Omicron Covid Variant Phishing Email Scam Hits US and UK Schools and Universities - CTemplar

Omicron Covid Variant Phishing Email Scam Hits US and UK Schools and Universities

Omicron Covid Variant Phishing Email Scam

Since the start of the Covid-19 pandemic, the rate of reported cybercrimes has spiked 4X, according to the FBI’s Internet Crime Complaint Center (IC3) and threat actors show no signs slowing down.

According to the latest ProofPoint report, scammers have now begun to target universities in North America using the newest Omicron variant of Covid-19 in their phishing campaigns.

How do Omicron Covid-19 Phishing Attacks Work?

Phishing Attacks Work

The report says that the new Omicron variant email scam targeted dozens of North American universities, including Vanderbilt University and the University of Central Missouri, to name a few.

Security researchers explained that these scam emails contain links or attachments to landing pages that mimic the official login portal of the university. From there threat actors can harvest credentials from student accounts.

The emails with URLs typically start with a subject line like:

“Attention Required – Information Regarding COVID-19 Omicron Variant”

Which is then followed by a URL to a web address of the fake university landing page.

On the other hand, phishing emails that distribute attachments start with the “Covid Test” subject line. These contain an HTM attachment leading to a webpage imitating the university’s Sign-On page where threat actors can steal login credentials.

Threat Actors are Using Legitimate University Communication to Leverage Further Email Scams

Email Scams

Another thing that security researchers from ProofPoint have observed is that many threat actors began leveraging already compromised accounts (those that they already harvested login credentials from) to send more COVID-19 email scams.

These compromised mailboxes are then used to leverage phishing scams toward other universities.

ProofPoint Identifies Multiple Delivery Methods Used by Scammers

The researchers have also identified multiple delivery methods used in these Omicron COVID-19 scams, as fraudsters leverage different TTPs (tactics, techniques, and procedures) to target universities in North America and their students.

When it comes to attachment-based phishing emails, threat actors are using a compromised WordPress web address to host a webpage they can use for stealing credentials.

For example:

  • hfbcbiblestudy[.]org/demo1/includes/jah/[university]/auth[.]php

The threat actors also use credential-stealing webpages that have a similar domain-naming pattern, such as:

  • sso[.]ucmo[.]edu[.]boring[.]cf/Covid19/authenticationedpoint.html
  • sso2[.]astate[.]edu[.]boring[.]cf/login/authenticationedpoint.html

MFA Credentials Also a Target for Threat Actors

Threat Actors

More threat actors have also started to target Multi-factor Authentication (MFA) providers, in particular Duo.

By stealing MFA tokens threat actors can bypass the 2nd layer of security which is there to prevent an attacker who already has login credentials from the victim (username and password) from accessing their account.

UK NCSC and DfE Warn About Fake Free Omicron PCR Tests

The United Kingdom’s National Cyber Security Centre (NCSC) and the Department for Education (DfE) have also warned schools and students through Twitter about the free Omicron PCR test email scam.

Ciaran Martin, CEO at the National Cyber Security Centre said:

“Technology is helping us cope with the coronavirus crisis and will play a role helping us out of it – but that means cyber security is more important than ever.

With greater use of technology, there are different ways attackers can harm all of us. But everyone can help to stop them by following the guidance campaign we have launched today. But even with the best security in place, some attacks will still get through.

That’s why we have created a new national reporting service for suspicious emails – and if they link to malicious content, it will be taken down or blocked. By forward messages to us, you will be protecting the UK from email scams and cyber crime”

These emails link to a fake NHS website and are used by fraudsters to steal students’ personal information.

The NHS Twitter post also reminds that the NHS never asks for payment or bank details.

Keep Yourself Safe From Phishing Emails

Since the start of the Covid-19 pandemic, Gmail is receiving 240 million spam messages per day and is blocking 100 million of them daily, according to Web Arx Security.

The new variant now gives extra ammunition to scammers to target their victims with more phishing emails, this time targeting schools and universities, but also other institutions and individuals.

If you receive an Omicron PCR test email scam report it to the Federal Trade Commission (US) or the National Cyber Security Centre (UK). You can also report a phishing site to the Cybersecurity & Infrastructure Security Agency.

Finally, make sure to secure your email when working remotely. Read the article in the link to learn how.