Huge URL Deception Campaign Discovered Targeting 76 Universities

A huge URL deceiving campaign targeting at 76 universities in 14 countries has been found by safety students at SecureWorks.

The threat group called Cobalt Dickens is supposed to be behind the attack. The group is supposed to work out of Iran and is well known for carrying out these sorts of attacks.

The latest campaign has seen the hacking group generate over 300 deceived websites on sixteen domains. Hosted on those websites are bogus login pages for 76 universities, mainly in the United States, but also in universities in Canada, Australia, China, Israel, Japan, Switzerland, Turkey, South Africa, Italy, Germany, the Netherlands, Malaysia, and the UK.

When people are deceived into visiting the bogus login pages and enter their identifications, they are redirected to the genuine university website where they are logged in to a lawful session automatically. They will be unaware that their login identifications have been stolen. The stolen identifications are then used to gain access to the online library systems of universities and intellectual property is stolen.

Universities are appealing targets for cybercriminals. Attacks on financial organizations provide more immediate profit and healthcare companies keep large quantities of valuable data that can easily be sold to identity thieves. Nevertheless, attacks on those companies are more difficult and time-consuming as they normally have more improved cybersecurity protections.

It is much harder to secure university networks and weaknesses often exist which can be easily abused. Universities are therefore seen as easy targets. Attacks can also be very lucrative. Universities often have prized intellectual property which has not yet been commercialized. The information can give companies a substantial competitive advantage.

SecureWorks has issued indicators for the threat and a list of domains that are known to be used by the attackers. Those domains and IP addresses must be obstructed through a router, firewall, or web filter to avoid users from accessing the fake login pages.

The use of 2-factor verification is also strongly suggested. While not infallible, 2-factor verification is an important safety control that can avoid illegal people from gaining access to online resources when login identifications are stolen.  Without the second verification factor, access will be disallowed.