The Cobalt Dickens hacking group, operating out of Iran and linked to the Iranian government, is targeting universities in a global phishing campaign. The group has hit over 60 universities in the U.S., the U.K., Canada, Hong Kong, and elsewhere.
The goal of these attacks is to steal usernames, passwords, and intellectual property, which are then sold for profit. The technique used avoids installing malware on the victims' machines. Instead, according to a blog post by Secureworks, the attackers send phishing emails to students, faculty, and staff. The emails claim to come from library services and use a sense of urgency to prompt recipients to reactivate their accounts. The body of each email contains a link to a spoofed login page, which prompts the user to enter credentials. Once submitted, the credentials are posted to a next.php file, which stores them in a pass.txt file. Finally, the user is redirected to the legitimate site.
The group builds the spoofed pages and runs the campaign with publicly available tools, such as the HTTrack Website Copier and code hosted on GitHub, rather than custom tooling.
Cobalt Dickens has 20 domains registered for the campaign. These domains carry valid TLS certificates, many of them issued by Let's Encrypt, an organization that issues certificates free of charge. In past campaigns, certificates issued by the Comodo certificate authority were also seen. A valid certificate and a browser padlock therefore say nothing about whether a login page is genuine; only the domain name does.
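The harvesting sequence described above (spoofed library login on a lookalike host, POST to next.php, then a redirect to the real site) is specific enough to hunt for in web proxy logs, and because the lookalike domains carry valid certificates the hostname itself is the only signal worth keying on. The following is an added example, not code from the page or from Secureworks: it parses an assumed "timestamp client method url status" log layout (not any particular product's format), over constructed log lines with constructed hostnames, and flags POSTs to next.php on non-institution hosts, raising confidence when the same client's next request goes to the legitimate domain.

```python
"""Flag Cobalt Dickens-style credential harvesting in proxy logs.

Added example. The log layout ("timestamp client method url status") and all
hostnames and lines below are constructed for illustration; only the
next.php harvester name comes from the campaign description.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample log; not taken from the page or the Secureworks report.
SAMPLE_LOG = """\
2019-09-11T10:02:13Z 10.1.4.22 GET  https://library-example-university.com/login 200
2019-09-11T10:02:41Z 10.1.4.22 POST https://library-example-university.com/next.php 302
2019-09-11T10:02:42Z 10.1.4.22 GET  https://library.example-university.edu/ 200
2019-09-11T10:05:00Z 10.1.4.30 GET  https://library.example-university.edu/catalog 200
2019-09-11T10:06:10Z 10.1.4.30 POST https://library.example-university.edu/login 302
malformed line that should be skipped
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s+(\d{3})$")


@dataclass
class Event:
    ts: str
    client: str
    method: str
    host: str
    path: str
    status: int


def parse_log(text: str) -> list[Event]:
    """Parse the assumed log format, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, status = m.groups()
        u = urlsplit(url)
        events.append(Event(ts, client, method, (u.hostname or "").lower(),
                            u.path or "/", int(status)))
    return events


def is_institution_host(host: str, legit_domains: set[str]) -> bool:
    """True for the institution's own domains and any of their subdomains."""
    return any(host == d or host.endswith("." + d) for d in legit_domains)


def is_lookalike(host: str, legit_domains: set[str]) -> bool:
    """A host the institution does not own that reuses its name, e.g.
    library-example-university.com mimicking library.example-university.edu."""
    if is_institution_host(host, legit_domains):
        return False
    names = {d.split(".")[0] for d in legit_domains}  # e.g. "example-university"
    return any(name in host for name in names)


def find_harvest_sequences(log_text: str, legit_domains: set[str],
                           harvester_names=("next.php",)) -> list[dict]:
    """Return one hit per POST to a harvester script on a non-institution host.

    Confidence is "high" when the same client's very next request is to the
    legitimate site, which is the redirect the kit performs after saving the
    credentials; otherwise "medium".
    """
    by_client: dict[str, list[Event]] = defaultdict(list)
    for e in parse_log(log_text):
        by_client[e.client].append(e)

    hits = []
    for client, events in by_client.items():
        for i, e in enumerate(events):
            if e.method != "POST" or is_institution_host(e.host, legit_domains):
                continue
            if e.path.rsplit("/", 1)[-1] not in harvester_names:
                continue
            nxt = events[i + 1] if i + 1 < len(events) else None
            redirected = (nxt is not None and nxt.method == "GET"
                          and is_institution_host(nxt.host, legit_domains))
            hits.append({
                "client": client,
                "ts": e.ts,
                "host": e.host,
                "path": e.path,
                "lookalike": is_lookalike(e.host, legit_domains),
                "redirected_to_legit": redirected,
                "confidence": "high" if redirected else "medium",
            })
    return hits


if __name__ == "__main__":
    for hit in find_harvest_sequences(SAMPLE_LOG, {"example-university.edu"}):
        print(hit)
```

Run against the sample, the first client produces one high-confidence hit (POST to next.php on the lookalike host, immediately followed by a GET to the real library domain) while the second client's legitimate login POST is ignored. The harvester name is a parameter because kits are trivially renamed; the lookalike test is the more durable part of the rule.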
Last year, nine members of the group were indicted for cyber-theft carried out on behalf of the Iranian military. Since the indictment, the group has continued to wreak havoc; as Secureworks notes, "the threat actors have not changed their operations despite law enforcement activity, multiple public disclosures, and takedown activity."
To ward off these attacks, universities should implement two-factor authentication, so that a harvested password alone is not enough to log in. Further, educating faculty and students about these lures can reduce the remaining risk.
Contact LIFARS today for security advisory solutions