Cobalt Dickens: The Iranian threat actor Cobalt Dickens, which has a track record of targeting universities around the globe, has begun focusing on American universities. According to new research from Proofpoint, the group is still using the same methods, including spoofing emails from university libraries and using fake login pages to harvest victims' credentials. Members of the group were indicted by the United States Department of Justice in March of 2018 for damages caused by their attacks between 2013 and 2017. The indictment did not noticeably affect the group or change its attacks or timeline.

What makes this group so successful is its use of stolen university branding to make emails and login pages look authentic. The group researches each university before targeting it and reuses the university's wording and logos in the attack. Typically, the emails state that the recipient has an overdue library book that needs to be returned, and they include a link to a fake login page for checking the status of the overdue book. Once a victim is redirected to the fake login page, the attacker can steal any credentials submitted there and use them to log in to students' accounts. With access to those accounts, the threat actors can reach all of the students' private information and their financial aid information.
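A mail-triage check for the overdue-library-book lure described above, as an added example that is not code from Proofpoint or Binary Defense. The domain names, keyword list and sample messages are constructed assumptions; the point is that a trusted name must be matched as a domain suffix, because a look-alike host can carry the university's real hostname as a prefix.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Assumed values for illustration: the university's real domain and the lure wording.
TRUSTED_SUFFIXES = ("university.example",)
LURE_TERMS = ("overdue", "library")
URL_RE = re.compile(r"https?://[^\s<>()]+", re.IGNORECASE)

# Constructed sample messages (not real traffic).
PHISH = (
    "From: University Library <library@university.example>\n"
    "Subject: Overdue library book notice\n"
    "\n"
    "You have an overdue book. Check its status here:\n"
    "https://library.university.example.login-portal.test/signin\n"
)
LEGIT = (
    "From: University Library <library@university.example>\n"
    "Subject: Overdue library book notice\n"
    "\n"
    "You have an overdue book. Check its status here:\n"
    "https://library.university.example/account\n"
)


def is_trusted(host, suffixes=TRUSTED_SUFFIXES):
    """True only if host equals a trusted domain or is a true subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def untrusted_login_links(raw_message):
    """Return off-domain link hosts in a message that uses the library lure."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()  # sample messages are single-part plain text
    text = (msg.get("Subject", "") + " " + body).lower()
    if not all(term in text for term in LURE_TERMS):
        return []
    hosts = []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        if host and not is_trusted(host) and host not in hosts:
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    print(untrusted_login_links(PHISH), untrusted_login_links(LEGIT))
```

The spoofed From header is identical in both samples, so the sender address alone does not separate them; the link host does.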