Iranian Phishers Use Journalist’s Identity to Steal Info

Security researchers have discovered a new phishing campaign from Iranian state-linked hackers which uses the lure of an interview with a noted journalist to trick recipients into clicking.

The latest operation is the work of the Charming Kitten group, which was identified by London security vendor Certfa through the servers and settings it used in previous attacks, alongside other techniques.

It’s primarily designed to harvest email account info from journalists and political and human rights activists, as well as information about their contacts and networks.

The campaign is notable for spoofing the identity of a former Wall Street Journal writer, Farnaz Fassihi, to set up a non-existent interview with the recipient. However, the phishers made a glaring mistake: Fassihi is now at the New York Times, rendering the WSJ masthead on the email more than a little incongruous. The email also comes from a Gmail account.

The attackers use shortened links to legitimate sources in the footnotes of the email, enabling them to gain valuable basic information about the victim’s device, including IP address, type of operating system and browser.

“After communication and relative trust are established through the initial email, hackers send their victim an exclusive link as a file that contains the interview questions. According to our samples, Charming Kitten has been using a page that is hosted on Google Sites,” Certfa explained.

“This method is a relatively new tactic that has been widely used in phishing attacks by hackers in the past year in order to make the targets trust the destination domain. After clicking the download button on the Google Site page the target is sent to another fake page in two-step-checkup site domain where login credential details of his/her email such as the password and two-factor authentication (2FA) code are requested by phishing kits.”

The researchers also uncovered a new piece of backdoor malware, pdfreader.exe, which changes Windows’ Firewall and Registry settings to run automatically, gather device information and run new malware remotely on the machine.

Stay up-to-date with the latest information security trends and topics by registering for Infosecurity Magazine’s next Online Summit. Find out more here.

What’s Hot on Infosecurity Magazine?