Omicron Phishing Campaigns

Overview

Various threat groups are using anxiety around new COVID-19 strains to lure victims into clicking on malicious links.

University students have received phishing emails in their institutional inboxes themed around the new Omicron variant. Using subject lines such as “Covid Test”, they lead victims to a spoofed university login page. In some instances the sender’s address is faked, while other emails come from legitimate contacts whose accounts have been compromised.

Other Omicron-themed emails seen targeting the public use NHS branding to trick the victim into ordering a Covid test from a fraudulent website that collects personal information which could be used for identity fraud. The NHS will never ask for your bank details.

This type of activity is expected to increase in the months ahead.

Impact

The phishing emails contain links to credential-harvesting websites whose landing pages mirror legitimate university login screens or carry NHS branding.

Indicators of Compromise

Sender domain
nhscontact.com

Credential theft URLs

  • hfbcbiblestudy[.]org/demo1/includes/jah/[university]/auth[.]php
  • afr-tours[.]co[.]za/includes/css/js/edu/web/etc/login[.]php
  • traveloaid[.]com/css/js/[university]/auth[.]php
  • offthewallgraffiti[.]org/[university]/auth[.]php
  • sso[.]ucmo[.]edu[.]boring[.]cf/Covid19/authenticationedpoint.html
  • sso2[.]astate[.]edu[.]boring[.]cf/login/authenticationedpoint.html
  • 242smarthome[.]com/[university]/auth.php
  • jass-butz[.]at/xx/main/main.php
  • Bluecollarsubs[.]com/main/main.php
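The indicators above are defanged and use “[university]” as a placeholder for the targeted institution, so they cannot be pasted straight into a blocklist or log search. The following script is an added example (not part of the bulletin or its publisher’s tooling) showing one way to operationalise them: it refangs each indicator, turns the “[university]” placeholder into a single path-segment wildcard, and scans constructed proxy and mail log lines for the credential-theft URLs and the sender domain. The log formats, the sample lines and the host names inside them are assumptions made up for the demonstration; the final indicator is written without the stray space that appears in the list.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the bulletin (still defanged). "[university]" is the
# bulletin's placeholder for the targeted institution's name.
SENDER_DOMAINS = ["nhscontact.com"]

CREDENTIAL_THEFT_URLS = [
    "hfbcbiblestudy[.]org/demo1/includes/jah/[university]/auth[.]php",
    "afr-tours[.]co[.]za/includes/css/js/edu/web/etc/login[.]php",
    "traveloaid[.]com/css/js/[university]/auth[.]php",
    "offthewallgraffiti[.]org/[university]/auth[.]php",
    "sso[.]ucmo[.]edu[.]boring[.]cf/Covid19/authenticationedpoint.html",
    "sso2[.]astate[.]edu[.]boring[.]cf/login/authenticationedpoint.html",
    "242smarthome[.]com/[university]/auth.php",
    "jass-butz[.]at/xx/main/main.php",
    "Bluecollarsubs[.]com/main/main.php",   # stray space from the list removed
]


def refang(ioc):
    """Turn a defanged indicator ('example[.]com', 'hxxp://') back into a real one."""
    return ioc.strip().replace("[.]", ".").replace("hxxp", "http")


def ioc_to_regex(ioc):
    """Compile one URL indicator; '[university]' becomes a one-path-segment wildcard."""
    pieces = [re.escape(p) for p in refang(ioc).split("[university]")]
    return re.compile("^" + "[^/]+".join(pieces) + "$", re.IGNORECASE)


URL_PATTERNS = [(ioc, ioc_to_regex(ioc)) for ioc in CREDENTIAL_THEFT_URLS]


def normalize_url(url):
    """Reduce an observed URL to host + path, dropping scheme, port and query string."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower() + parts.path


def match_url(url):
    """Return the bulletin indicator an observed URL matches, or None."""
    target = normalize_url(url)
    for ioc, pattern in URL_PATTERNS:
        if pattern.match(target):
            return ioc
    return None


def match_sender(address):
    """True if the address's domain is a listed sender domain or a subdomain of one."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return any(domain == d or domain.endswith("." + d) for d in SENDER_DOMAINS)


# Constructed sample logs (not from the bulletin): "<ts> <client> <method> <url> <status>"
# for the proxy, and "<ts> from=<...> to=<...> subject=..." for the mail gateway.
SAMPLE_PROXY_LOG = """\
2021-12-06T09:12:01Z 10.1.2.3 GET https://traveloaid.com/css/js/exampleuni/auth.php 200
2021-12-06T09:13:44Z 10.1.2.9 GET https://www.example.ac.uk/login 200
2021-12-06T09:15:10Z 10.1.2.3 GET http://sso.ucmo.edu.boring.cf/Covid19/authenticationedpoint.html 200
"""

SAMPLE_MAIL_LOG = """\
2021-12-06T08:55:02Z from=<covidtest@nhscontact.com> to=<student@example.ac.uk> subject="Covid Test"
2021-12-06T08:57:30Z from=<tutor@example.ac.uk> to=<student@example.ac.uk> subject="Seminar"
"""


def scan_proxy_log(text):
    """Return (line_no, url, indicator) for every proxy line hitting a credential-theft URL."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        ioc = match_url(fields[3])
        if ioc:
            hits.append((line_no, fields[3], ioc))
    return hits


def scan_mail_log(text):
    """Return (line_no, sender) for every mail line whose sender domain is listed."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = re.search(r"from=<([^>]+)>", line)
        if m and match_sender(m.group(1)):
            hits.append((line_no, m.group(1)))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy hit:", hit)
    for hit in scan_mail_log(SAMPLE_MAIL_LOG):
        print("mail hit:", hit)
```

Matching is anchored to the full host and path so a legitimate site that merely shares a path fragment such as `/auth.php` is not flagged, and the query string is discarded because these kits commonly append tracking parameters; if a real deployment needs subdomain matching for the URL hosts as well, the regex prefix can be loosened in `ioc_to_regex`.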

Mitre Methodologies

T1566 – Phishing

Further Information

Scam alert: Omicron variant PCR test phishing emails

University Targeted Credential Phishing Campaigns Use COVID-19, Omicron Themes