Spear-Phishing Campaign Uses Compromised Spear-Fishing Site

Security researchers have discovered a spear-phishing campaign which uses a compromised Russian spear-fishing site to host an information-stealing Outlook page.

Messaging security company Proofpoint spotted the irony-laden attack, which was targeted at recipients in several universities, according to a blog post.

“The payload was a very realistic looking form that could easily trick unsuspecting students, faculty, or staff at the targeted organizations into providing their Outlook Web Access credentials, which frequently double as their domain and other logins,” Proofpoint explained.

“An attacker who spears even a single user would gain valuable access to email addresses, inbox contents, calendaring and potentially other services that would enable them to move laterally within the targeted university to higher value resources, such as financial and health care records, research data and other prizes.”

Quite why the attackers chose to host the credential-stealing Outlook Web Access page on a compromised spear-fishing site is unclear – after all, there's always a chance it was simply a coincidence.

However, the effect of falling for the bait would be the same: the victim would unwittingly allow a targeted attack to covertly infiltrate the organization and steal valuable data.

Tertiary education institutions are particularly at risk from such attacks, according to Proofpoint.

“Universities are a rich repository of user and research data, with a fluid student body and a user base that demands openness and access,” it explained.

Spear-phishing is probably the most common method used by hackers to begin APTs and targeted attacks.

FireEye’s Regional Advanced Threat Report for 1H 2014 analysed data from its cloud-based intelligence network to reveal that APT-style attacks doubled across EMEA from a little over 10% in January to almost 20% in June 2014.

Backing up these claims, Proofpoint revealed last September that unsolicited emails in UK inboxes are three times as likely to contain malicious URLs as those in the US.

Spear-phishing isn’t the only tool in the APT attacker’s arsenal, however: watering-hole attacks are also a popular method of compromising victims in the first stage of a campaign.
