What do you, as a user, need to know?
We detected a phishing campaign sent from a compromised account at the University of Potsdam that also abuses the name of Masaryk University. Under the pretext of a required webmail account update, the attacker attempts to lure recipients into clicking the attached link.
The link then redirects users to a fraudulent page impersonating the login page of the Roundcube webmail client. The attacker’s goal is to obtain users’ login credentials.
Update as of 12 May 2026
The phishing campaign is ongoing, and we are seeing additional variants distributed from compromised accounts of foreign universities, for example from Potsdam, Toruń, and Tocantins, as well as from Czech educational institutions, including UPOL, MU, and Gymnázium Třeboň. The attackers are abusing the legitimate infrastructure of these institutions and real academic or school e-mail addresses. As a result, the messages may have appeared in your mailbox and may look more credible at first glance than typical phishing.
In addition to the previously mentioned Muni Webmail account verification request, we are currently also seeing the following variants of the campaign:
- Alleged tuition fee arrears: the message asks the recipient to pay 2,200 PLN to the specified bank account under the threat of legal action.
- Payment document for review: the message pretends to be a payment notification and attempts to lure the user into opening an alleged PDF file.
More information
This section is for readers who are interested in the context or the terminology, or who would like to better understand the reasons behind this warning.
We immediately blocked the phishing sender and the related fraudulent domain. However, the attackers used compromised accounts of foreign universities and their legitimate e-mail infrastructure to distribute the messages. This likely contributed to the fact that the messages were not automatically classified as spam or phishing in all cases and were delivered to a larger number of user mailboxes.
Automatic detection may also have been made more difficult by the fact that some links in the messages did not lead directly to a phishing page, but first to a redirect service, which may not be immediately classified as malicious on its own.
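Because the sending accounts and the first-hop links look legitimate on their own, a filter has to rely on mismatches inside the message instead. The following is an added example, not tooling described on this page: a Python triage heuristic that flags mail from an outside domain that uses the university's name and links off the university's domain. The local domain `muni.cz`, the term lists, the function names and the three sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "muni.cz"                            # assumed local domain
BRAND = re.compile(r"\b(muni|masaryk)\b", re.I)   # assumed brand terms
LURE = re.compile(r"\b(verify|update|password|arrears|payment)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+")

def in_org(host):
    """True if host is the organisation's domain or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)

def triage(raw):
    """Return the content signals found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    part = msg.get_body(preferencelist=("plain", "html"))
    text = part.get_content() if part is not None else ""
    visible = " ".join([display, str(msg.get("Subject", "")), text])
    signals = []
    # Sender reputation is no help here, so compare the claimed identity
    # with the real sender domain instead.
    if not in_org(addr.rpartition("@")[2]) and BRAND.search(visible):
        signals.append("external_sender_uses_org_name")
    # A redirect service is still a host outside the organisation.
    if any(not in_org(urlparse(u).hostname) for u in URL.findall(text)):
        signals.append("link_leaves_org_domain")
    if LURE.search(visible):
        signals.append("credential_or_payment_lure")
    return signals

def is_suspicious(raw):
    found = triage(raw)
    return ("external_sender_uses_org_name" in found
            and "link_leaves_org_domain" in found)

# Constructed sample messages (not real campaign data).
PHISH = ('From: "Muni Webmail" <j.doe@uni.example>\n'
         'Subject: Webmail account update required\n\n'
         'Update your account here: https://redirect.example/r?id=1\n')
INTERNAL = ('From: "Security Team" <sender@muni.cz>\n'
            'Subject: Security information\n\n'
            'Security information: https://security.muni.cz/en\n')
EXTERNAL = ('From: "Conference Office" <info@conf.example>\n'
            'Subject: Call for papers\n\n'
            'Details: https://conf.example/cfp\n')
```

A single signal, such as an external link in ordinary external mail, is not enough to flag a message; the heuristic only fires when the claimed identity and the link target both disagree with the sender's domain.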
Conclusion
Fraudulent requests to verify or update an account are among the most common techniques used to steal users’ login credentials. Please remain cautious of any email that pressures you to act quickly, threatens account restrictions, or prompts you to enter your password via a link in the message. It is always better to report suspicious messages — early reporting can help protect other university users as well.
You can always find everything important about cybersecurity at Masaryk University on https://security.muni.cz/en.