Security researchers at Proofpoint have discovered an Omicron variant-themed phishing campaign targeting North American universities. The phishing emails aim to steal university login credentials, though the purpose of that is currently unknown. The phishing emails target students of Vanderbilt University, the University of Central Missouri, and other North American universities.
This is certainly not the first time malicious actors have used people’s anxiety over the ongoing pandemic to their own advantage. There have been numerous campaigns in the past. As soon as the pandemic began, coronavirus-themed malicious campaigns began. The campaigns usually change depending on the situation. When the vaccines started becoming available, malicious email campaigns invited people to register for their shots. And now that the new Omicron variant is spreading, malicious actors have adapted their campaigns to mention Omicron.
This particular phishing email campaign either asks students to click on a link or open an attachment. According to Proofpoint, the subject lines of these email campaigns are usually some form of “Attention Required – Information Regarding COVID-19 Omicron Variant – November 29”. While most COVID-19 themed phishing campaigns are sent from email addresses that are merely made to look similar to legitimate ones, Proofpoint has said that malicious actors also use legitimate, compromised university accounts.
“While many messages are sent via spoofed senders, Proofpoint has observed threat actors leveraging legitimate, compromised university accounts to send COVID-19 themed threats. It is likely the threat actors are stealing credentials from universities and using compromised mailboxes to send the same threats to other universities,” Proofpoint has said.
If users click on the links, they are taken either to sites that closely resemble legitimate university login pages or to generic Office 365 ones. The fake university sites may look almost identical to the legitimate ones, which indicates that at least some effort has been put into these phishing campaigns. It may be enough to trick less attentive users. However, those who pay attention to details or are more familiar with phishing attempts should notice that the URL of the site they’re led to does not match their university’s URL. A site’s address is usually the biggest giveaway when it comes to phishing campaigns.
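The URL comparison described above can be automated for links pulled from reported messages. The following is an added example, not code from Proofpoint or the original article; the domain `uni.example`, the sample links and the function names are constructed placeholders. It shows why the comparison has to be made on the host the browser actually connects to, on a label boundary, rather than by looking for the university's name somewhere in the address.

```python
from urllib.parse import urlsplit

# Assumption: domains the institution really serves sign-in pages from (placeholder).
TRUSTED_DOMAINS = {"uni.example"}

# Constructed sample links, as they might be extracted from a reported message.
SAMPLE_LINKS = [
    "https://sso.uni.example/login",                 # genuine sign-in host
    "https://SSO.UNI.EXAMPLE./login",                # same host, odd case and trailing dot
    "https://uni.example.login-portal.example/sso",  # trusted name used as a subdomain prefix
    "https://uni.example@login-portal.example/",     # trusted name placed in the userinfo part
    "https://notuni.example/login",                  # trusted name as a bare string suffix
    "http://sso.uni.example/login",                  # right host, but not HTTPS
    "https://un\u0456.example/login",                # Cyrillic lookalike letter in the name
]

def effective_host(url):
    """Return (scheme, host) the browser would actually connect to, or None."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname          # drops userinfo and port, lowercases
    except ValueError:
        return None
    if not host:
        return None
    try:
        # Punycode form makes lookalike Unicode letters visible as xn-- labels.
        host = host.rstrip(".").encode("idna").decode("ascii")
    except UnicodeError:
        return None
    return parts.scheme.lower(), host

def is_trusted_login_url(url, trusted=TRUSTED_DOMAINS):
    """True only for HTTPS URLs whose host is a trusted domain or a subdomain of one."""
    resolved = effective_host(url)
    if resolved is None:
        return False
    scheme, host = resolved
    if scheme != "https":
        return False
    # Compare on a label boundary; substring or plain suffix matching is not enough.
    return any(host == d or host.endswith("." + d) for d in trusted)

def untrusted_links(urls, trusted=TRUSTED_DOMAINS):
    """Return the links that should not be trusted as a sign-in page."""
    return [u for u in urls if not is_trusted_login_url(u, trusted)]

if __name__ == "__main__":
    for link in untrusted_links(SAMPLE_LINKS):
        print("does not match the institution's domain:", link)
```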
To prevent users from realizing what’s going on, as soon as they type in their login credentials and press “Sign In”, they are redirected to their university’s legitimate website. Because needing to log in multiple times does happen from time to time, many users may not think twice about having to type their login credentials again. But as soon as the credentials are typed in on the phishing website, they are immediately transferred to the cybercriminals operating this phishing campaign. Proofpoint noted that this campaign is not attributed to any known cybercrime group. The objective of this campaign is also currently unknown. Proofpoint also believes these campaigns will increase in number in the following months.
“It is likely this activity will increase in the next two months as colleges and universities provide and require testing for students, faculty, and other workers traveling to and from campus during and after the holiday season, and as the Omicron variant emerges more widely,” Proofpoint has warned.