Security researchers have revealed that a threat group associated with the Iranian government registered fake domains hosting more than 300 spoofed websites and login pages of universities in over fourteen countries, including the UK, the U.S., and Australia.
Back in July, Action Fraud issued an alert about an elaborate domain-spoofing operation in which cybercriminals mimicked the domains of well-known UK universities in order to defraud British and European suppliers.
“Fraudsters are registering domains that are similar to genuine university domains such as xxxxacu-uk.org, xxxxuk-ac.org, and xxxacu.co.uk. These domains are used to contact suppliers and order high-value goods such as IT equipment and pharmaceutical chemicals in the university’s name,” Action Fraud said.
According to Action Fraud, fraudsters behind the operation caused losses of over £350,000 to unsuspecting suppliers. “This type of fraud can have a serious impact on businesses. This is why it’s so important to spot the signs and carry out all the necessary checks, such as verifying the order and checking any documents for poor spelling and grammar,” said Pauline Smith, director of Action Fraud.
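The three patterns Action Fraud quoted share one shape: the institution's name with the letters of its genuine ".ac.uk" suffix fused or reordered into the registrable label, placed under a different public suffix. As an added example (not code from the article, Action Fraud or Secureworks), the script below flags candidate registrations that match that shape, plus near-miss typosquats of the institution name. The candidate domains are constructed, and the short suffix list stands in for the real Public Suffix List that a production tool would load.

```python
"""Flag lookalike domains that impersonate a university's genuine domain.

Added example; not code from the article, Action Fraud or Secureworks.
Lookalike shape checked: institution name + letters of "ac.uk" folded into
the label (xxxxacu-uk.org, xxxxuk-ac.org, xxxacu.co.uk), under another suffix.
"""
from difflib import SequenceMatcher

# Assumption: a hand-picked suffix list instead of the full Public Suffix List
# (a production tool would load the real list, e.g. via the tldextract package).
PUBLIC_SUFFIXES = ("ac.uk", "co.uk", "org.uk", "com", "org", "net", "uk")

# Letters the "ac.uk" suffix contributes when it is folded into the label.
ACUK_LETTERS = set("acuk")

# Constructed data: genuine domains in real ac.uk form, and invented candidate
# registrations that mirror the patterns in the Action Fraud alert.
GENUINE_DOMAINS = ["example.ac.uk", "warwick.ac.uk"]
CANDIDATE_DOMAINS = [
    "exampleacu-uk.org",
    "exampleuk-ac.org",
    "exampleacu.co.uk",
    "example-ac-uk.com",
    "warwick.ac.uk",             # genuine, must not be flagged
    "examples.org",              # plain typosquat of the name
    "unrelated-supplier.co.uk",  # unrelated, must not be flagged
]


def split_domain(domain):
    """Return (registrable label, public suffix) using the longest matching suffix."""
    domain = domain.lower().strip(".")
    for suffix in sorted(PUBLIC_SUFFIXES, key=len, reverse=True):
        if domain.endswith("." + suffix):
            return domain[: -len(suffix) - 1], suffix
    label, _, suffix = domain.rpartition(".")
    return label, suffix


def classify(candidate, genuine):
    """Return why `candidate` looks like an impersonation of `genuine`, or None.

    Only the registrable label is compared; subdomain tricks such as
    example.ac.uk.evil.org need a separate check not shown here.
    """
    cand_label, cand_suffix = split_domain(candidate)
    gen_label, gen_suffix = split_domain(genuine)
    if (cand_label, cand_suffix) == (gen_label, gen_suffix):
        return None  # it is the genuine domain itself
    # Fold separators away so "example-ac-uk" and "exampleacu-uk" compare alike.
    folded = cand_label.replace("-", "").replace(".", "")
    if folded.startswith(gen_label):
        remainder = folded[len(gen_label):]
        if remainder and set(remainder) <= ACUK_LETTERS:
            return "institution name with 'ac.uk' folded into the label (%s)" % remainder
    # Generic typosquat: the label is nearly the institution's name.
    ratio = SequenceMatcher(None, cand_label, gen_label).ratio()
    if ratio >= 0.85:
        return "near-match label (similarity %.2f) under suffix .%s" % (ratio, cand_suffix)
    return None


def find_lookalikes(candidates, genuine_domains):
    """Return {candidate: (genuine domain, reason)} for every flagged candidate."""
    hits = {}
    for cand in candidates:
        for gen in genuine_domains:
            reason = classify(cand, gen)
            if reason:
                hits[cand] = (gen, reason)
                break
    return hits


if __name__ == "__main__":
    for cand, (gen, reason) in find_lookalikes(CANDIDATE_DOMAINS, GENUINE_DOMAINS).items():
        print("%-28s impersonates %-16s %s" % (cand, gen, reason))
```

A supplier would run this over the sender domain of any purchase order claiming to come from a university; a university would run it over newly registered domain feeds. Either way a hit is a reason to verify the order out of band, which is the check Action Fraud recommends.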
The Action Fraud alert was not the first time universities had been warned about elaborate domain-spoofing campaigns. In July last year, Newcastle University warned prospective students to stay away from a fake website that looked identical to its own and that asked visitors to pay admission and course fees on the site itself, in addition to sharing their personal details.
Massive intellectual property theft scam
Earlier this week, security researchers at Secureworks uncovered a large domain-spoofing campaign targeting 76 universities in over fourteen countries, including the UK, the U.S., and Australia. After examining the IP address of a fake webpage that spoofed a university URL, the researchers found 16 domains hosting more than 300 spoofed websites and login pages for those 76 universities.
Further investigation revealed that after an unsuspecting visitor entered their credentials on one of these pages, they were either logged into a valid session on the genuine site or prompted to enter the credentials again, so the victim had little reason to suspect the credentials had been captured. Since many of the fraudulent pages targeted universities’ online library systems, the researchers assessed that the actors behind the campaign were after intellectual property and were stealing login credentials to reach it.
“Universities are attractive targets for threat actors interested in obtaining intellectual property. In addition to being more difficult to secure than heavily regulated finance or healthcare organizations, universities are known to develop cutting-edge research and can attract global researchers and students,” they said.
According to Secureworks, many of the fake domains were registered between May and August this year, and many of them resolved to the same IP address and DNS name server, indicating that the campaign was run by a single group, one that is probably close to the Iranian government.
“The targeting of online academic resources is similar to previous cyber operations by COBALT DICKENS, a threat group associated with the Iranian government. In those operations, which also shared infrastructure with the August attacks, the threat group created lookalike domains to phish targets and used credentials to steal intellectual property from specific resources, including library systems,” Secureworks said.
NCSC warned about Iranian hackers too
This is not the first time Iranian hackers have been reported targeting universities, principally to steal intellectual property. In March, the National Cyber Security Centre (NCSC) said that the Mabna Institute, based in Iran, had been targeting universities in the UK primarily for the purpose of intellectual property theft.
In a press release, the NCSC said it “assesses with high confidence that the Mabna Institute are almost certainly responsible for a multi-year Computer Network Exploitation (CNE) campaign targeting universities in the UK, the US, as well as other Western nations, primarily for the purposes of intellectual property (IP) theft.”
“The UK Government judges that the Mabna Institute based in Iran was responsible for a hacking campaign targeting universities around the world. By stealing intellectual property from universities, these hackers attempted to make money and gain technological advantage at our expense,” said Lord Tariq Ahmad, the Foreign Office Minister for Cyber.
“Universities drive forward a lot of the research and development in the UK. Intellectual property takes years of knowhow and costs a lot. If someone can get that very quickly, that’s good for them,” Carsten Maple, director of cyber security at the University of Warwick, told The Times.