- Silent Librarian employs Freenom domains to host phishing landing pages.
- The threat group also uses URL shorteners, linking, and abuse of legitimate services in its campaigns.
What’s the matter?
Researchers from Proofpoint have tracked the activities and operations of the Iranian cyber-espionage group ‘Silent Librarian’ and have provided details about the threat group.
About the group
The threat group, also known as TA407, Cobalt Dickens, and Mabna Institute, primarily targets universities and educational institutions in North America and Europe.
Researchers tracked the group’s phishing campaigns between June and October 2019 and noted that TA407 uses phishing landing pages created for library and student/faculty access portals.
- Silent Librarian group distributes phishing URLs that redirect victims to fake university library login pages.
- The threat group employs Freenom domains to host phishing landing pages.
- The group abuses compromised accounts at universities to phish users at other universities.
- TA407 takes advantage of publicized downtime and weather alerts in order to add credibility to its phishing emails.
- The group also uses URL shorteners, linking, and abuse of legitimate services in its campaigns.
“Proofpoint researchers frequently observe Silent Librarian’s phishing attempts originating from a university unrelated to their current target using a separate, unrelated university’s URL shortening service. This short URL links to a phishing landing page either directly or via one or more third-party sites that eventually lands the user on a clone of a login portal hosted on an actor-controlled server,” researchers noted.
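The redirect chain described above (unrelated university's shortener, one or more third-party hops, a portal clone on an actor-controlled Freenom domain) can be triaged from a defender's side by walking the chain and scoring each hop. The following is an added example, not Proofpoint's or the researchers' code; the shortener list, the `example-uni.edu` / `other-uni.edu` domains and the sample chains are constructed, while the Freenom free TLDs (.tk, .ml, .ga, .cf, .gq) are a known fact not taken from this page.

```python
from urllib.parse import urlsplit

# Freenom's free country-code TLDs (known fact, not from the article)
FREENOM_TLDS = {"tk", "ml", "ga", "cf", "gq"}
# Constructed list: public shorteners plus a hypothetical university shortener
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "go.other-uni.edu"}


def host_of(url):
    """Lower-cased hostname of a URL ('' if unparsable)."""
    return (urlsplit(url).hostname or "").lower()


def belongs_to(host, org_domain):
    """True if host is org_domain itself or a subdomain of it."""
    return host == org_domain or host.endswith("." + org_domain)


def imitates(host, org_domain):
    """Host reuses the organisation's name label but sits outside its domain,
    e.g. 'library.example-uni.tk' imitating 'example-uni.edu'."""
    org_label = org_domain.split(".")[0]
    return org_label in host and not belongs_to(host, org_domain)


def triage_chain(chain, target_org_domain):
    """chain: URLs in redirect order (first = link in the email, last = landing page).
    Returns (verdict, reasons); 'phish' only when the landing page itself looks hostile."""
    hosts = [host_of(u) for u in chain]
    first, landing = hosts[0], hosts[-1]
    reasons = []
    if first in SHORTENER_HOSTS:
        reasons.append("link goes through a URL shortener")
    if first.endswith(".edu") and not belongs_to(first, target_org_domain):
        reasons.append("entry URL hosted by an unrelated university")
    if len(hosts) > 2:
        reasons.append(f"{len(hosts) - 2} intermediate third-party hop(s)")
    if landing.rsplit(".", 1)[-1] in FREENOM_TLDS:
        reasons.append("landing page on a Freenom free TLD")
    if imitates(landing, target_org_domain):
        reasons.append("landing host imitates the target university's domain")
    if any(r.startswith("landing") for r in reasons):
        return "phish", reasons
    return ("review" if reasons else "benign"), reasons


# Constructed sample chains (no real campaign URLs)
SAMPLES = {
    "phish": ["https://go.other-uni.edu/x1", "https://blog-host.example/r",
              "https://library.example-uni.tk/login"],
    "benign": ["https://library.example-uni.edu/account/renew"],
}
```

A chain that ends on the university's own portal but passes through a shortener comes back as "review" rather than "phish", so legitimate shortened links are surfaced for a look without being blocked outright.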
Other social engineering techniques used by the group
The other social engineering mechanisms leveraged by the threat group include:
- Stolen university branding
- Fake email signatures, credentials, and addresses
- University-specific email bodies or portal clones
- Themed subject lines
Contents of the phishing emails
The phishing emails sent by Silent Librarian include subject lines similar to ‘Library Services’, ‘Library Account Expiration’, ‘Renewal of loaned items’, ‘Renew your loaned items’, and ‘Overdue notice on loaned items’.
“Dear Library Member,
Your access to your library account is expiring soon due to inactivity. To continue to have access to the library services, you must reactivate your account. For this purpose, click the web address below or copy and paste it into your web browser. A successful login will activate your account and you will be redirected to your library profile.
If you’re not able to login, please contact <email address> for immediate assistance,” the phishing email read, Proofpoint reported.