Some of the phishing emails, though, have been sent from temporary Gmail addresses.
A small number of lures have even been sent from what appear to be email accounts at various Turkish universities.
The names of these personas have evolved over time; however, the group has used the personas "Sarah Miller" and "Susan Jackson" frequently in recent campaigns. The URLs associated with the phishing pages closely mirror the full legitimate URL path of the account login page for the target university library.
Outside the correction of a few minor spelling errors, the content of the phishing lures has remained incredibly consistent.
For example, a recent campaign targeting an Australian university used the persona "Jonathon Dixon," while the persona identity "Shinsuke Hamada" was previously used in an email lure targeting a Japanese school. The group has used domains on other TLDs, though rather sparingly. The actors likely scrape the original HTML source code from the legitimate library login page, then edit the references to resources used to render the webpage (images, JavaScript, CSS, etc.) to point back to the original page, a common tactic among (right).
Like the overall content of their lures, the subject lines of Silent Librarian phishing emails have remained consistent over time. Some of the other recent TLDs associated with Silent Librarian domains include . At the beginning of 2017, Silent Librarian began to regularly obtain free Let's Encrypt SSL certificates for their phishing pages.
The details of the phishing attacks identified by PhishLabs give a broader sense of the overall threat posed by this group when read alongside the crimes outlined in the indictment.
While the indictment details the finely crafted spear phishing campaigns targeting university professors, the attacks tracked by PhishLabs also involved the general targeting of university students and faculty to collect credentials for the victims' university library accounts.
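Because the cloned pages keep loading images, JavaScript and CSS from the original site, the legitimate library web server sees asset requests whose Referer is a foreign host, often with the same path as the real login page. The following detection sketch is an added example, not code from the original article or from PhishLabs; the host names, login path and log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumptions (not from the article): host names, login path and log lines are constructed.
LEGIT_HOSTS = {"library.example-university.edu"}
LOGIN_PATH = "/patroninfo/login"
ASSET_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".svg", ".ico")

# Apache/nginx "combined" access log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def find_clone_referers(lines):
    """Return {referer_host: {"hits": n, "mirrors_login_path": bool}} for static
    asset requests that arrive with a Referer outside LEGIT_HOSTS."""
    findings = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if not urlsplit(m["target"]).path.lower().endswith(ASSET_EXT):
            continue  # only static assets are pulled in by a cloned page
        ref = urlsplit(m["referer"])
        host = (ref.hostname or "").lower()
        if not host or host in LEGIT_HOSTS:
            continue  # empty ("-") or own-site Referer is expected traffic
        entry = findings.setdefault(host, {"hits": 0, "mirrors_login_path": False})
        entry["hits"] += 1
        if ref.path.rstrip("/").lower() == LOGIN_PATH:
            entry["mirrors_login_path"] = True  # foreign page copies the real login path
    return findings

# Constructed sample lines from the legitimate library server's access log.
CLONE = "https://library.example-university.edu.login-portal.example/patroninfo/login"
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2018:10:00:00 +0000] "GET /static/site.css HTTP/1.1" 200 5120 "https://library.example-university.edu/patroninfo/login" "Mozilla/5.0"',
    f'198.51.100.7 - - [12/Mar/2018:10:01:02 +0000] "GET /static/site.css HTTP/1.1" 200 5120 "{CLONE}" "Mozilla/5.0"',
    f'198.51.100.7 - - [12/Mar/2018:10:01:03 +0000] "GET /static/logo.png HTTP/1.1" 200 9000 "{CLONE}" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Mar/2018:10:02:00 +0000] "GET /static/logo.png HTTP/1.1" 200 9000 "https://blog.example.org/post/1" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Mar/2018:10:03:00 +0000] "GET /static/app.js HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, info in find_clone_referers(SAMPLE_LOG).items():
        print(host, info)
```

A foreign Referer alone can be ordinary hotlinking; the `mirrors_login_path` flag is what separates a likely login-page clone from that noise and is the entry worth triaging first.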