The nine US-indicted Iranians who stand accused of exfiltrating 31 terabytes of research and data from educational institutions, companies and government agencies, allegedly used phishing schemes to steal university students' and faculty members' library credentials.
In a 26 March blog post, researchers at PhishLabs claim to have identified more than 750 phishing attacks launched by the alleged hackers since September 2013. But these phishing emails are different from the ones that were described as targeting professors in the US federal indictment that was unsealed last Friday.
Instead, these phishing emails attempted to trick students with lures that claimed that their library accounts had expired, and instructed to to take immediate action by clicking a link and logging back in. Of course, the link actually led to a malicious domain that stole any entered credentials.
Fittingly, PhishLabs refers to the group of nine defendants, who all work for an Iranian company called the Mabna Institute, as Silent Librarian. "Looking at the list of university targets, it is clear that they are not randomly selected. All of the universities targeted in the Silent Librarian campaigns are generally prominent research, technical, or medical universities," states the blog post, authored by Crane Hassold, director of threat intelligence.
To feign authenticity, the emails reportedly used spoofed sender email addresses and a legitimate-looking signature containing the actual contact information for each recipient's library. According to PhishLabs, 97 percent of the lures contained the subject "Library Account," "Library Notifications," or "Library Services" -- sometimes with the name of the university appended to the subject.
The phishing sites themselves, which have been hosted by at least 127 different domains since 2013, also looked like the real deal, with URLs and content that are similar the target library's actual account login page. "The actors likely scrape the original HTML source code from the legitimate library login page, then edit the references to resources used to render the web page... to point back to the original page," the blog post explains.
The researchers also uncovered a website, "likely run by" defendant Mostafa Sadeghi, that was observed selling the stolen library credentials. The site was also found to sell individual research journal articles. This discovery ties in with the federal indictment's reference to two other websites, Megapaper and Gigapaper, that sold hacked data, as well as access to hijacked university accounts.