The Iranian threat actor TA453, also known as Charming Kitten or Phosphorus, has been linked to a phishing campaign that is using spoofed identities of real academics at a UK university. The attacks are targeting experts of Middle Eastern affairs at different universities, think tanks, and media companies. The campaign has been named SpoofedScholars by researchers at Proofpoint. The focus of the attack is stealing credentials from these targeted individuals by sending them phishing emails that invite them to an online conference. The attackers use Gmail addresses that are designed to look like they belong to the University of London’s School of Oriental and African Studies (SOAS). The phishing emails trick users into clicking a registration link that takes victims to a spoofed SOAS webinar platform that is hosted on a legitimate but compromised website belonging to SOAS Radio. When registering, the website will ask the victim to select a service provider including ones like Gmail, Yahoo, Microsoft, iCloud, Facebook, and others. Once that is selected, another email is sent to the victim with a link that would take them to a spoofed login page of their selected provider which allows the attackers to steal the victims’ credentials.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense Russia’s invasion of Ukraine increased