Sex sells, as the saying goes, which is why it’s always a popular area for cybercriminals to exploit. In a new campaign discovered by Proofpoint, scammers used adult dating photos as a way to infect people at colleges with malware. In a blog post published Thursday, the security provider describes how this attack worked.

SEE: Special report: A winning strategy for cybersecurity (free PDF) (TechRepublic)

Sent to faculty and students at colleges and universities in the US, the initial email asked the user to choose between two photos of profiles ostensibly from an adult dating site (Figure A). Clicking on the button for either photo downloaded an executable file. If the recipient took the bait and tried to install the file, the Hupigon remote access trojan (RAT) was installed on the computer.

Figure A

Image: Proofpoint

Once installed, Hupigon opens a backdoor to a command and control server that can access the machine, allowing the attacker to control the webcam, audio, and other hardware, and steal login credentials and other sensitive data. Around since 2006 or possibly earlier, the Hupigon RAT has been associated with state-sponsored Advanced Persistent Threats (APTs) in various campaigns around the world. In 2010, Chinese APT groups such as APT3 used this RAT to carry out attacks.

Proofpoint found that more than 150,000 of the adult dating site emails were sent to over 60 different industries with 45% aimed at colleges and universities; other sectors targeted included manufacturing, healthcare, technology, and entertainment/media (Figure B). Begun on April 13, 2020, the campaign hit a peak of 80,000 messages between April 14 and April 15 before trailing off and eventually becoming inactive.

Figure B

Image: Proofpoint

How to protect students and faculty from cyberthreats

Compared with traditional businesses, colleges and universities can be more challenging environments for IT and security personnel to manage, according to Sherrod DeGrippo, Senior Director of Threat Research and Detection for Proofpoint. The ever-changing student population and the culture of openness and information sharing can conflict with the controls required to protect users from cyberattacks.

“It is critical that colleges and universities prioritize a people-centric approach to security that protects all parties (their employees, students, and partners) against phishing, email fraud, credential theft, and brute force attacks,” DeGrippo said. “We recommend layered defenses at the network edge, email gateway, in the cloud, and endpoint, along with strong user education to provide the best defense against these social engineering schemes.”

Students and faculty should also keep in mind certain security measures to protect themselves from cyberthreats.

“It is important that students and faculty are extremely vigilant when confirming the source of all emails that are sent to their personal and school email inboxes, especially ones that urgently request a link be clicked, a password change, or transfer of money,” DeGrippo said. “For online dating, we recommend that individuals directly visit an organization’s verified website or app, rather than clicking links included in an email. We also recommend that users monitor their credit reports to catch any threat actor attempting to use stolen personal information to commit identity fraud should they fall victim to this type of threat.”