What’s the matter?
Researchers from Proofpoint have tracked the activities and operations of the Iranian cyber-espionage group ‘Silent Librarian’ and have provided details about the threat group.
About the group
The threat group, also known as TA407, Cobalt Dickens, and Mabna Institute, primarily targets universities and educational institutions in North America and Europe.
Researchers tracked the group’s phishing campaigns between June and October 2019 and noted that TA407 uses phishing landing pages created for library and student/faculty access portals.
“Proofpoint researchers frequently observe Silent Librarian’s phishing attempts originating from a university unrelated to their current target using a separate, unrelated university’s URL shortening service. This short URL links to a phishing landing page either directly or via one or more third-party sites that eventually lands the user on a clone of a login portal hosted on an actor-controlled server,” researchers noted.
Other social engineering techniques used by the group
The other social engineering mechanisms leveraged by the threat group include:
Contents of the phishing emails
The phishing emails sent by Silent Librarian include subject lines similar to ‘Library Services’, ‘Library Account Expiration’, ‘Renewal of loaned items’, ‘Renew your loaned items’, and ‘Overdue notice on loaned items’.
“Dear Library Member,
Your access to your library account is expiring soon due to inactivity. To continue to have access to the library services, you must reactivate your account. For this purpose, click the web address below or copy and paste it into your web browser. A successful login will activate your account and you will be redirected to your library profile.
If you’re not able to login, please contact <email address> for immediate assistance,” the phishing email read, Proofpoint reported.
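The delivery pattern and the subject lines described above can be combined into a mail-triage heuristic for a university's own inbound mail. The Python below is an added example, not code from Proofpoint or the original article; the indicator names, the academic-suffix pattern, the `home_domain` parameter and the sample domains are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Subject lines reported in the article; matched case-insensitively as substrings.
LURE_SUBJECTS = (
    "library services", "library account expiration", "renewal of loaned items",
    "renew your loaned items", "overdue notice on loaned items",
)
# Assumption: academic hosts are recognised by these suffixes (.edu, .ac.xx, .edu.xx).
ACADEMIC = re.compile(r"(\.edu|\.ac\.[a-z]{2}|\.edu\.[a-z]{2})$")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def org_domain(host):
    """Crude organisational domain: last 2 labels, or 3 for ac.xx / edu.xx."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if len(labels) >= 3 and labels[-2] in ("ac", "edu") else 2
    return ".".join(labels[-n:])

def score_message(raw, home_domain):
    """Return the indicators matched by a raw single-part RFC 5322 message."""
    msg = message_from_string(raw)
    hits = []
    subject = (msg.get("Subject") or "").lower()
    if any(s in subject for s in LURE_SUBJECTS):
        hits.append("library_lure_subject")
    sender = org_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    if ACADEMIC.search(sender) and sender != home_domain:
        hits.append("external_university_sender")
    body = msg.get_payload()  # multipart bodies are out of scope for this example
    for url in URL_RE.findall(body if isinstance(body, str) else ""):
        link = org_domain(urlparse(url).hostname or "")
        # Link host belongs to a university that is neither ours nor the sender's.
        if ACADEMIC.search(link) and link not in (home_domain, sender):
            hits.append("third_party_university_link")
            break
    return hits

# Constructed sample message (placeholder domains, not taken from the report).
SAMPLE = """From: Library <library@mail.univ-a.edu>
To: student@home-univ.edu
Subject: Library Account Expiration

Dear Library Member, reactivate here: https://go.univ-b.ac.uk/x7Kq
"""

if __name__ == "__main__":
    print(score_message(SAMPLE, "home-univ.edu"))
```

A message matching all three indicators is a candidate for quarantine or analyst review; the subject match alone also fires on legitimate library notices, so it should not be used on its own.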