Iran-linked threat actor COBALT DICKENS has launched a new phishing campaign targeting universities around the world, similar to an operation launched in August 2018, Secureworks reveals.
Believed to be associated with the Iranian government, the group targeted websites and login pages for 76 universities in 14 countries last year, and the newly discovered campaign was similarly large.
In July and August 2019, the phishing operation launched by COBALT DICKENS targeted over 60 universities in Australia, the United States, the United Kingdom, Canada, Hong Kong, and Switzerland.
As part of the attack, the actor sent library-themed phishing emails containing links to spoofed login pages for resources associated with the targeted universities. Unlike previous campaigns, the messages in the new attacks used a spoofed URL instead of shortened links.
As soon as a recipient clicked on the link, they were taken to a web page similar to the spoofed library resource. After the victims enter their credentials, they are redirected to the next.php file and then to the legitimate website being spoofed, while the credentials are stored locally in the pass.txt file.
The hackers registered at least 20 new domains for the campaign, and used the Freenom domain provider for that.
The domains use valid SSL certificates, likely to make the spoofed pages appear authentic. Most certificates were issued by Let’s Encrypt, but previous campaigns leveraged certificates issued by Comodo.
To spoof login pages, COBALT DICKENS uses publicly available tools that allow them to copy entire pages of targeted university resources. The attackers sometimes would use older copied versions of target websites, Secureworks’ security researchers have discovered.