SpoofedScholars is a new credential phishing attack that uses a University of London website to steal information from researchers who specialize in the Middle East, according to new analysis from Proofpoint. Proofpoint reports that senior think tank analysts, journalists focused on Middle Eastern affairs and professors are the targets in this latest attack.
The group compromised a legitimate site from the university’s radio station and created personalized credential harvesting pages disguised as registration links from the radio station’s website. The bad actor pretends to be a professor who works at the university’s School of Oriental and African Studies and invites the targeted individual to speak at an online conference. The goal is to gather personal information and to meet via phone call or video conference.
The threat actor “often uses free email providers to spoof individuals familiar to their targets to increase the likelihood of successful compromise,” according to Proofpoint. Also, as described in the Proofpoint blog post, the group focuses credential phishing on “specific individuals of interest to collect intelligence through exfiltration of sensitive email and contacts or initial access for future phishing campaigns.”
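One defensive check that follows from the behaviour described above, as an added example that is not Proofpoint's code or part of the original report: compare the display name on an inbound message against an address book of known contacts and flag mail where a familiar name, or an academic title, arrives from a free-mail domain rather than the contact's institutional domain. All names, domains and headers below are constructed.

```python
"""Flag inbound mail where a familiar display name arrives from a free-mail
domain instead of the sender's known institutional domain (constructed data)."""
from email.utils import parseaddr

# Free-mail providers anyone can register at without vetting (illustrative list).
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}

# Constructed address book: display names the recipient knows, mapped to the
# domain their genuine mail comes from. Names and domains are hypothetical.
KNOWN_CONTACTS = {
    "dr alice example": "soas.example.ac.uk",
    "bob sample": "thinktank.example.org",
}

ACADEMIC_TITLES = {"dr", "prof", "professor"}


def normalise(name: str) -> str:
    """Lower-case and strip punctuation so 'Dr. Alice Example' == 'dr alice example'."""
    kept = "".join(c for c in name.lower() if c.isalnum() or c.isspace())
    return " ".join(kept.split())


def classify_sender(from_header: str) -> str:
    """Return a verdict string for one From: header value."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    key = normalise(name)
    expected = KNOWN_CONTACTS.get(key)
    if expected and domain != expected:
        # A name we recognise, but not from the domain we have on record.
        if domain in FREE_MAIL_DOMAINS:
            return "impersonation: known contact from free-mail domain"
        return "mismatch: known contact from unexpected domain"
    if domain in FREE_MAIL_DOMAINS and ACADEMIC_TITLES & set(key.split()):
        # Unknown sender claiming an academic title from a free-mail account.
        return "review: academic title from free-mail domain"
    return "ok"


def triage(headers):
    """Return (header, verdict) pairs for every header that is not 'ok'."""
    verdicts = [(h, classify_sender(h)) for h in headers]
    return [(h, v) for h, v in verdicts if v != "ok"]


# Constructed sample From: headers, as they would appear in inbound mail.
SAMPLE_HEADERS = [
    '"Dr. Alice Example" <a.example@soas.example.ac.uk>',
    '"Dr. Alice Example" <alice.example.soas@gmail.com>',
    '"Prof. Carol Nobody" <carol.nobody@outlook.com>',
    "Bob Sample <bob@thinktank.example.org>",
]

if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_HEADERS):
        print(f"{verdict:55} {header}")
```

The check only catches the display-name trick; it does not replace verifying an invitation through a channel the recipient already trusts.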
The security researchers believe that the bad actors are supported by the Iranian government. Proofpoint researchers believe that the Iranian government is looking for information about foreign policy, insights into Iranian dissident movements and understanding of U.S. nuclear negotiations.
According to the analysis, most of the targets have been previously targeted by the group. Proofpoint data suggests that the list of targets is fewer than 10 organizations. Proofpoint has contacted the appropriate authorities to alert the university about the breach.
University of London’s School of Oriental and African Studies has about 5,200 undergraduate and postgraduate students on campus and more than 300 instructors specialized in the study of Africa, Asia and the Middle East. SOAS Radio is run by volunteers, alumni, current students and staff at the school and broadcasts original programming on world music, culture and current affairs.
Analysts concluded that the use of legitimate, but compromised, infrastructure represents a more sophisticated approach that the group will almost certainly use in future campaigns.
Proofpoint recommends that academics, journalists and think tank analysts verify the identity of the individuals offering them unique opportunities before sharing any personal information.
The same actor, identified by Proofpoint as TA453, launched a similar credential phishing campaign in late 2020 that targeted medical professionals who specialize in genetics, neurology and oncology research in the United States and Israel.