A US-based Information Security company, Secureworks, has identified attacks originating from Iran targeting over 300 Universities including those based in the United Kingdom, Australia and the US.
The attack on universities was harvesting credentials by posting a fake website that then redirected to a legitimate page. Victims that entered their normal login credentials into the fake portal had these unknowingly stolen before being redirected to the legitimate site.
This attack is known as website spoofing, a common form of social engineering, is well established as a hacking methodology and is often used to fool users into entering their standard credentials. The key part of these attacks it that the website must look as authentic as possible, and to then redirect to the legitimate site so the user does not have any knowledge.
In the case of the attack in this article, the campaign involved spoofing multiple domains that replicated the corresponding University’s library system. These spoofed web pages then required the visitor to enter their username and password, subsequently stealing their logon details and then redirecting them to the legitimate website to avoid suspicion.
Fake emails are still somewhat difficult to identify, especially considering the ever-increasing complexity of these attacks. According to Symantec’s Latest Intelligence article, phishing rates have climbed from 1 in 3,331 in February 2018 to 1 in 2,981 by March 2018. If the website you intend to visit is very reputable (e.g. PayPal), then ensure that the website name is listed in the ‘Secure’ section of the URL which displays their SSL certificate. We also strongly advise that you never enter your credentials in a website where you have navigated to it from an email link. Instead, try to navigate to the website yourself to validate its authenticity.