Universities and colleges around the world are being targeted by a new phishing campaign, according to fresh research published by RiskIQ.
Among the educational establishments to be hit by the Shadow Academy campaign are Louisiana State University (LSU) in the United States and Oxford, Brighton, and Wolverhampton Universities in the United Kingdom.
RiskIQ researchers got wind of Shadow Academy threat actors’ malicious activity at the beginning of July 2020, when it showed up on their internet intelligence graph.
By tracking the campaign from July to October 2020, researchers uncovered 20 unique targets in Australia, Afghanistan, the UK, and the USA.
According to researchers, the tactics, techniques, and procedures (TTPs) used across the campaign’s attacks were “similar” to those deployed by the Mabna Institute, an Iranian company that, according to the FBI, was created for illegally gaining access “to non-Iranian scientific resources through computer intrusions.”
Researchers found that 63% of the universities were targeted with general access or student portal attacks, 37% were targeted with library-themed attacks, and 11% of the universities were hit with attacks themed around financial aid.
LSU, which suffered a student portal domain shadowing attack, was the first target identified by RiskIQ crawl data.
“Domain shadowing intercepts account traffic flowing to existing, registered, and otherwise trustworthy web domains,” wrote researchers.
“First, threat actors steal domain account credentials. They then register unauthorized subdomains to point traffic to malicious servers or, in this case, create phishing pages.”
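The defender-side counterpart to the registration step the researchers describe is a zone audit: compare a current export of your own DNS zone against a known-good baseline and flag any subdomain that is new or has been repointed. This is an added example, not code from the article or from RiskIQ; the institution name, records and netblock are constructed (RFC 5737 documentation addresses).

```python
import ipaddress

# Constructed sample data: the subdomains an institution knowingly publishes
# (baseline) and a later export of the same zone from the DNS provider.
BASELINE = {
    "www.example-university.edu": "203.0.113.10",
    "portal.example-university.edu": "203.0.113.20",
    "library.example-university.edu": "203.0.113.30",
}
SNAPSHOT = {
    "www.example-university.edu": "203.0.113.10",
    "portal.example-university.edu": "198.51.100.5",          # repointed off-campus
    "library.example-university.edu": "203.0.113.30",
    "student-login.example-university.edu": "198.51.100.77",  # new, off-campus host
    "finaid-secure.example-university.edu": "203.0.113.40",   # new, on-campus host
}
# Netblocks the institution actually controls (constructed).
OWNED_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def audit_zone(baseline, snapshot, owned_nets):
    """Return one finding per record that is new or changed since the baseline.

    A new or repointed name resolving outside the institution's own netblocks is
    the domain-shadowing pattern and is rated high; changes that stay inside
    owned space are rated review, since they may be legitimate but unrecorded."""
    findings = []
    for name, addr in sorted(snapshot.items()):
        if name in baseline and baseline[name] == addr:
            continue  # unchanged, known record
        kind = "new" if name not in baseline else "changed"
        ip = ipaddress.ip_address(addr)
        in_owned = any(ip in net for net in owned_nets)
        findings.append({
            "subdomain": name,
            "address": addr,
            "kind": kind,
            "severity": "review" if in_owned else "high",
        })
    return findings


if __name__ == "__main__":
    for f in audit_zone(BASELINE, SNAPSHOT, OWNED_NETS):
        print(f"[{f['severity']}] {f['kind']}: {f['subdomain']} -> {f['address']}")
```

Run it on a scheduled export of each zone you own; a record owner's own change-management tickets should account for every `review` finding, and any `high` finding warrants checking the registrar and DNS-provider accounts for compromised credentials.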
Researchers discovered that Shadow Academy had hosted similar malicious infrastructure to orchestrate attacks against three other universities.
“RiskIQ’s internet intelligence graph helped unearth a new batch of compromised domains by keying in on the URL structure and date range of registration,” noted researchers.
“Subdomains created from these domains spanned multiple campaign themes, which focused primarily on credential harvesting and financial theft.”
The credential-harvesting URLs detected by researchers were mainly focused on services like Amazon, Instagram, and online banking.
Researchers believe the timing of the campaign’s launch was chosen to coincide with the July release of timelines for on-campus operations by many college campuses.