SecureWorks has discovered that Cobalt Dickens, an Iranian threat group, has launched a URL spoofing campaign targeting universities in more than a dozen countries.
On their website, SecureWorks stated that security researchers working in their Counter Threat Unit discovered the phishing campaign. Threat actors spoofed a university login page to steal the login credentials of university staff. Further research revealed that sixteen associated domains contained over 300 spoofed websites and fake login pages for 76 universities. The universities targeted by the campaign are based mainly in the United States, but universities in Canada, Australia, China, Israel, Japan, Switzerland, Turkey, South Africa, Italy, Germany, the Netherlands, Malaysia, and the UK were also affected.
SecureWorks stated that once individuals enter their credentials into the fake website, they are redirected to the legitimate website and a valid session starts automatically. The hackers use the credentials harvested through fake websites to gain access to online library systems. Cobalt Dickens’ aim appears to be to steal intellectual property from these libraries.
Financial institutions and healthcare organisations often hit the headlines for falling victim to cyber attacks. Hackers can steal credit card information from financial institutions to turn a profit, or steal healthcare data to sell on the black market or use for identity fraud. However, as these organisations increase their defences, successful attacks on them become more challenging to achieve.
Universities are an interesting alternative for hackers. University networks are much harder to secure, so hackers can more easily exploit any vulnerabilities. University databases often contain intellectual property that has significant commercial value. Hackers could steal this information and sell it to a firm that wishes to gain an advantage over its competitors. Hacking universities can be just as profitable as hacking other organisations if the hacker has the right customers for the information.
SecureWorks has released indicators for the threat and a list of domains known to be used by the attackers. It recommends blocking these domains and IP addresses at the firewall, router, or web filter to prevent users from reaching the fake login pages.
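Blocking the published domains at the perimeter stops new visits, but a defender also wants to know who already reached a spoofed login page. The following script is an added illustration, not SecureWorks' tooling or a list of the real indicators: it walks web-proxy log lines and flags requests whose destination host matches a blocklist, including subdomains of a listed domain. The blocklist entries, the log format and the log lines are constructed placeholders; in practice the set would be loaded from the indicators SecureWorks published.

```python
"""
Added example (not from the article or from SecureWorks): flag web-proxy
requests whose destination host is on a blocklist of known phishing domains.
All domains, the log format and the log lines are constructed placeholders.
"""
import re
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit

# Constructed placeholder blocklist; replace with the published indicators.
BLOCKED_DOMAINS = {
    "example-phish.test",
    "library-login.example",
}

# Assumed proxy log layout: "<timestamp> <client_ip> <method> <url> <status>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def normalise_host(url: str) -> str:
    """Extract the hostname from a URL, lower-cased, without a trailing dot."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def host_is_blocked(host: str, blocklist=BLOCKED_DOMAINS) -> bool:
    """True if the host or any of its parent domains is on the blocklist.

    Matching on label boundaries means sso.example-phish.test is caught by
    an entry for example-phish.test, while notexample-phish.test is not.
    """
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def flag_blocked_requests(
    lines: Iterable[str], blocklist=BLOCKED_DOMAINS
) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client_ip, url) for each request to a blocked host."""
    hits = []
    for line in lines:
        match = LOG_LINE.match(line.strip())
        if not match:
            continue  # malformed line: skip rather than abort the sweep
        ts, client, _method, url, _status = match.groups()
        if host_is_blocked(normalise_host(url), blocklist):
            hits.append((ts, client, url))
    return hits


# Constructed sample log: two hits, one benign request, one malformed line,
# and one look-alike host that must NOT match because the label boundary differs.
SAMPLE_LOG = [
    "2018-08-24T10:01:02Z 10.0.0.5 GET https://sso.example-phish.test/login 200",
    "2018-08-24T10:01:09Z 10.0.0.5 POST https://library-login.example/auth 302",
    "2018-08-24T10:02:00Z 10.0.0.7 GET https://www.university.example/ 200",
    "this line is not in the expected format",
    "2018-08-24T10:03:00Z 10.0.0.8 GET https://notexample-phish.test/ 200",
]

if __name__ == "__main__":
    for ts, client, url in flag_blocked_requests(SAMPLE_LOG):
        print(f"{ts} {client} visited blocked host: {url}")
```

Each flagged client is a candidate for a forced password reset, since the article notes that credentials entered on the spoofed page are relayed to the legitimate site and a valid session starts, so the user will not have noticed anything wrong.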
Many cybersecurity experts recommend two-factor authentication to prevent credentials from being stolen in login spoofing campaigns. The authentication code is sent only when a login attempt is made on the legitimate website. If no code arrives and the login attempt fails, the employee knows that the website is fake and can alert the relevant IT security team to the phishing campaign.