State-sponsors hackers have been in the news for quite a while. With former NSA contractor, Edward Snowden exposed NSA’s Prism operation in 2012, basically a global espionage. The Lazarus group allegedly connected with North Korean regime, accused of being responsible for the Sony Pictures of America data breach of 2014 and WannaCry ransomware attacks of 2017. The alleged involvement of Huawei as part of China’s espionage agent and so on and so forth. State sponsored hacking and data mining has been there, promoting the interest of a nation and government they serve.
The latest news about state sponsored hacking has something to do with Iran, with Certfa (Computer Emergency Response Team in Farsi), a cybersecurity firm accusing Iran-sponsored entity of generating many phishing attempts against U.S. targets. Certfa’s official blog titled: ‘The Return Of The Charming Kitten’ details their expose.
“In early October 2018, MD0ugh, a Twitter user1, revealed phishing attacks of a group of Iranian hackers against US financial institution infrastructure. According to this user, these attacks could possibly be a reaction to new sanctions against Iran. The account mentioned a domain with the address accounts[-]support[.]services for the first time. This domain is linked to a group of hackers who are supported by the Iranian government, and that we believe have close ties with the Islamic Revolutionary Guard Corps (IRGC). A month after these attacks, the administrators of accounts-support[.]services expanded their activities and started targeting civil and human rights activists, political figures and also Iranian and Western journalists,” explained Certfa Lab.
Phishing attacks are the primary ways to extract information from unsuspecting users as well as for a method for 3rd parties to gain access to a system that they don’t have. Victims are also at risk of being subjected to identity theft, which can further damage their names at the later time, as the identity theft uses their information for fraudulent transactions.
“We also noticed that, unlike in previous phishing campaigns, in some cases the hackers did not change the password of their victims’ accounts in these latest attacks. This allows them to remain undetected and monitor a victim’s communications via their email in real time,” added Certfa Lab.
As per initial checks, the target victim will receive very convincing fake emails regarding their Gmail account. Such emails contain links to innocent-looking Google drive page, which turns-out as just a clone of the original. The victim’s browser is hijacked earlier in order to show that Google drive is actually accessed, complete with a green padlock showing the page is legitimately encrypted.
“By creating websites with the same design and look of Google Drive file sharing page, hackers pretend to be sharing a file with the user, which they should download and run it on their devices. They use hacked Twitter, Facebook and Telegram accounts to send these links and target new users. The truth is there is not any file and the hackers use this page to direct their targets to the fake Google login page, which the users enter their credential details including 2 factor authentication,” concluded Certfa Lab.
Iranian’s Foreign Ministry has not yet made any comment about the allegations at the time of this writing.