We have been alerted to the activities of a politically-motivated phishing “crew” targeting (amongst others) the Higher Education sector with particular reference to academics with interests in Russia and Ukraine.
The attacks look to be targeted to specific individuals with reconnaissance being carried out in advance using social media (specifically LinkedIn) or other public information (OSINT). The attacker will then create email accounts at consumer email providers with email addresses configured to resemble known contacts.
The attacker will then contact the target very often with an initially benign email before mentioning a missing attachment (with a topic of interest). A reply will result in a “weaponized” email being sent which may consist of the following forms :-
- A website link to malicious content.
- An attached PDF with a website link to malicious content.
- A link to a Microsoft OneDrive share containing a PDF with a website link to malicious content.
The website link is usually a link to a credentials acquisition site – i.e. it will capture usernames and passwords. And then will show some innocuous (and relevant) information.
To defend against such attacks :-
- If you are working, turn on the GlobalProtect VPN. There are some additional defences against phishing when you go through the University firewall (which includes the VPN).
- Be suspicious of new contacts – does the email address match previously published email addresses? Does it look like a personal address rather than an academic address?
- Be suspicious of old contacts who exhibit a change – are they using their usual email address? Has the tone of their language changed?