For example, a recent campaign targeting an Australian university used the persona "Jonathon Dixon," while the persona identity "Shinsuke Hamada" was previously used in an email lure targeting a Japanese school. The group has used domains on other TLDs, though rather sparingly. The actors likely scrape the original HTML source code from the legitimate library login page, then edit the references to resources used to render the webpage (images, JavaScript, CSS, etc.) to point back to the original page, a common tactic among (right).
Like the overall content of their lures, the subject lines of Silent Librarian phishing emails have remained consistent over time. Some of the other recent TLDs associated with Silent Librarian domains include . At the beginning of 2017, Silent Librarian began to regularly obtain free Let's Encrypt SSL certificates for their phishing pages.
To date, we have identified more than 750 phishing attacks attributed to Silent Librarian dating back to September 2013.
These attacks have targeted more than 300 universities in 22 countries.
Some of the phishing emails, though, have been sent from temporary Gmail addresses.
Spelling and grammar, two of the primary indicators of a malicious email, are nearly perfect.
Body of an email lure sent to an American university in February 2014.
Body of an email lure sent to an Australian university in October 2017.
The names of these personas have evolved over time; however, the group has used the personas "Sarah Miller" and "Susan Jackson" frequently in recent campaigns. The URLs associated with the phishing pages closely mirror the full legitimate URL path of the account login page for the target university library.
The group also changes the names of the personas to match the location of the target university. The content of Silent Librarian phishing pages is almost identical to the legitimate target sites.
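Because the cloned pages load their images, JavaScript and CSS from the original site and reuse its login URL path, the legitimate library web server sees those resource requests arrive with a Referer from an outside host. The following is an added example, not code from the original report, that scans combined-format access logs for that pattern; the domain `example.edu`, the `/login` path and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumed values for illustration; none come from the report.
TRUSTED_SUFFIX = "example.edu"   # hypothetical university domain
LOGIN_PATH = "/login"            # hypothetical library login path
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".svg", ".ico")

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

def foreign_hotlinks(lines, trusted=TRUSTED_SUFFIX, login_path=LOGIN_PATH):
    """Count static-resource requests whose Referer is an outside host.

    Returns {referer_host: {"hits": int, "mirrors_login_path": bool}}.
    """
    findings = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        try:
            req_path = urlsplit(m["path"]).path.lower()
            ref = urlsplit(m["referer"])
            host = (ref.hostname or "").lower()
        except ValueError:  # malformed URL in the log line
            continue
        if not req_path.endswith(STATIC_EXT):
            continue
        # Exact or dot-anchored match, so "example.edu.phish.invalid" is not trusted.
        if not host or host == trusted or host.endswith("." + trusted):
            continue
        entry = findings.setdefault(host, {"hits": 0, "mirrors_login_path": False})
        entry["hits"] += 1
        if ref.path.rstrip("/") == login_path.rstrip("/"):
            entry["mirrors_login_path"] = True
    return findings

# Constructed sample log lines (documentation IP ranges, .invalid hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2017:09:12:01 +0000] "GET /assets/site.css HTTP/1.1" 200 5120 "https://library.example.edu/login" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2017:09:13:44 +0000] "GET /assets/logo.png HTTP/1.1" 200 20480 "https://library.example.edu.phish.invalid/login" "Mozilla/5.0"',
    '198.51.100.24 - - [10/Oct/2017:09:13:45 +0000] "GET /assets/site.css HTTP/1.1" 200 5120 "https://library.example.edu.phish.invalid/login" "Mozilla/5.0"',
    '192.0.2.50 - - [10/Oct/2017:09:14:02 +0000] "GET /assets/logo.png HTTP/1.1" 200 20480 "https://search.invalid/results?q=library" "Mozilla/5.0"',
    '192.0.2.51 - - [10/Oct/2017:09:15:10 +0000] "GET /login HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]
```

Hosts flagged with `mirrors_login_path` set are the ones worth triaging first; other foreign referers are often benign embeds or search results.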
Each of the Silent Librarian lures ends with a very realistic-looking closing signature containing contact information for the target library.