Security researchers at SecureWorks have detected a large credential phishing campaign that uses spoofed login pages to target 76 universities in 14 countries.
The threat group known as Cobalt Dickens, which is believed to operate out of Iran and is well known for conducting this type of attack, is thought to be behind the campaign.
In the latest campaign the group has created more than 300 spoofed websites across sixteen domains. Those websites host fake login pages for 76 universities, primarily in the United States, but also in Canada, Australia, China, Israel, Japan, Switzerland, Turkey, South Africa, Italy, Germany, the Netherlands, Malaysia, and the UK.
Victims who are lured to a fake login page and enter their credentials are then redirected to the legitimate university website, where they are automatically logged in to a valid session, so they have no indication that their credentials have just been stolen. The attackers then use the stolen credentials to access the universities' online library systems and steal intellectual property.
Universities are attractive targets for cybercriminals. Attacks on financial institutions offer more immediate profit, and healthcare organizations hold large quantities of valuable data that can easily be sold to identity thieves, but those organizations usually have more advanced cybersecurity defenses, which makes attacks on them more complicated and time-consuming.
University networks are much harder to secure, and easily exploitable vulnerabilities are common, so universities are seen as soft targets. Attacks on them can also be extremely profitable: universities often hold valuable intellectual property that has not yet been commercialized, and that information can give a firm a significant competitive advantage.
SecureWorks has released indicators of compromise for the campaign, including a list of domains and IP addresses known to be used by the attackers. Those domains and IP addresses should be blocked at the firewall, router, or web filter to prevent users from reaching the fake login pages. A static blocklist only covers infrastructure that has already been identified, so it should be paired with monitoring for lookalike domains and for the redirect pattern described above.
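As an added example (not code from the SecureWorks report or from this article), the following Python script shows how published indicators could be applied to web proxy logs, together with two checks suggested by the mechanism described above: hosts that embed or closely resemble the university's real domain, and requests to the legitimate site that arrive with a Referer from an untrusted host, which is what the post-phish redirect looks like from the network. The domain names, the log format and the log lines are constructed placeholders for illustration, not real indicators.

```python
"""Flag Cobalt Dickens-style spoofed login pages in web proxy logs.

Added example; the blocklist, legitimate domains and log lines below are
constructed placeholders. Real blocklists come from the published IoCs.
"""
import re
from urllib.parse import urlsplit

# Constructed stand-ins for the published indicator list.
BLOCKED_DOMAINS = {"login-university-library.example", "ezproxy-portal.example"}

# Constructed: the institution's own domain (all subdomains are trusted).
LEGIT_DOMAINS = {"univ.example.edu"}

# Constructed proxy log format: client [timestamp] "METHOD url" status "referer"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)" '
    r'(?P<status>\d{3}) "(?P<referer>[^"]*)"$'
)

SAMPLE_LOG = """\
10.0.0.5 [2018-08-24:10:15:01] "GET https://univ.example.edu/news" 200 "-"
10.0.0.7 [2018-08-24:10:16:30] "GET https://univ.example.edu.login-university-library.example/login" 200 "-"
10.0.0.7 [2018-08-24:10:16:44] "POST https://univ.example.edu.login-university-library.example/login" 302 "-"
10.0.0.7 [2018-08-24:10:16:45] "GET https://univ.example.edu/library/sso" 200 "https://univ.example.edu.login-university-library.example/login"
10.0.0.9 [2018-08-24:10:20:02] "GET https://univ-example.edu/login" 200 "-"
"""


def _under(host, domains):
    """True if host equals one of the domains or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def is_blocked(host):
    return _under(host, BLOCKED_DOMAINS)


def is_legit(host):
    return _under(host, LEGIT_DOMAINS)


def embeds_legit_name(host):
    """Legit domain appears inside a host that is not actually under it,
    e.g. univ.example.edu.attacker.example."""
    host = host.lower()
    return not is_legit(host) and any(d in host for d in LEGIT_DOMAINS)


def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host, max_distance=2):
    host = host.lower()
    if is_legit(host):
        return False
    return any(0 < edit_distance(host, d) <= max_distance for d in LEGIT_DOMAINS)


def classify(entry):
    """Return the list of reasons a parsed log entry is suspicious (empty if clean)."""
    host = urlsplit(entry["url"]).hostname or ""
    reasons = []
    if is_blocked(host):
        reasons.append("blocked-ioc")
    if embeds_legit_name(host):
        reasons.append("embeds-legit-name")
    if is_lookalike(host):
        reasons.append("lookalike-domain")
    # The post-phish redirect: the real site is reached straight from an untrusted host.
    referer = entry["referer"]
    ref_host = urlsplit(referer).hostname if referer not in ("-", "") else None
    if is_legit(host) and ref_host and not is_legit(ref_host):
        reasons.append("redirect-from-untrusted-referer")
    return reasons


def scan(log_text):
    """Parse each line and return (client, host, reasons) for suspicious requests."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        reasons = classify(entry)
        if reasons:
            findings.append((entry["client"], urlsplit(entry["url"]).hostname, reasons))
    return findings


if __name__ == "__main__":
    for client, host, reasons in scan(SAMPLE_LOG):
        print(f"{client} -> {host}: {', '.join(reasons)}")
```

The `_under` check matters: a blocklist match must cover subdomains of each indicator, and a lookalike test must not fire on the university's own subdomains. The Referer check is the one signal that survives when the attackers move to domains not yet on any list, since the redirect into a valid session is part of how the lure stays convincing.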
The use of two-factor authentication is also strongly recommended. It is not infallible, since a phishing page that relays a one-time code in real time can still defeat it, but it is an important security control that prevents an attacker from using stolen credentials alone to reach online resources: without the second factor, the login is denied.