A malicious actor is attempting to steal credentials from people at U.S. universities using phishing emails that invoke a newly identified variant of the virus that causes COVID-19, according to research published Tuesday by the security company Proofpoint.
The emails reference the omicron variant of the SARS-CoV-2 virus, which the World Health Organization identified as a “variant of concern” on Nov. 26 and has already been detected in several dozen countries, including the United States. The messages have reached users at “dozens” of universities around the country, though Proofpoint’s research only named two: Vanderbilt University and the University of Central Missouri.
The messages typically contain attachments or URLs that lead to imitations of legitimate login pages, with the goal of harvesting the credentials of people who enter their usernames and passwords under the assumption they’re accessing a familiar website. Sometimes, the phony pages redirect users to legitimate university sites after the credentials are harvested, Proofpoint found; the victim then lands on the site they expected and has little reason to suspect anything happened, which reduces the chance that the theft is reported.
One email, sent to a Central Missouri user, featured a subject line of “Attention Required – Information Regarding COVID-19 Omicron Variant – November 29,” with a link that leads to a page resembling the school’s single sign-on portal. A similar phony link was found in emails sent to Vanderbilt users.
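The lure described above combines a pandemic-themed subject line with a link to a look-alike single sign-on page hosted somewhere the university does not control. The following Python script is an added example, not code from Proofpoint or from either university: it parses a raw email, pulls every link out of it, and flags links whose host is not on an allowlist of the institution's real SSO hosts when the subject also carries the lure vocabulary. The sample message, the `example.edu` allowlist and the `login-portal.example.net` lookalike host are all constructed for the example; none of them is a domain named in the research.

```python
"""Flag COVID/Omicron-themed credential-phishing emails whose links point at
an SSO look-alike page on a host the institution does not own.

Added example. The allowlist, the lure terms and the sample message below
are constructed for illustration, not taken from the Proofpoint report.
"""
import email
import json
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: hosts that legitimately serve this institution's SSO.
# A real deployment would load this from the identity team's inventory.
TRUSTED_SSO_HOSTS = {"sso.example.edu", "login.example.edu"}

# Subject-line vocabulary seen in pandemic-themed lures (lower-case).
LURE_TERMS = ("covid", "omicron", "variant", "attention required")

# Words in anchor text or URL that suggest the link poses as a sign-in page.
SSO_WORDS = ("sso", "login", "signin", "sign in", "portal")


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self._current = [href, ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def extract_links(msg):
    """Return (href, text) pairs from every text/html and text/plain part."""
    links = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            parser = LinkExtractor()
            parser.feed(part.get_content())
            links.extend(parser.links)
        elif ctype == "text/plain":
            # Bare URLs in plain text: the URL is also its own "anchor text".
            for token in part.get_content().split():
                if token.startswith(("http://", "https://")):
                    links.append((token, token))
    return links


def host_is_trusted(host):
    """True only for an allowlisted host or a subdomain of one.

    Matching on the suffix '.' + trusted host means that
    'sso.example.edu.evil.net' does NOT match 'sso.example.edu'.
    """
    host = (host or "").lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED_SSO_HOSTS)


def analyse(raw_message):
    """Score one raw RFC 5322 message; returns a dict with the findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = (msg["subject"] or "").lower()
    findings = {
        "lure_terms": [t for t in LURE_TERMS if t in subject],
        "suspicious_links": [],
    }
    for href, text in extract_links(msg):
        # urlparse().hostname strips userinfo, so 'sso.example.edu@evil.net'
        # style tricks resolve to the real host 'evil.net'.
        host = urlparse(href).hostname or ""
        if host_is_trusted(host):
            continue
        poses_as_sso = any(w in (text + " " + href).lower() for w in SSO_WORDS)
        findings["suspicious_links"].append({
            "href": href,
            "host": host,
            "text": text.strip(),
            "reason": "untrusted host posing as SSO/login page" if poses_as_sso
                      else "untrusted host",
        })
    findings["verdict"] = (
        "likely credential phish"
        if findings["lure_terms"] and findings["suspicious_links"]
        else "no match"
    )
    return findings


# Constructed sample message modelled on the subject line quoted in the
# article. The sender, recipient and link hosts are invented for the example.
SAMPLE_EMAIL = """\
From: "Campus Health" <health@example.edu>
To: student@example.edu
Subject: Attention Required - Information Regarding COVID-19 Omicron Variant - November 29
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review the updated testing requirements before returning to campus.</p>
<p><a href="https://sso-example-edu.login-portal.example.net/idp">Sign in to the campus portal</a></p>
<p><a href="https://sso.example.edu/help">Help desk</a></p>
</body></html>
"""

if __name__ == "__main__":
    print(json.dumps(analyse(SAMPLE_EMAIL), indent=2))
```

The check is deliberately allowlist-based: instead of trying to enumerate lookalike domains, it treats any sign-in link that does not resolve to the institution's own SSO hosts as suspect, which is the property that actually distinguishes the phony page from the real one regardless of how closely the page itself is copied.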
Proofpoint has not determined where the credential-stealing campaign originated, or if it’s meant as an on-ramp to a bigger attack, such as data breaches, identity theft or the delivery of a ransomware payload.
“Follow on activity could include sending additional credential theft campaigns from compromised mailboxes, stealing sensitive information, or distributing malware payloads, such as ransomware,” Sherrod DeGrippo, Proofpoint’s vice president of threat research and detection, said in an emailed statement.
While information on the phishing campaign is limited, it lands as yet another example of hackers using concerns about the pandemic to take advantage of victims. In August, as the delta variant of the coronavirus became the dominant strain, malicious actors tweaked their tactics ahead of the fall surge in infections and deaths. Even as far back as January 2020, threat actors associated with the credential-stealing malware Emotet — a frequent precursor to the ransomware strain Ryuk — were leveraging fears of the initial outbreak in Wuhan, China.
“Threat actors continue to use COVID-19 theme lures in campaigns targeting multiple industries and geographic areas,” Proofpoint’s new research reads. “It is likely this activity will increase in the next two months as colleges and universities provide and require testing for students, faculty, and other workers traveling to and from campus during and after the holiday season, and as the Omicron variant emerges more widely.”