Report: “Library-Themed University Phishing Attack Expands to Massive Scale”

From ThreatPost:

Indicating a campaign of massive scale, at least 20 new phishing domains targeting more than 60 universities in Australia, Canada, Hong Kong, Switzerland, the United Kingdom and the United States have cropped up, bent on lifting credentials from students heading back to school.

The domains are associated with a group of Iranian cyberattackers collectively known as Cobalt Dickens or Silent Librarian. As Threatpost recently reported in a post on the group’s attack tactics, the attackers are looking to use fake, library-themed landing pages to steal students’ credentials, then use those to steal and resell intellectual property, move laterally within organizations, conduct internal phishing and more.

[Clip]

“Metadata in a spoofed login page created on August 1 suggests that Cobalt Dickens sometimes uses older copied versions of target websites,” said CTU researchers, in a posting on Wednesday. “A comment left in the source code indicates it was originally copied on May 1, 2017. However, the university was targeted by numerous Cobalt Dickens operations, including the August 2018 and August 2019 campaigns.”

Read the Complete Article

More From SecureWorks/CTU Posted Cited Above:

For this campaign, the threat actors registered at least 20 new domains targeting over 60 universities in Australia, the United States, the United Kingdom, Canada, Hong Kong, and Switzerland. These domains were registered using the Freenom domain provider, which administers the following free top-level domains (TLDs) unless the domain is considered “special“:

• .ml
• .ga
• .cf
• .gq
• .tk

Many of these domains use valid SSL certificates, likely to make the spoofed pages appear authentic. The overwhelming majority of the certificates observed in 2019 were issued by Let’s Encrypt, a nonprofit organization that programmatically issues free certificates. However, past campaigns used certificates issued by the Comodo certificate authority.

Read the Complete Article

More From Dark Reading: “Indictments Do Little to Stop Iranian Group from New Attacks on Universities”

Filed under: Associations and Organizations, Libraries, News