Cybercriminals have no boundaries. Using a range of phishing and social engineering tactics, attackers target victims across the globe while operating from a single location. Security firm Proofpoint recently discovered an active social engineering campaign by Iran-based threat actors who impersonated scholars from the University of London’s School of Oriental and African Studies (SOAS) to target senior think tank personnel, journalists, and professors.
Dubbed SpoofedScholars, the campaign was attributed by Proofpoint to the advanced persistent threat (APT) group TA453. According to the report, TA453 has close links with the Iranian Revolutionary Guard Corps (IRGC) and has launched various credential phishing attacks to harvest sensitive information from high-profile individuals. TA453 has been covertly approaching professors since as early as January 2021 to capture sensitive information.
The threat actors leveraged the university’s website to create “customized” credential harvesting pages. They posed as professors from SOAS and invited targeted scholars to speak at fake conferences. After establishing trust, the attackers sent bogus registration links to the victims to steal their private data.
Explaining the attack chain, Proofpoint said, “TA453 sent an initial email trying to entice the target with a prospective invitation to an online conference on ‘The US Security Challenges in the Middle East.’ TA453 strived to connect with the individual via phone to discuss the invitation; however, after the target hedged and emphatically stated that they wanted a written proposal with the details, TA453 acquiesced with conference specifics. After a little back and forth that verified the target’s interest, TA453 provided a detailed invitation to the fake conference. The conversation concluded with TA453 attempting to get the target to connect via videoconferencing.”
Proofpoint observed TA453 using passable communication skills to build trust with its targets. The threat actors also focused on obtaining the victims’ contact details, which could later be used to deploy mobile malware or launch further phishing attacks. The attackers were highly selective in choosing their targets and will continue spoofing scholars to steal information concerning the Iranian government, foreign policy, Iranian dissident movements, and the U.S. nuclear negotiations.
Proofpoint urged academics, professors, journalists, and researchers to be vigilant and to practice basic security measures such as multi-factor authentication to blunt credential harvesting attacks. The company also asked users to be cautious about virtual conference invitations from unknown or anonymous sources.