Posted on December 8, 2021 at 1:53 PM
Cybersecurity firm Proofpoint has revealed that threat actors are taking advantage of the fears surrounding the Omicron virus strain to attack US universities.
According to researchers at the firm, hackers are using phishing emails to try to steal credentials from people at U.S. universities. The emails invoke the newly identified strain of the virus that causes COVID-19.
The phishing emails have been sent to dozens of universities in the U.S.
The World Health Organization (WHO) has already identified the new strain of the virus as a “variant of concern”. It has already been detected, albeit in small numbers, in several dozen countries, including the United States.
The emails are tagged with “covid-19 test”
Proofpoint stated that the emails have already been sent to several universities in the U.S., but it has confirmed only two: the University of Central Missouri and Vanderbilt University.
The phishing emails usually contain information about the new Omicron variant and COVID-19 testing.
Some of the emails are tagged with “COVID-19 test”, while others generally come with subject lines like “Attention Required – Information Regarding COVID-19 Omicron Variant”. They are sent to deceive victims into giving in to requests for personal information.
Since the COVID-19 pandemic began in December 2019, threat actors have used concern about the virus as a phishing lure. Their activity slowed somewhat after pharmaceutical companies started manufacturing vaccines for the virus.
However, the newly discovered Omicron variant has drawn more interest from the bad actors, as they seek to take advantage of the fear of the variant to gain access to users’ systems.
Some use legitimate-looking university pages while others imitate generic Office 365 login pages to deceive their victims.
Proofpoint researchers stated that the activities of these threat actors could increase in the next few months as universities and colleges require students to carry out tests.
“We expect more threat actors will adopt COVID-19 themes given the introduction of the Omicron variant,” Proofpoint noted.
Proofpoint added that in some cases, the emails redirected potential victims to the main websites of their university after their credentials were stolen.
According to security researchers, threat actors have already sent thousands of emails containing malicious files to the victims. Some of the emails have URLs linking to malicious websites that steal credentials, while others come with the malicious files attached. Once the user clicks on the malicious file, their systems are automatically affected.
In other instances, Proofpoint discovered that the threat actors are using legitimate but compromised WordPress websites to host credential capture pages.
The Hackers Also Tried To Steal MFA Credentials
The researchers also noted that the hackers tried to steal multifactor authentication (MFA) credentials to enable them to circumvent other layers of security.
This means that after the threat actors have stolen the victim’s username and password, they proceed to bypass the second authentication step that could have prevented them from gaining unauthorized access.
Many of the emails are delivered through spoofed senders, but Proofpoint discovered that threat actors also leverage legitimate, compromised university accounts to send COVID-19 themed threats to their targets.
The hackers, as observed by Proofpoint, gain initial access to credentials at some universities via compromised mailboxes. After compromising these accounts, they send the same threats to other universities.
The hacking activities have not been linked to any threat group and the main goal of the threat actors is not known.
More Attackers Are Taking Advantage Of The New Omicron Variant
A senior manager at Lookout, Hank Schless, stated that some malicious phishing activities were discovered when the pandemic became a worldwide issue in 2020.
At that time, the threat actors tried to deceive people by promising them information about the shutdown, increased government palliatives, and self-testing apps.
He added that Proofpoint discovered an 87% increase in enterprise mobile phishing from the fourth quarter of 2019 to the first quarter of 2020.
However, a few months into 2020, the threat actors changed their tune, delivering attacks that promised information about reopening and vaccines.
Phishing exposure increased 127% between Q4 of 2020 and Q1 of 2021, and has remained at the same level through Q3 2021, Schless stated.
But the threat actors have changed their tune again, following the increasing concerns about the new Omicron variant. They are now using it to convince potential victims to share their login details with fake promises of vital information about the variant. However, the threat actors are only interested in planting malware on the victim’s systems for a ransomware attack, Schless warned.