Researchers from Proofpoint have identified an Iranian hacking group (TA453) targeting think tanks, senior professors and journalists from Middle Eastern countries with a credential-harvesting page hosted on a compromised website.
Proofpoint has named this operation “Operation SpoofedScholars” and suspects it was carried out to conduct cyber espionage and intelligence collection on behalf of the IRGC (Islamic Revolutionary Guard Corps).
“These connection attempts were detailed and extensive, often including lengthy conversations prior to presenting the next stage in the attack chain. Once the conversation was established, TA453 delivered a ‘registration link’ to a legitimate but compromised website belonging to the University of London’s SOAS Radio.”
“The compromised site was configured to capture a variety of credentials. Of note, TA453 also targeted the personal email accounts of at least one of their targets. In subsequent phishing emails, TA453 shifted their tactics and began delivering the registration link earlier in their engagement with the target without requiring extensive conversation. This operation, dubbed SpoofedScholars, represents one of the more sophisticated TA453 campaigns identified by Proofpoint,” reads the blog.
Experts observed that the threat actor (TA453) sent the targets an email disguised as an invitation to an online conference. As an extra step, the attackers also tried to reach the individuals by phone to discuss the invitation, and then sent a detailed invite to the fake conference like the one shown above.
“When a particular provider is clicked, a pop-up box (Figure 3) displays the actual credential phishing box. Of the options, Google, Microsoft, and Email buttons prefilled the target’s email address. Based on the variety of email providers along with TA453’s insistence that the target log on when TA453 was online, Proofpoint assesses that TA453 was planning on immediately validating the captured credentials manually,” reads the blog.
As mitigation guidance, Proofpoint has provided a set of indicators that should be investigated; any match should be treated as a suspected intrusion attempt.
- URIs starting with hxxps://soasradio[.]org/connect/?memberemailid=
- emails from hanse.kendel4[@]gmail.com
- emails from hannse.kendel4[@]gmail.com
- emails from t.sinmazdemir32[@]gmail.com
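The following hunt script is an added example (it is not part of the article or of Proofpoint's report) showing how a SOC could sweep proxy and mail-gateway exports for the indicators above. It refangs the published IOCs, matches the URI prefix case-insensitively on the host, pulls the target address that the page prefilled from the memberemailid parameter, and matches the envelope sender against the three Gmail addresses. The proxy and postfix-style log lines, host names, user names and field layout are all constructed for the example; the field regexes must be adapted to your own log format.

```python
"""Hunt for Operation SpoofedScholars indicators in proxy and mail logs.

Added example, not code from the original article or from Proofpoint.
Log formats below are constructed for illustration; adjust the regexes
(URL_FIELD, USER_FIELD, FROM_FIELD) to match your own exports.
"""
import re
from typing import Dict, Iterable, List
from urllib.parse import parse_qs, urlsplit

# Indicators exactly as published (defanged). A hit is a lead, not proof of compromise.
DEFANGED_URI_PREFIX = "hxxps://soasradio[.]org/connect/?memberemailid="
DEFANGED_SENDERS = [
    "hanse.kendel4[@]gmail.com",
    "hannse.kendel4[@]gmail.com",
    "t.sinmazdemir32[@]gmail.com",
]


def refang(ioc: str) -> str:
    """Turn a defanged IOC (hxxp, [.], [@]) back into a string that matches real logs."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", ".")
               .replace("[@]", "@"))


# Hostnames and e-mail domains are case-insensitive, so compare lowercased.
URI_PREFIX = refang(DEFANGED_URI_PREFIX).lower()
SENDERS = {refang(s).lower() for s in DEFANGED_SENDERS}

# Field extractors for the constructed key=value proxy format and postfix qmgr lines.
URL_FIELD = re.compile(r"\burl=(\S+)")
USER_FIELD = re.compile(r"\buser=(\S+)")
FROM_FIELD = re.compile(r"\bfrom=<([^>]+)>")

# Constructed sample input (hypothetical hosts and users).
SAMPLE_PROXY_LOG = """\
1625140800.123 src=10.0.0.5 user=alice method=GET url=https://soasradio.org/connect/?memberemailid=alice%40example.org status=200
1625140801.456 src=10.0.0.7 user=bob method=GET url=https://www.example-university.ac.uk/ status=200
1625140802.789 src=10.0.0.9 user=carol method=GET url=https://SOASRADIO.org/connect/?memberemailid=carol%40example.org status=200
"""

SAMPLE_MAIL_LOG = """\
Jul 01 10:00:01 mx postfix/qmgr[123]: A1B2C3: from=<hannse.kendel4@gmail.com>, size=4321, nrcpt=1 (queue active)
Jul 01 10:00:02 mx postfix/qmgr[123]: D4E5F6: from=<newsletter@example.com>, size=1234, nrcpt=1 (queue active)
Jul 01 10:00:03 mx postfix/qmgr[123]: G7H8I9: from=<T.Sinmazdemir32@gmail.com>, size=2222, nrcpt=1 (queue active)
"""


def find_uri_hits(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return proxy entries whose URL starts with the registration-link indicator.

    Each hit records the proxy user (whose browser reached the phishing page) and
    the e-mail address carried in memberemailid, which the page used to prefill
    the login box, so the owner of that mailbox must be told to reset credentials.
    """
    hits = []
    for line in lines:
        m = URL_FIELD.search(line)
        if not m:
            continue
        url = m.group(1)
        if not url.lower().startswith(URI_PREFIX):
            continue
        user = USER_FIELD.search(line)
        query = parse_qs(urlsplit(url).query)
        hits.append({
            "user": user.group(1) if user else "",
            "url": url,
            "prefilled_email": query.get("memberemailid", [""])[0],
        })
    return hits


def find_sender_hits(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return mail-log entries whose envelope sender is one of the published addresses."""
    hits = []
    for line in lines:
        m = FROM_FIELD.search(line)
        if m and m.group(1).lower() in SENDERS:
            hits.append({"sender": m.group(1).lower(), "line": line.strip()})
    return hits


if __name__ == "__main__":
    for hit in find_uri_hits(SAMPLE_PROXY_LOG.splitlines()):
        print("URI hit:", hit["user"], "->", hit["prefilled_email"])
    for hit in find_sender_hits(SAMPLE_MAIL_LOG.splitlines()):
        print("Sender hit:", hit["sender"])
```

A URI hit only proves that the browser reached the registration page, not that credentials were entered, so treat it as a trigger to reset the prefilled account's password and review its sign-in and mail-forwarding rules rather than as confirmation of compromise. Sender-address matching is the weakest of these indicators, since the actor can register new mailboxes at any time; match on both the envelope sender and the header From, and pair it with the URI check.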
For more cyber security news in crisp content, please follow our site via the Twitter handle @cyberworkx1.