Warning for Colleges on COVID-Based Phishing Attacks | Inside Higher Ed
Phishing emails targeting U.S. universities are leveraging the pandemic by enticing users to enter their log-in credentials for fabricated COVID testing registration requests, according to researchers with the security company Proofpoint.
Hackers began sending thousands of messages mimicking legitimate log-in portals to dozens of North American colleges in October, company representatives said in a blog post published this week. The post noted that Proofpoint’s researchers have “observed COVID-19 themes impacting education institutions throughout the pandemic, but consistent, targeted credential theft campaigns using such lures targeting universities began in October 2021.”
Brett Callow, a threat analyst with the cybersecurity company Emsisoft, said cybercriminals habitually leverage news events to trick their victims.
“If there’s a significant event, be it a pandemic or a Super Bowl, it will be used as bait for phishing,” Callow said.
Selena Larson, a senior threat intelligence analyst at Proofpoint and co-author of the blog post, wrote that the wave of phishing attacks citing the Delta, and now the Omicron, variants was unusually specific in its targeting of universities. She said company researchers predicted the attacks will increase in the next two months as colleges respond both to holiday travel and the emergence of the Omicron variant with more campus testing.
The phishing emails included attachments or URLs for “pages intended to harvest credentials for university accounts,” the Proofpoint blog post said. “The landing pages typically imitate the university’s official login portal, although some campaigns feature generic Office 365 login portals.”
Researchers reported that emails with URLs using the subject “Attention Required—Information Regarding COVID-19 Omicron Variant—November 29” lured victims in and then led them to a spoofed landing page. Some victims were redirected to a legitimate university communication after hackers captured credentials, the blog post said.