoint observed COVID-19 themes affecting educational institutions throughout the pandemic, but persistent, targeted credential theft attacks against universities began in October 2021. Following the disclosure of the new Omicron variant in late November, threat actors began using it in credential theft campaigns.

According to Brett Callow, a threat analyst with the cybersecurity firm Emsisoft, fraudsters frequently use news events to dupe their victims. “If there’s a significant event, be it a pandemic or a Super Bowl, it will be used as bait for phishing,” Callow said. 

According to Selena Larson, a senior threat intelligence analyst at Proofpoint and co-author of the blog post, the wave of phishing attacks mentioning the Delta, and now the Omicron, variants was extremely specific in its targeting of universities. She projected that the attacks will rise in the coming two months as colleges conduct more campus testing in response to both holiday travel and the emergence of the Omicron variant.

The phishing emails used in these attacks contain either malicious attachments or URLs to pages designed to capture university account credentials. The counterfeit landing pages often replicate a university's official login portal, although Proofpoint has also identified several campaigns that use generic Office 365 login gateways. The threat actors behind some of these campaigns attempted to steal multifactor authentication (MFA) credentials by impersonating MFA providers such as Duo. By stealing MFA tokens, an attacker can circumvent the second layer of security, which is designed to keep out threat actors who already have access to a victim's credentials.

Although a majority of the messages in these campaigns are sent through spoofed senders, Proofpoint has also detected threat actors using actual, compromised university accounts to send COVID-19 related threats. Attackers are most likely stealing credentials from colleges and then using the compromised accounts to send the same threats to other universities.

To avoid becoming a victim of these or other email-based threats, university students should carefully check the email addresses of messages they receive, avoid clicking on any links in suspicious emails, and refrain from logging into their school's online portal after clicking on links in emails that appear to have originated from their university or college, said the researchers.