The Iranian threat actor TA453, also known as Charming Kitten or Phosphorus, has been linked to a phishing campaign that uses the spoofed identities of real academics at a UK university. The attacks target experts in Middle Eastern affairs at different universities, think tanks, and media companies. Researchers at Proofpoint have named the campaign SpoofedScholars. The goal of the attack is to steal credentials from the targeted individuals by sending them phishing emails that invite them to an online conference. The attackers use Gmail addresses that are designed to look like they belong to the University of London’s School of Oriental and African Studies (SOAS). The phishing emails trick users into clicking a registration link that takes them to a spoofed SOAS webinar platform hosted on a legitimate but compromised website belonging to SOAS Radio. During registration, the website asks the victim to select a service provider, such as Gmail, Yahoo, Microsoft, iCloud, Facebook, and others. Once a provider is selected, another email is sent to the victim with a link to a spoofed login page for that provider, which allows the attackers to steal the victim’s credentials.
Researchers at Proofpoint are confident that the attack is coming out of Iran. Their attribution to TA453 is based on previous attacks by the group and the similarities they share with the newest campaign. TA453 has historically used free email providers to spoof individuals familiar to their targets to increase the likelihood of a successful compromise. TA453 also has a track record of stealing credentials from individuals selected for their specific interests, either to collect intelligence through exfiltration of sensitive email and contacts or to sit on the credentials and use them as a primary entry point for later attacks.
Companies should ensure they are carrying out the necessary training for employees on how to spot a phishing email to prevent attacks such as these. In this case, it was difficult for even trained and wary employees to spot the difference, since the webinar registration page was hosted on a compromised SOAS Radio website. The main red flag was that the attackers sent email from a Gmail account instead of an official University of London email address. Furthermore, companies should ensure that all their employees use Multi-Factor Authentication (MFA) as an additional layer of protection. Whenever MFA is set up, it should be done through a trusted third-party app and not through SMS messaging, as attackers could use a SIM-swapping attack to intercept codes that are sent over SMS.
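The red flag described above (a sender who claims an institutional affiliation but writes from a free webmail account) can be checked automatically at the mail gateway. The following is an added example, not code from Proofpoint or the original article; the domain lists, the function names, and the sample messages are constructed assumptions to be replaced with your own verified data.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: webmail domains an institution's staff would not use for official mail.
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "icloud.com"}
# Assumption: affiliation keywords mapped to domains you have verified for them.
OFFICIAL = {"soas": {"soas.ac.uk"}, "university of london": {"london.ac.uk", "soas.ac.uk"}}


def body_text(msg):
    """Return the first text/plain part, decoded, or an empty string."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def affiliation_mismatch(raw):
    """Return (keyword, sender_domain, reason) when a message claims an
    institution but was not sent from one of its domains, else None."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().rpartition("@")
    # Places a sender can claim an affiliation: display name, mailbox, subject, body.
    claims = " ".join([display, local, msg.get("Subject", ""), body_text(msg)[:2000]]).lower()
    matched = [k for k in OFFICIAL if k in claims]
    if not matched:
        return None  # no institutional claim to verify
    allowed = set().union(*(OFFICIAL[k] for k in matched))
    if domain in allowed or any(domain.endswith("." + d) for d in allowed):
        return None  # sent from the institution itself
    reason = "free-webmail" if domain in FREE_MAIL else "unofficial-domain"
    return (matched[0], domain, reason)


# Constructed sample messages (not real campaign email).
SAMPLES = {
    "spoofed": 'From: "Dr Example Scholar (SOAS)" <example.scholar.soas@gmail.com>\n'
               "Subject: Invitation to online conference\n\nPlease register via the link.\n",
    "official": "From: Example Scholar <e.scholar@soas.ac.uk>\n"
                "Subject: SOAS webinar\n\nDetails attached.\n",
    "personal": "From: A Friend <friend@gmail.com>\nSubject: Lunch?\n\nFree on Friday?\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, affiliation_mismatch(raw))
```

A hit is a prompt for review or a warning banner rather than a block, since academics do sometimes write from personal accounts.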