An Iranian APT group has been spotted building a phishing site that uses the cybersecurity company which outed it as a lure.
Charming Kitten has been in operation since 2014 and its activities were laid bare in a December report by Israeli security vendor Clearsky Security.
The firm claimed to have found more than 85 IP addresses, 240 malicious domains, hundreds of hosts, multiple fake entities and potentially thousands of victims linked to the group.
In a series of tweets this week, the firm said it had discovered the same group building a phishing site designed to capitalize on interest in the vendor’s findings.
“The fake website is clearskysecurity\.net (the real website is http://clearskysec.com ). They copied pages from our public website and changed one of them to include a ‘sign in’ option with multiple services,” it said.
“These sign in options are all phishing pages that would send the victim's credentials to the attackers. Our legitimate website does not have any sign in option. It seems that the impersonating website is still being built because some of the pages have error messages in them.”
One of the fake pages even displayed content of a previously outed Charming Kitten campaign, according to the firm.
The group is just one of a growing list of Iranian APT groups most likely backed by the government. These include APT34, observed most recently by FireEye back in December targeting governments in the Middle East.
Also notable is the CopyKittens group uncovered by Clearsky and Trend Micro. Dating back to 2013, it’s focused on stealing data from Western and Middle Eastern government, defense and academic organizations via custom and commercial tools.