Iranian hackers conducted a phishing campaign in which they spoofed the identities of real academics from a UK university with the goal of stealing the passwords of experts in Middle Eastern affairs at universities, think tanks, and media outlets.
Security researchers at Proofpoint have uncovered a campaign that targeted individuals who were invited to speak in a webinar on Middle Eastern issues. The attackers compromised a university-affiliated website so that they could deliver personalized credential-harvesting pages to their targets.
Proofpoint researchers say the phishing campaign they dubbed Operation SpoofedScholars was developed by an Iranian-affiliated APT group known as TA453 (Charming Kitten or Phosphorus) that focuses on gathering intelligence for the Islamic Revolutionary Guard Corps (IRGC).
The attackers used spoofed email addresses and emails designed to look like those of real academics from the University of London’s School of Oriental and African Studies (SOAS).
The attackers invited targets to participate in an online conference on “The US Security Challenges in the Middle East.” Their emails contained a fake registration link that, once clicked, opened a page that looked like a real SOAS registration page for a conference.
The phishing page was hosted on the legitimate but compromised website of SOAS Radio. It asked the victim to log in with their email provider. If the user clicked on the provider’s link, they were taken to a fake version of the email provider’s site, which stole the victim’s username and password.
Based on similarities to previous TA453 campaigns, the researchers believe that the campaign is operated by Iranian hackers.
“Attribution specifically for Operation SpoofedScholars is based on similarities to previous TA453 campaigns and consistency with TA453’s historical targeting. TA453 often uses free email providers to spoof individuals familiar to their targets to increase the likelihood of successful compromise,” Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, said.
“Additionally, TA453 concentrates their credential phishing to specific individuals of interest to collect intelligence through exfiltration of sensitive email and contacts or initial access for future phishing campaigns.”
It’s not known if the attackers have been successful in their attempts to steal information, but after being informed that the website was compromised, SOAS took action to remove it.
“To be clear, academic staff at SOAS of course have no involvement in this process, nor has any action or statement by SOAS staff led to them being spoofed in this way. There was no suggestion of breach of cybersecurity by any SOAS staff,” they said.
DeGrippo advised that “It is vital that educational institutions make security awareness training and people-centric cybersecurity solutions a priority to aid staff with the ability to identify phishing pages.”