Cobalt Dickens: Cobalt Dickens, a name assigned to an Iranian threat group identified in 2018, has revamped and picked up right where they had left off. Primarily known for phishing universities in the United States, Australia, and the UK, nine of their members were indicted by the United States for compromising hundreds of universities to steal intellectual property and financial gain. A new large global phishing campaign was discovered in August and has been credited to the group. The new operation mirrors the original operation in 2018 by using compromised university recourses to send phishing emails that were related to the library. The emails contained spoofed login pages that paralleled the login sites of actual resources the university library used. The emails contained the spoofed URL for targets to click on and give away their university credentials. After the user gives away their credentials, they get redirected to the next[.]php file, where credentials get stored locally in a file called pass[.]txt, the user is redirected to the legitimate resource page to log in to. The group registers top-level domains (TLDs) such as .ml, .ga, .cf, .gq and .tk to fake the library resource pages. These registered domains make it harder for the victim to recognize it is not the legitimate website since the domain name will be the same as the legitimate website with a different TLD. All of the spoofed pages contained a valid SSL certificate to add to the page’s authenticity. In the past, the group has used open-source resources to copy the source code of the target website to use in the spoofed domain, making it look legitimate.
Analyst Notes
It has been a little less than a year since the group has been seen to be active, and the break-in attacks are likely because of the indictment of their nine members. Likely, those nine members were not the only ones in the group and because of this, it took time for the remaining members to rebuild the team and start attacking again. There is always the possibility that the this is not the original group, but merely a copycat, but, based on previous attacks and the current attack that was found and its similarities with the first one, this is highly unlikely.
