Date: 2021-07-14

A group of criminals with direct links to the Iranian government has created a sophisticated phishing scam to deceive academics around the world and steal messages deemed of interest. The scam, dubbed SpoofedScholars, was reported in detail by Proofpoint and involved the use of a compromised page and a series of fake websites that were used to compromise the security of researchers.

The TA453 cybercriminals (also known as Charming Kitten and Phosphorus) posed as members of the University of London’s School of Oriental and African Studies (SOAS) in approaching the targets. Using a compromised website at the institution, they contacted Middle Eastern scholars and journalists specializing in the field, inviting them to participate in a conference entitled “The Security Challenges in the Middle East”.

According to Proofpoint, the invitations were not sent on first contact: before they appeared, the attackers held long conversations with the victims to gain their trust. Once that trust was established, the cybercriminals sent a registration link pointing to the compromised website, which was configured to steal a series of credentials.

“It’s important to point out that TA453 also targeted the personal email accounts of at least one of its targets,” explains the security company. “In subsequent phishing emails, TA453 changed tactics and began providing the registration link at the beginning of its engagement with the target, without requiring an extensive conversation.”

Hackers continue to evolve and adapt

In addition to the compromised SOAS page, the group also created fake login pages for services such as Gmail, iCloud and Yahoo to trick their victims. The cybercriminals’ intent was to use the login information collected to gain access to emails and other sensitive documents in an intelligence-gathering action.

Proofpoint says it believes the action has a direct connection with the Islamic Revolutionary Guard Corps (IRGC), a branch of the Iranian armed forces, due to its similarities to other attacks carried out in the past. According to the company, this is one of the most sophisticated TA453 operations it has recorded so far.

It is unknown whether the cybercriminals succeeded in their actions, and the compromised website was fixed as soon as those responsible for it were notified of the problem. “To be clear, the SOAS academic team, of course, has no involvement in this process, nor has any action or statement by the SOAS team caused them to be falsified in this way,” the institution assured in a statement sent to ZDNet.

According to Proofpoint, TA453 continues to iterate and innovate in its actions with the intention of providing data that supports the actions of the IRGC. The company warns that scholars, journalists and think tank members specializing in the Middle East will continue to be targets of the group and should be careful about the identity of individuals who promise opportunities in exchange for registering their personal data.