
Justice was overdue: Indicted Iranian hackers phished targets using library account lures

The nine U.S.-indicted Iranians who stand accused of exfiltrating 31 terabytes of research and data from educational institutions, companies and government agencies allegedly used phishing schemes to steal university students' and faculty members' library credentials.

In a Mar. 26 blog post, researchers at PhishLabs claim to have identified more than 750 phishing attacks launched by the alleged hackers since September 2013. But these phishing emails are different from the ones that were described as targeting professors in the federal indictment that was unsealed last Friday.

Instead, these phishing emails attempted to trick students with lures claiming that their library accounts had expired, and instructed them to take immediate action by clicking a link and logging back in. Of course, the link actually led to a malicious domain that stole any entered credentials.

Fittingly, PhishLabs refers to the group of nine defendants, who all work for an Iranian company called the Mabna Institute, as Silent Librarian. "Looking at the list of university targets, it is clear that they are not randomly selected. All of the universities targeted in the Silent Librarian campaigns are generally prominent research, technical, or medical universities," states the blog post, authored by Crane Hassold, director of threat intelligence.

To feign authenticity, the emails reportedly used spoofed sender email addresses and a legitimate-looking signature containing the actual contact information for each recipient's library. According to PhishLabs, 97 percent of the lures contained the subject "Library Account," "Library Notifications," or "Library Services" -- sometimes with the name of the university appended to the subject.
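The indicators described above (a library-themed subject, a spoofed sender, and a login link that leaves the library's own domain) translate directly into mail-filter logic. The following is an added example, not code from PhishLabs or from the article; the host `library.example-university.edu`, the `evil-example.net` lookalike and both sample messages are constructed placeholders. It parses each message with Python's standard `email` module and reports which indicators fire:

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Subject lines reported for 97 percent of the lures; the campaign sometimes
# appended the university name, so we match on the prefix only.
LURE_SUBJECTS = ("library account", "library notifications", "library services")

# Assumed (constructed) host of the institution's real library login page.
LIBRARY_HOST = "library.example-university.edu"


def registered_domain(host):
    """Naive registrable-domain extraction (last two labels). A production
    filter would consult the public suffix list instead."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else (host or "").lower()


def extract_urls(text):
    """Pull http(s) URLs out of a plain-text body."""
    return re.findall(r"https?://[^\s\"'<>]+", text)


def score_message(raw, library_host=LIBRARY_HOST):
    """Return the lure indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    sender = parseaddr(str(msg["From"] or ""))[1]
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""

    expected = registered_domain(library_host)
    reasons = []
    if subject.startswith(LURE_SUBJECTS):
        reasons.append("lure_subject")
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    if registered_domain(sender_domain) != expected:
        reasons.append("sender_domain_mismatch")
    offsite = sorted({urlparse(u).hostname or "" for u in extract_urls(text)
                      if registered_domain(urlparse(u).hostname) != expected})
    if offsite:
        reasons.append("offsite_link")
    # A library-themed subject whose link or sender points away from the
    # library's own domain is the pattern the article describes. A spoofed
    # From header alone will not trip the sender check, so the link check
    # is the one that matters most.
    suspicious = "lure_subject" in reasons and (
        "offsite_link" in reasons or "sender_domain_mismatch" in reasons)
    return {"suspicious": suspicious, "reasons": reasons, "offsite_hosts": offsite}


# Constructed sample messages; no real addresses, people or domains.
PHISH = "\n".join([
    "From: Example University Library <account@example-university.edu>",
    "To: student@example-university.edu",
    "Subject: Library Account - Example University",
    "",
    "Your library account has expired. Log in to restore access:",
    "http://library.example-university.edu.evil-example.net/login",
    "",
    "Example University Library, 123 Campus Drive",
])

LEGIT = "\n".join([
    "From: Example University Library <circulation@example-university.edu>",
    "To: student@example-university.edu",
    "Subject: Library Account renewal",
    "",
    "Renew your books at https://library.example-university.edu/account",
])

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, score_message(raw))
```

The legitimate sample deliberately carries a "Library Account" subject: the subject alone is only a weak signal, and the verdict turns on where the link actually goes.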

The phishing sites themselves, which have been hosted on at least 127 different domains since 2013, also looked like the real deal, with URLs and content similar to the target library's actual account login page. "The actors likely scrape the original HTML source code from the legitimate library login page, then edit the references to resources used to render the web page... to point back to the original page," the blog post explains.
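The scrape-and-repoint technique quoted above leaves a structural fingerprint: every stylesheet, script and image on the clone is fetched from the legitimate library's domain, while the login form posts somewhere else. The following added example (not code from PhishLabs or from the article) checks a fetched page for exactly that mismatch; the two sample pages and the `example-university.edu` / `evil-example.net` domains are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


def registered_domain(host):
    """Naive registrable-domain extraction (last two labels); a production
    check would use the public suffix list."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else (host or "").lower()


class RefCollector(HTMLParser):
    """Collects where a page loads its resources from and where its forms post."""

    def __init__(self):
        super().__init__()
        self.resources = []
        self.form_actions = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("href"):
            self.resources.append(a["href"])
        elif tag in ("script", "img") and a.get("src"):
            self.resources.append(a["src"])
        elif tag == "form":
            # A form with no action attribute posts back to the page's own URL.
            self.form_actions.append(a.get("action") or "")


def analyse_login_page(html, page_url):
    """Flag a login page whose rendering resources come from one domain but
    whose credentials are posted to another."""
    parser = RefCollector()
    parser.feed(html)
    page_domain = registered_domain(urlparse(page_url).hostname)
    resource_domains = {registered_domain(urlparse(urljoin(page_url, u)).hostname)
                        for u in parser.resources}
    form_domains = {registered_domain(urlparse(urljoin(page_url, a)).hostname)
                    for a in parser.form_actions}
    # Indicator 1: nothing that renders the page is served by the page's own domain.
    rendered_elsewhere = bool(resource_domains) and page_domain not in resource_domains
    # Indicator 2: some form posts to a domain that serves none of the resources.
    posts_elsewhere = any(d not in resource_domains for d in form_domains)
    return {
        "page_domain": page_domain,
        "resource_domains": sorted(resource_domains),
        "form_domains": sorted(form_domains),
        "likely_clone": rendered_elsewhere and posts_elsewhere,
    }


# Constructed sample: a clone served from a lookalike host, with the original
# page's resource references left pointing at the real library.
CLONED_URL = "http://library.example-university.edu.evil-example.net/account/"
CLONED = """<html><head>
<link rel="stylesheet" href="https://library.example-university.edu/css/site.css">
<script src="https://library.example-university.edu/js/app.js"></script>
</head><body>
<img src="https://library.example-university.edu/img/logo.png">
<form method="post" action="login.php">
<input name="netid"><input name="password" type="password">
</form></body></html>"""

# Constructed sample: the genuine page, which may legitimately pull a script
# from a CDN under the same registrable domain.
ORIGINAL_URL = "https://library.example-university.edu/account/"
ORIGINAL = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="https://cdn.example-university.edu/js/app.js"></script>
</head><body>
<img src="/img/logo.png">
<form method="post" action="/account/login">
<input name="netid"><input name="password" type="password">
</form></body></html>"""

if __name__ == "__main__":
    print(analyse_login_page(CLONED, CLONED_URL))
    print(analyse_login_page(ORIGINAL, ORIGINAL_URL))
```

Comparing registrable domains rather than exact hosts keeps a genuine page that uses its own CDN subdomain from being flagged, while a lookalike host that merely embeds the library's name still resolves to a different registrable domain.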

The researchers also uncovered a website, "likely run by" defendant Mostafa Sadeghi, that was observed selling the stolen library credentials. The site was also found to sell individual research journal articles. This discovery jibes with the federal indictment's reference to two other websites, Megapaper and Gigapaper, that sold hacked data as well as access to hijacked university accounts.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
