A group of Iranian hackers with a habit of attacking academic institutions have come back to life to launch a new round of phishing campaigns, security firm Malwarebytes said today.
The new attacks were timed to coincide with the start of the new academic years, in which students and academic staff were expected to be active on college portals.
The attacks consisted of emails sent to victims. Called “phishing emails,” they contained links to a website masquerading as the college portal or an associated app, such as the college library.
The websites were hosted on sites with similar domains, but in reality collected the victim’s login credentials.
Attacks linked to the Silent Librarian group
Malwarebytes claims the attacks were all orchestrated by the same group, known in cybersecurity circles by their code name of Silent Librarian.
Members of this group were indicted in the United States in March 2018 for a long series of attacks on universities around the world, dating back to 2013.
According to the US indictments, the hackers gained access to university portals from which they stole intellectual property or limited-circulation academic work, which they then resold on their own web portals (Megapaper.ir and Gigapaper.ir).
However, despite the US indictment, the pirates remained at large in Iran and staged subsequent attacks.
These attacks usually took place every fall, just before the new school year. Their 2018 campaign was documented in a Secureworks report, while Proofpoint spotted last year’s campaign.
The group now hosts attack servers in Iran
But compared to past attacks, the 2020 campaign is different.
Malwarebytes said that this time around, Silent Librarian hosted some of its phishing sites on Iranian servers.
“It may seem strange that an attacker is using infrastructure in his own country, perhaps pointing the finger at it. However, here it simply becomes another bulletproof accommodation option based on the lack of cooperation between US or European law enforcement and local police in Iran, “the US security company said.
Below is a list of universities targeted by the group, along with the phishing sites they have used, in case students and academic staff wish to check past emails.
| Phishing site | Legitimate site | Target |
| library.adelaide.crev.me | library.adelaide.edu.au | The University of Adelaide Library |
| signon.adelaide.edu.au.itlib.me | library.adelaide.edu.au | The University of Adelaide Library |
| tableau.gcal.crev.me | tableau.gcal.ac.uk | Glasgow Caledonian University |
| blackboard.stonybrook.ernn.me | blackboard.stonybrook.edu | Stony Brook University |
| blackboard.stonybrook.nrni.me | blackboard.stonybrook.edu | Stony Brook University |
| namidp.services.uu.nl.itlib.me | namidp.services.uu.nl | Utrecht University |
| uu.blackboard.rres.me | uu.blackboard.com | Utrecht University |
| libraryesso.vu.cvrr.me | libraryesso.vu.edu.au | Victoria University |
| ole.bris.crir.me | ole.bris.ac.uk | Bristol University |
| idpz.utorauth.utoronto.ca.itlf.cf | idpz.utorauth.utoronto.ca | University of Toronto |
| raven.cam.ac.uk.iftl.tk | raven.cam.ac.uk | Cambridge University |
| login.ki.se.iftl.tk | login.ki.se | Karolinska Medical Institute |
| shib.york.ac.uk.iftl.tk | shib.york.ac.uk | York University |
| sso.id.kent.ac.uk.iftl.tk | sso.id.kent.ac.uk | University of Kent |
| idp3.it.gu.se.itlf.cf | idp3.it.gu.se | University of Gothenburg |
| login.proxy1.lib.uwo.ca.sftt.cf | login.proxy1.lib.uwo.ca | Western Canada University |
| login.libproxy.kcl.ac.uk.itlt.tk | kcl.ac.uk | King’s College London |
| idcheck2.qmul.ac.uk.sftt.cf | qmul.ac.uk | Queen Mary University of London |
| lms.latrobe.aroe.me | lms.latrobe.edu.au | Melbourne, Victoria, Australia |
| ntulearn.ntu.ninu.me | ntulearn.ntu.edu.sg | Nanyang Technological University |
| adfs.lincoln.ac.uk.itlib.me | adfs.lincoln.ac.uk | Lincoln University |
| case.thm.de.itlib.me | case.thm.de | TH Mittelhessen University of Applied Sciences |
| libproxy.library.unt.edu.itlib.me | library.unt.edu | University of North Texas |
| shibboleth.mcgill.ca.iftl.tk | shibboleth.mcgill.ca | mcgill university |
| vle.cam.ac.uk.canm.me | vle.cam.ac.uk | Cambridge University |
