A hacking group with links to Iran has targeted some of the UK’s leading universities in an attempt to steal unpublished research and obtain intellectual property.
Researchers from Secureworks Counter Threat Unit (CTU) discovered the scam and believe a group called ‘Cobalt Dickens’ is behind the attack, which targeted multiple universities across the world.
The researchers found more than 300 spoofed websites for 76 universities located in the UK and 13 other countries, including the US, Canada, Israel, China, Australia, Switzerland and Japan.
Victims have been prompted to enter their username and password into a fake login page, before being redirected through to the official university website where they are logged into a valid browsing session.
A number of the spoofed domains reference the university’s online library systems, indicating the attacker’s intention to access academic resources.
Most domains were tied to the same IP address and the vast majority were registered between May and August 2018.
The universities targeted in the attack have not yet been named, but some are reported to be among the Times Higher Education’s list of the UK’s top 50.
A spokesperson for CTU commented on the scam: “Universities are attractive targets for threat actors interested in obtaining intellectual property.
“In addition to being more difficult to secure than heavily regulated finance or healthcare organisations, universities are known to develop cutting-edge research and can attract global researchers and students.”
Spoofed websites are created to trick unsuspecting users into thinking they are on a legitimate site. Criminals will spend a lot of time making the site seem as credible as possible and many sites will appear almost indistinguishable from the real thing.
To determine if the site you are on is legitimate or a well-crafted fake you should:
- Check the URL – Hover your mouse over the URL to check the validity of the web address. To make sure the site you are logged into is safe and secure, you should look for a padlock symbol in the address bar and check that the URL begins with ‘https://’ or ‘shttp://’.
- Assess the content within the site – Simple spelling mistakes, broken English, grammatical errors or low-resolution images should act as a red flag that you are on a phishing site, and you should leave immediately.
- Check who owns the website – All web addresses have to be registered, so it’s worth doing a WHOIS lookup to check who owns the site. If the website has been active for less than a year, or the site is registered to an individual in another country, it may indicate a phishing website.
- Read online reviews – If a site has defrauded people in the past, there’s a good chance that victims will go online to share their experience with others.
- Only use a trusted form of payment – Legitimate sites will always take credit cards as a form of payment or use a portal such as PayPal for online transactions. If the only option provided is a bank transfer, this may indicate you’ve strayed onto a spoofed site.
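The URL and WHOIS checks above can be automated for a login link. The sketch below is an added example, not code from Secureworks or from this article. It shows why the hostname has to end in the institution's real domain rather than merely contain it, since a padlock only shows that the connection is encrypted. The domain `university.example`, the sample URLs and the registration dates are constructed placeholders.

```python
from datetime import date
from urllib.parse import urlsplit

# Assumption: the institution's real domain (placeholder, not from the article).
OFFICIAL_DOMAIN = "university.example"
MIN_AGE_DAYS = 365            # the "active for less than a year" rule in the list
TODAY = date(2018, 8, 30)     # constructed reference date for the samples

def is_official_host(host, official=OFFICIAL_DOMAIN):
    """True only if host is the official domain or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == official or host.endswith("." + official)

def assess_login_url(url, registered_on, today=TODAY):
    """Return a list of warnings; an empty list means no check failed."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append("not https")
    if not is_official_host(host):
        warnings.append("host outside official domain")
        # The real name appearing inside another domain is a lookalike,
        # e.g. the official hostname used as a prefix of a different site.
        if OFFICIAL_DOMAIN.split(".")[0] in host:
            warnings.append("official name embedded in another domain")
    if registered_on is not None and (today - registered_on).days < MIN_AGE_DAYS:
        warnings.append("domain registered less than a year ago")
    return warnings

# Constructed samples: (URL, WHOIS creation date obtained separately).
SAMPLES = [
    ("https://library.university.example/login", date(1998, 3, 1)),
    ("https://library.university.example.portal-login.example/login",
     date(2018, 6, 12)),
    ("http://library.university.example/login", date(1998, 3, 1)),
]

def assess_samples():
    """Run every constructed sample through the checks."""
    return [assess_login_url(url, created) for url, created in SAMPLES]

if __name__ == "__main__":
    for (url, _), result in zip(SAMPLES, assess_samples()):
        print(url, "->", result or "ok")
```

The second sample passes the ‘https://’ check and still fails, because its registered domain is `portal-login.example`, not the university's.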
MetaPhish has been designed to provide the first line of defence against phishing and ransomware attacks. Contact us for further information on how we can help protect your business from this growing threat.