
Phishing attacks target US Universities

US universities have found themselves in the crosshairs of phishing attacks that imitate university login portals in order to steal credentials.

To attract the attention of victims, cybercriminals use the Delta and Omicron variants of COVID-19 and various issues related to how they are supposed to affect educational programs.


These phishing campaigns, which target US universities, are believed to be conducted by multiple threat actors and have been under way since October 2021. Proofpoint has analyzed some of these phishing attacks and shares details about the tactics, techniques and procedures (TTPs) used.


In recent phishing campaigns targeting US universities, the attack begins with an email that supposedly contains information about the new Omicron variant, COVID-19 test results, course changes, etc.

These emails urge the recipient to click on an HTM attachment, which leads to a fake login page that looks the same as their university's login page.

The samples published by Proofpoint look very convincing, and the URLs they use follow a similar naming pattern that includes the .edu top-level domain. For example, a phishing attack targeting Arkansas State University students used the URL sso2[.]state[.]edu[.]boring[.]cf.


Other examples of malicious domains used in these phishing attacks are:

sso[.]ucmo[.]edu[.]boring[.]cf/Covid19/authenticationedpoint.html

hfbcbiblestudy[.]org/demo1/includes/jah/[university]/auth[.]php *

afr-tours[.]co[.]za/includes/css/js/edu/web/etc/login[.]php *

traveloaid[.]com/css/js/[university]/auth[.]php *

In some cases (marked with an asterisk), these destinations are legitimate WordPress sites that have been compromised in order to steal credentials, so protection tools will raise no alert when the victim ends up on them.
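The hostname pattern described above, a genuine-looking .edu name followed by extra labels under another TLD, can be checked mechanically. The sketch below is an added example, not code from Proofpoint or the original article: the function names and the portal.example.edu sample are assumptions, and the remaining samples are the defanged indicators listed above. It also reproduces the limitation noted for the compromised WordPress sites, whose hostnames carry no lookalike label and so pass this check.

```python
import re

TRUSTED_TLDS = {"edu"}  # assumption: TLD labels your users treat as institutional

def refang(indicator: str) -> str:
    """Normalise a defanged indicator ('a [.] b / c *') into 'a.b/c' for parsing."""
    s = re.sub(r"\s*\[\.\]\s*", ".", indicator)  # "[.]" -> "."
    s = re.sub(r"\s*/\s*", "/", s)               # drop spaces around slashes
    return s.strip().rstrip("*").strip()         # drop the article's "*" marker

def hostname(indicator: str) -> str:
    """Extract the lower-cased host from a URL-like string, with or without a scheme."""
    s = re.sub(r"^[a-z][a-z0-9+.-]*://", "", refang(indicator), flags=re.I)
    host = s.split("/", 1)[0].split("@")[-1].split(":")[0]
    return host.lower().rstrip(".")

def embedded_trusted_label(indicator: str):
    """Return the imitated name (e.g. 'sso.ucmo.edu') when a trusted TLD label
    sits in front of the real TLD; return None otherwise."""
    labels = hostname(indicator).split(".")
    # The last label is the real TLD, so only labels before it can be decoys.
    for i, label in enumerate(labels[:-1]):
        if i > 0 and label in TRUSTED_TLDS:
            return ".".join(labels[: i + 1])
    return None

# Defanged indicators quoted in the article, plus one constructed benign host.
SAMPLES = [
    "sso2[.]state[.]edu[.]boring[.]cf",
    "sso[.]ucmo[.]edu[.]boring[.]cf/Covid19/authenticationedpoint.html",
    "hfbcbiblestudy[.]org/demo1/includes/jah/[university]/auth[.]php *",
    "afr-tours[.]co[.]za/includes/css/js/edu/web/etc/login[.]php *",
    "traveloaid[.]com/css/js/[university]/auth[.]php *",
    "portal.example.edu/login",  # constructed: a genuine .edu host shape
]

def scan(indicators):
    """Map each indicator to the imitated name, or None when nothing is embedded."""
    return {i: embedded_trusted_label(i) for i in indicators}

if __name__ == "__main__":
    for indicator, imitated in scan(SAMPLES).items():
        verdict = "imitates " + imitated if imitated else "no embedded .edu label"
        print(f"{verdict:26} {indicator}")
```

Only the two boring[.]cf hosts are flagged; the asterisked sites need a different signal, such as the login-form content or path of the landing page.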

Based on the URLs shared by Proofpoint, some of the universities targeted in these phishing attacks are: University of Central Missouri, Vanderbilt, Arkansas State University, Purdue, Auburn, West Virginia University and the University of Wisconsin-Oshkosh.

Phishing credentials

To bypass MFA protection on the targeted universities' login pages, attackers have created pages that mimic a Duo MFA page, which are used to steal the one-time passwords sent to students and teachers.

After entering credentials on the fake login page, the victim is asked to enter the one-time password they received via SMS on their phone, so that attackers can use it to take control of the account.

This step requires immediate action from the attackers, as OTPs (one-time codes) have short expiration times.


The credentials can be used by cyber criminals to gain access to the respective email account, but also for other malicious activities such as sending malicious messages to other users and further phishing to steal more valuable information and accounts.


Additionally, attackers can access sensitive information stored in the account's OneDrive and SharePoint folders.

These phishing attacks could potentially lead to ransomware attacks, causing major problems for US universities.

HTM files open in a browser, so technically you can never be 100% secure. If you see something like this, you had better delete the email.

Source: Bleeping Computer

Digital fortress