Inquiry Posing Interview Questions Designed to Steal Credentials
In a recently discovered phishing campaign, hackers attempted to steal victims’ passwords and credentials by posing as a former Wall Street Journal reporter and sending documents with potential interview questions, according to London-based security firm Certfa Lab.
The campaign, which started in November 2019 and appears to be ongoing, was created to target prominent Iranian figures, including Iranian-born German academic Erfan Kasraie, according to Certfa’s report released Wednesday.
Certfa analysts believe that the advanced persistent threat group Charming Kitten, which is believed to have ties to Iran, is responsible for these phishing emails. The group, also known as APT35, Phosphorus and Ajax Security Team, has been targeting journalists, activists and other victims throughout the Middle East and beyond since at least 2013, according to a federal lawsuit that Microsoft filed against the group in 2019 (see: Microsoft Takes Control of 99 Websites From APT Group).
Over the years, Certfa researchers have tracked phishing and credential-stealing campaigns associated with Charming Kitten, including a 2018 incident in which threat actors attempted to target U.S. Treasury officials as well as others when the U.S. imposed new sanctions against Iran, according to the Associated Press.
“Our findings show that these new attacks by Charming Kitten are focused on stealing email account information of the victims and finding information about their contacts [and] networks,” Certfa researchers note in their new report. The study, however, does not say whether the phishing emails that targeted Kasraie and others were successful in compromising their passwords and other credentials, and a spokesperson for Certfa says that the campaign has not been successful, although not all victims may have come forward yet.
As part of the new campaign, hackers attempted to target several prominent Iranian expatriates by posing as Iranian-American journalist Farnaz Fassihi, a former Wall Street Journal reporter who covered the Middle East and now works at The New York Times, according to Certfa researchers.
The phishing emails are designed so they fraudulently appear to originate from the personal Gmail account of Fassihi to help lure victims into responding, the researchers add.
One of the tipoffs that these emails were phishing lures is that Fassihi recently moved to the New York Times and wouldn’t be seeking interviews with subjects for the Journal, according to the report. Kasraie was one of the recipients of these phishing messages.
Hackers embed social media links in the email messages to legitimate Journal and Dow Jones websites using a URL shortener. If the target of the email clicks on the link, they are directed to the news sites. In the background, however, the hackers start to obtain information about the victim’s device, such as IP address, the type of operating systems it uses as well as details from the browser history, according to the Certfa report.
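As an added illustration, not code from the article or from Certfa, the following Python triage check looks for the two tipoffs the article describes in the initial lure: a display name that claims a news organization while the message actually comes from a personal Gmail (or other free webmail) address, and links hidden behind a URL shortener so the real destination is not visible before clicking. The two sample messages, the shortener list, the free-mail list and the organization names are constructed assumptions for the example, not indicators from the report.

```python
import email
import email.utils
import re
from email import policy
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample modelled on the lure described above: a display name that
# claims a newsroom, a free-mail sender and a shortened link. The addresses and
# the link are placeholders, not indicators taken from the Certfa report.
SUSPICIOUS_EMAIL = b"""From: "Wall Street Journal Reporter" <reporter.example@gmail.com>
To: target@example.org
Subject: Interview request
Content-Type: text/plain; charset="utf-8"

Hello, I would like to interview you for the Journal.
You can see some of our recent coverage here: https://bit.ly/xxxxxxx
Kind regards
"""

# Constructed benign counterpart: organizational sender domain, direct link.
BENIGN_EMAIL = b"""From: "Newsroom Desk" <desk@example-news.test>
To: target@example.org
Subject: Interview request
Content-Type: text/plain; charset="utf-8"

Hello, our latest story is at https://www.example-news.test/story/123
Kind regards
"""

# Assumed lists a defender would maintain; extend as needed.
SHORTENER_DOMAINS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd", "buff.ly"}
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "protonmail.com"}
CLAIMED_ORGS = ("wall street journal", "wsj", "dow jones", "new york times")

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def extract_urls(body: str) -> List[str]:
    """Return every http(s) URL found in the message body."""
    return URL_RE.findall(body)


def analyse(raw: bytes) -> Dict:
    """Flag a message whose display name claims a newsroom but whose sender is a
    free webmail account, and any link that goes through a public URL shortener."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_name, from_addr = email.utils.parseaddr(msg["From"])
    sender_domain = from_addr.rsplit("@", 1)[-1].lower()
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    urls = extract_urls(body)

    findings = []
    claimed = [org for org in CLAIMED_ORGS if org in from_name.lower()]
    if claimed and sender_domain in FREEMAIL_DOMAINS:
        findings.append(
            f"display name claims '{claimed[0]}' but sender domain is free webmail: {sender_domain}"
        )
    for url in urls:
        if urlparse(url).hostname in SHORTENER_DOMAINS:
            findings.append(f"shortened link hides its destination: {url}")

    return {
        "sender": from_addr,
        "urls": urls,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_EMAIL), ("benign", BENIGN_EMAIL)):
        result = analyse(sample)
        print(label, result["suspicious"], result["findings"])
```

Neither signal proves a message is malicious on its own (journalists do sometimes write from personal accounts), so the output is meant to route a message to a human reviewer, who can then apply the kind of context the report relies on, such as whether the reporter still works where the email claims.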
Phishing email using Wall Street Journal logo (Source: Certfa)
Once the attackers establish a level of trust with the victims using that initial email, they then proceed to send a second message with a link to a page hosted on the cloud-based Google Sites platform that contains the interview questions as well as a Journal logo, according to the report.
“According to our samples, the Charming Kitten [group] has been using a page that is hosted on Google Sites,” according to the researchers. “This method is a relatively new tactic that has been widely used in phishing attacks by hackers in the past year in order to make the targets trust the destination domain. … By using this tactic, the hacker can evade the spam detections.”
If a victim clicks on the link for the interview questions, they are redirected to another fake page that asks for login credentials, including the password as well as a two-factor authentication code, which the phishing kit sent by the attackers is built to capture, the report says. The attackers are then able to collect additional details through that SMS message.
In the final stage of the phishing attacks, the hackers attempt to deploy malware that acts as a backdoor, according to the report. The malware alters Windows’ firewall and registry settings to allow the attackers to gather information from the infected device or deploy other malicious code, the researchers found.
The Certfa researchers categorized the strain as “a mid-level piece of malware” with “lack of design sophistication.” When analysts examined the code, however, they found similarities between the backdoor and other malicious tools associated with previous Charming Kitten campaigns.
“This new series of phishing attacks by the Charming Kitten are in line with previous activities seen from their group,” the study finds. “Some of these servers and domains are related to the recent attacks and some occurred during the second half of 2019.”
Charming Kitten Connections
In the past, Charming Kitten has used similar tactics to target private and government institutions, think tanks and academic institutions across the world.
In October 2019, a report by Microsoft found that Charming Kitten targeted email accounts associated with the Trump 2020 presidential campaign as well as current and former U.S. government officials, journalists covering global politics and prominent Iranian expats (see: Microsoft: Iran-Backed Group Targeted a Presidential Campaign).