Phishing emails typically give some obvious tells of their malicious nature. However, when a phishing email contains organization-specific email bodies and signatures, organization branding, and relevant news, it becomes much harder to distinguish legitimate from malicious. These factors are what set apart the phishing campaign of TA407, also known as the “Silent Librarian” threat actor group. This group, as described by researchers at Proofpoint and Secureworks, is a group of Iranian hackers targeting the intellectual property of universities in the United States and Europe.
This is done through a phishing campaign aimed at university students that redirects users to a malicious landing page tailored to look like each university’s login page. The hackers are then able to access library content with the stolen account credentials.
What makes this campaign unique is the lengths to which the threat actors went to appear convincing. Each targeted university has a personalized landing page. In addition, the email uses proper grammar and provides links to library resources and a helpdesk email address in case the student needs help logging in. The landing page contains spoofed display names and stolen branding matching the actual login page, and in one case even an accurate weather forecast informing students that the campus is closed due to a snowstorm.
In 2018, the US Department of Justice charged nine members of the group for their actions, alleging that between 2013 and 2017, TA407’s activities accounted for $3.4 billion worth of stolen intellectual property, 31.5 terabytes of academic data, almost 8000 compromised university accounts, and 3700 compromised accounts belonging to professors at US-based universities. They also allege that 144 US-based and 176 foreign universities were victims of the scheme. The Department of Justice states that this group operates on behalf of the Iranian government and that the stolen data is being used by the Iranian government and Iranian universities.
Although this specific phishing campaign is targeted at students, there are many steps you can take to avoid falling victim to phishing emails. Noticing such things as a strange sender email address, a lack of identifying information (e.g. a valid account number, name, or address), links to strange domains, and improper grammar may all be tells that the email is malicious. If you are still unable to determine whether it is a phishing email, it is best to visit the site in question directly rather than through any links provided in the email.
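Two of the tells above, a sender address outside the institution's domain and a link whose visible text names the real library login page while the href points somewhere else, can be checked mechanically on the raw message. The following is an added example written for this article, not code from Proofpoint, Secureworks, or the campaign; the domain `example-university.edu`, the look-alike host `lib-login-portal.test`, and the sample message are all constructed placeholders.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
EXPECTED_DOMAIN = "example-university.edu"  # assumed placeholder for the real institution domain
class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
def under_domain(host, domain=EXPECTED_DOMAIN):
    # True only for the domain itself or a genuine subdomain; "example-university.edu.evil.test" fails
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)
def analyze_message(raw):
    """Flag an off-domain sender, off-domain links, and link text that names the real domain while the href does not."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    sender = parseaddr(msg["From"])[1]
    if not under_domain(sender.rpartition("@")[2]):
        findings.append(f"sender domain mismatch: {sender}")
    parser = LinkExtractor()
    parser.feed(msg.get_body(preferencelist=("html",)).get_content())
    for href, text in parser.links:
        url = urlparse(href)
        if url.scheme == "mailto":  # the helpdesk address has no host to resolve
            continue
        if not under_domain(url.hostname):
            findings.append(f"link to external host: {url.hostname}")
        shown = urlparse(text).hostname if "://" in text else None
        if shown and under_domain(shown) and shown != url.hostname:
            findings.append(f"link text shows {shown} but href goes to {url.hostname}")
    return findings
# Constructed sample in the style the article describes; every domain in it is invented.
SAMPLE = """\
From: Library Services <library@example-university.edu.lib-login-portal.test>
Subject: Library account access
Content-Type: text/html

<p>Sign in at <a href="http://example-university.edu.lib-login-portal.test/login">https://library.example-university.edu/login</a> or contact <a href="mailto:helpdesk@example-university.edu">the helpdesk</a>.</p>
"""
```

Running `analyze_message(SAMPLE)` returns three findings: the off-domain sender, the off-domain login link, and the mismatch between the link text and its target; the mailto helpdesk link, which really is on the institution's domain, produces none.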
Sources
• https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian