Library-Themed University Phishing Attack Expands to Massive Scale

Cobalt Dickens (a.k.a. Silent Librarian) is now actively targeting 380 universities, bent on stealing credentials and moving deeper into school networks.

Indicating a campaign of massive scale, at least 20 new phishing domains targeting more than 60 universities in Australia, Canada, Hong Kong, Switzerland, the United Kingdom and the United States have cropped up, bent on lifting credentials from students heading back to school.

The domains are associated with a group of Iranian cyberattackers collectively known as Cobalt Dickens or Silent Librarian. As Threatpost recently reported in a post on the group’s attack tactics, the attackers are looking to use fake, library-themed landing pages to steal students’ credentials, then use those to steal and resell intellectual property, move laterally within organizations, conduct internal phishing and more.

New details from Secureworks Counter Threat Unit (CTU) researchers this week show that in total, Cobalt Dickens is actively targeting at least 380 universities in more than 30 countries. Many universities have been targeted multiple times, the firm said.

As Proofpoint previously pointed out, the attacks start with messages that contain links (with legitimate-looking URLs) to spoofed login pages for resources associated with the targeted universities. Recipients who click the links are directed to a web page that looks identical or similar to the spoofed library resource. After the victims enter their credentials, their web browsers are redirected to the next.php file, where the credentials are stored locally in the pass.txt file. The victim’s browser is then sent to the legitimate site being spoofed.

CTU’s analysis shows that Cobalt Dickens is not reinventing the wheel nor investing much when it comes to the tools it uses to carry this out: The new phishing domains were registered using the Freenom domain provider, which administers free top-level domains (TLDs); and the attackers are also using other free online services, including free certificates and publicly available code.

For instance, many of the domains use valid SSL certificates issued by Let’s Encrypt; and the public tools include the SingleFile plugin available on GitHub and the free HTTrack Website Copier standalone application, to copy the login pages of targeted university resources.

[Learn more about trending phishing lures on Threatpost’s recent podcast, available for download here.] 

“Metadata in a spoofed login page created on August 1 suggests that Cobalt Dickens sometimes uses older copied versions of target websites,” said CTU researchers, in a posting on Wednesday. “A comment left in the source code indicates it was originally copied on May 1, 2017. However, the university was targeted by numerous Cobalt Dickens operations, including the August 2018 and August 2019 campaigns.”

It’s worth noting that Cobalt Dickens has come under scrutiny by federal law enforcement before: In March 2018, the U.S. Department of Justice indicted the Mabna Institute and nine Iranian associates for compromising hundreds of universities to steal intellectual property and benefit financially.

“The threat actors have not changed their operations despite law enforcement activity, multiple public disclosures and takedown activity,” said CTU researchers.

CTU added that to protect students, universities can implement multi-factor authentication (MFA).

“Implementing additional security controls like MFA could seem burdensome in environments that value user flexibility and innovation, single-password accounts are insecure,” the researchers noted.

Interested in the role of artificial intelligence in cybersecurity, for both offense and defense? Don’t miss our free Threatpost webinar, AI and Cybersecurity: Tools, Strategy and Advice, with senior editor Tara Seals and a panel of experts. Click here to register.

Suggested articles

plugX malware loader TA416

TA416 APT Rebounds With New PlugX Malware Variant

The TA416 APT has returned in spear phishing attacks against a range of victims – from the Vatican to diplomats in Africa – with a new Golang version of its PlugX malware loader.