Possible Phishing Campaign Against Academic Institutions

Introduction

On 26 and 27 April 15, multiple colleagues from my department received a phishing email from legitimate, but likely compromised emails from Indian-based academic institutions. The objective was likely an attempt at stealing email credentials from the target.

Analysis

The details of one of the emails received are included below:

The email was sent with “Low Importance”, probably as a way to attract additional attention: many people ignore the “Urgent” flag because they receive so many urgent emails, while emails carrying the “Low Importance” flag and icon are far less common. Because users rarely see low importance emails, they tend to open them before the urgent ones.

While the message was caught as SPAM by Symantec, this is clearly more than a spam attempt: it tries to lure the target to a ContactMe page in order to receive an upgrade to their webmail application. The “Contact Me” page requests information about the user and their credentials. Of note, many of the characters on the page are accented for some reason – possibly as a way to bypass content restrictions of the service:

Phishing ContactMe webpage sent to my email account.

Once the target fills in the information and clicks “Send Message”, a thank you note is displayed. Using the ContactMe website spares the operator from having to stand up a web server and buy or register a domain; that approach leaves a lot of traces, but ultimately may look more convincing, as a self-hosted page is not subject to any content restrictions.

The sender’s email is pprusti@immt.res.in, which, based on the domain suffix, belongs to the Institute of Minerals and Materials Technology, an advanced research institute covering fields from mineralogy to materials engineering, established in Bhubaneswar, Odisha. A contact page on the website links the email address to Ms. Pallishree Prusti, from the Mineral Department. Therefore, this is a legitimate email address, which more than likely has been compromised.

Email of Ms. Pallishree Prusti from the Website of the IMMT

Similar emails from a different sender, systemadmin.net@muhas.ac.tz, were reported as well. This time, the email address is associated with the Muhimbili University of Health and Allied Sciences (MUHAS) in Tanzania.

In this operation, the targeted emails were academic addresses. It appears that the operator may be targeting academic personnel by sending fake email upgrade notifications. It is unclear where the adversarial operator found the target email addresses. While this operation does not appear advanced or sophisticated in any way, it is very targeted. The adversary in this case may only be some student phishing for papers he can sell online or use for his own degree.

Indicators (for signatures)

  • http://www.contactme.com/553d4f488ed40c000300bde2
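As an added example (not part of the original post), a small Python checker that scores a raw email against the three signals described above: the “Low Importance” flag, the ContactMe indicator URL, and an unusual density of accented characters in the body. The sample message and its addresses are constructed, and the mapping of the flag to the `Importance: low` / `X-Priority: 5` headers is assumed from Outlook conventions.

```python
import email
import re
import unicodedata
from email import policy

# Indicator URL quoted in the post; everything else here is constructed.
INDICATOR_URLS = {"http://www.contactme.com/553d4f488ed40c000300bde2"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def accented_ratio(text):
    """Fraction of letters that decompose to a base letter plus a combining accent."""
    letters = [c for c in text if c.isalpha()]
    if not letters:
        return 0.0
    accented = sum(1 for c in letters
                   if any(unicodedata.combining(d) for d in unicodedata.normalize("NFD", c)))
    return accented / len(letters)

def score_message(raw_bytes):
    """Return the list of phishing signals found in a raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    signals = []
    # Signal 1: the "Low Importance" flag (assumed Outlook headers: Importance: low / X-Priority: 5).
    importance = (msg.get("Importance") or "").strip().lower()
    priority = (msg.get("X-Priority") or "").strip()
    if importance == "low" or priority.startswith("5"):
        signals.append("low-importance-flag")
    # Signal 2: the known ContactMe URL anywhere in the body text.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    if any(u.rstrip(".,)") in INDICATOR_URLS for u in URL_RE.findall(text)):
        signals.append("indicator-url")
    # Signal 3: high density of accented letters, measured with URLs stripped out.
    if accented_ratio(URL_RE.sub("", text)) > 0.2:
        signals.append("accented-text")
    return signals

# Constructed sample resembling the lure; addresses are placeholders, not the real senders.
SAMPLE = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: Webmail upgrade
Importance: low
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

Plëäsé úpgrädé yöür wébmäil hére: http://www.contactme.com/553d4f488ed40c000300bde2
""".encode("utf-8")
```

Running `score_message(SAMPLE)` returns all three signal names; a plain English message with no flag and no indicator URL returns an empty list.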

Conclusion

This phishing email may just be another one amongst many others and does not appear to come from a highly skilled operator. While the campaign appears targeted at academic institutions, it does not appear to target a specific field of activity. If you have encountered this email, please leave a comment with some information that would help determine whether this specific operation is targeted or just another large campaign from a criminal group or a botnet.
