Iranian Hackers Deploy New Spear-Phishing Techniques
The Iranian state-sponsored threat actor known as Charming Kitten employed new spear-phishing methods in a campaign observed in August and September, according to researchers from ClearSky.
The attacks are related to a campaign aimed at a 2020 US presidential candidate, which targeted government officials, media figures, and prominent Iranian expatriates; of 241 accounts targeted, four are known to have been compromised.
“Iran was not known as a country that tends to interfere in elections around the world. From a historical perspective, this type of cyber activity had been attributed mainly to the Russian APT groups,” ClearSky notes in its report.
Charming Kitten, a group also tracked as APT35, Ajax Security Team, NewsBeef, Newscaster, and Phosphorus, has been targeting activists and journalists focusing on the Middle East, US organisations, and entities located in Israel, the U.K., Saudi Arabia and Iraq.
As part of the newly observed campaign, ClearSky says, the group used four different spear-phishing methods, delivered by email and SMS and built on impersonation of file-sharing notifications, account-security alerts, and social networks, all aimed at harvesting login credentials.
- The first impersonation vector was an email with a link that appeared to come from Google Drive or from a colleague’s email address. Social engineering is used to trick the victim into entering their login credentials on the linked page.
- Another vector used SMS messages containing a link and claiming to warn the recipient of an attempt to compromise their email account. As in the previous vector, the link points to a URL-shortening service that redirects to a malicious website phishing for the victim’s credentials.
- A third vector used a fake unauthorised-login alert, in which the intended victim is told that a North Korean attacker tried to compromise their Yahoo email account and is asked to secure it. In an earlier variant, the victim was told that someone from North Korea had changed their email recovery options.
- The fourth attack vector employed recently by Charming Kitten was social network impersonation. In an attempt to grab login credentials, the attackers have created fake sites for Instagram, Facebook, Twitter, Google, and the National Iranian-American Council.
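The four lures above share a small set of observable traits: a link whose host borrows a brand name but is not the brand’s domain, a shortener link, account-security wording (unauthorised login, recovery options, "secure your account"), and a sender display name that does not match the sending domain. The following is an added example, not code from the ClearSky report or from the campaign itself, that scores email and SMS messages on those traits. The brand allowlist, shortener list, lure phrases, weights, and the three sample messages are all constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of legitimate hosts per impersonated brand (not from the report).
BRAND_DOMAINS = {
    "google":    {"google.com", "accounts.google.com", "drive.google.com"},
    "yahoo":     {"yahoo.com", "login.yahoo.com"},
    "instagram": {"instagram.com"},
    "facebook":  {"facebook.com"},
    "twitter":   {"twitter.com"},
}

# Assumed list of URL-shortening services.
URL_SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co", "is.gd", "ow.ly"}

# Lure phrases matching the account-security pretexts described in the article.
LURE_PATTERNS = [
    r"unauthori[sz]ed (login|sign[- ]?in)",
    r"(login|sign[- ]?in) attempt",
    r"recovery (option|email|phone)",
    r"secure your account",
    r"(verify|confirm) your (account|identity)",
    r"password (reset|recovery)",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# Weights are an assumption: a lookalike host or a forged sender outweighs wording alone.
WEIGHTS = {"shortener": 2, "lookalike": 3, "lure": 1, "sender_mismatch": 3, "sms_account_alert": 2}


def registrable_domain(host):
    """Naive last-two-labels heuristic; use a public-suffix list in production."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def legit_registrables(brand):
    return {registrable_domain(d) for d in BRAND_DOMAINS[brand]}


def extract_urls(text):
    return URL_RE.findall(text)


def is_shortener(url):
    return registrable_domain(urlparse(url).hostname or "") in URL_SHORTENERS


def impersonated_brand(url):
    """Return the brand name if the host mentions a brand but is not one of its real domains."""
    host = (urlparse(url).hostname or "").lower()
    for brand in BRAND_DOMAINS:
        if brand in host:
            if host in BRAND_DOMAINS[brand] or registrable_domain(host) in legit_registrables(brand):
                return None
            return brand
    return None


def lure_phrases(text):
    t = text.lower()
    return [p for p in LURE_PATTERNS if re.search(p, t)]


def sender_mismatch(display_name, from_addr):
    """Display name claims a brand but the address domain is not that brand's."""
    name = display_name.lower()
    dom = from_addr.rsplit("@", 1)[-1].lower()
    for brand in BRAND_DOMAINS:
        if brand in name and registrable_domain(dom) not in legit_registrables(brand):
            return brand
    return None


def score_message(msg):
    """msg: dict with 'channel' ('email' or 'sms'), 'body', optional 'from_name'/'from_addr'."""
    indicators = []
    for url in extract_urls(msg["body"]):
        if is_shortener(url):
            indicators.append(("shortener", url))
        brand = impersonated_brand(url)
        if brand:
            indicators.append(("lookalike", brand, url))
    for p in lure_phrases(msg["body"]):
        indicators.append(("lure", p))
    if msg.get("from_name") and msg.get("from_addr"):
        b = sender_mismatch(msg["from_name"], msg["from_addr"])
        if b:
            indicators.append(("sender_mismatch", b))
    # An account-security alert arriving by SMS is itself suspicious for webmail providers.
    if msg["channel"] == "sms" and any(i[0] == "lure" for i in indicators):
        indicators.append(("sms_account_alert",))
    return sum(WEIGHTS[i[0]] for i in indicators), indicators


# Constructed sample messages modelled on the lures described above (not real artifacts).
SAMPLES = [
    {"channel": "email", "from_name": "Google Drive", "from_addr": "share@drive-docs-share.example",
     "body": "A colleague shared a document with you. Open it here: https://accounts.google.com.docs-view.example/login"},
    {"channel": "sms",
     "body": "Yahoo: unauthorized login attempt from North Korea. Secure your account: https://bit.ly/example"},
    {"channel": "email", "from_name": "Drive team", "from_addr": "noreply@google.com",
     "body": "Your weekly storage report is ready: https://drive.google.com/settings"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        s, ind = score_message(m)
        print(f"{m['channel']:5} score={s} {ind}")
```

The scoring is deliberately simple; the point is that the campaign’s lures are recognisable from message structure alone, before any link is followed. In a real pipeline, the shortener indicator should trigger controlled resolution of the redirect chain in a sandbox so the final landing host can be run through the same lookalike check.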
Although not new for Charming Kitten, targeting Yahoo accounts is something the group had not done for a couple of years. Since 2017 the group has focused on Google accounts, but it now appears to be targeting Yahoo accounts and impersonating Yahoo services again.