15 January 2021

Iranian cyberspies took advantage of Christmas to launch spearphishing attacks


A cyber-espionage group thought to be working on behalf of the Iranian government used the recent Christmas holidays to launch a mobile phishing campaign directed against targets in the Persian Gulf, Europe, and the U.S., including think tanks, political research organizations, professors, journalists, and environmental activists.

The hacker group known as Charming Kitten, APT35 or Phosphorous sent fake text messages from “Google Account Recovery” and fake emails with Christmas-themed content, according to a new report from CERFTA, a cybersecurity team focused on tracking Iranian cybercriminals and state-sponsored hackers.

“The group started the new round of attacks at a time when most companies, offices, organizations, etc. were either closed or half-closed during Christmas holidays and, as a result, their technical support and IT departments were not able to immediately review, identify, and neutralize these cyber incidents. Charming Kitten has taken full advantage of this timing to execute its new campaign to maximum effect,” the team said.

The hackers focused their attacks on individuals’ online accounts, especially personal email (Gmail, Yahoo! and Outlook) and business email (organization and university accounts). Once they had compromised an account with stolen credentials, they exfiltrated sensitive data from it.

To compromise targets the group used two methods. The first involved a fake ‘Google Account Recovery’ SMS message purporting to come from Google. The message contained a link that, after passing through intermediate redirects, eventually led the user to the final phishing domains.

In the second scenario the hackers sent fake emails with deceptive subject lines such as “Merry Christmas” or messages claiming to share a note, book or photo. These emails were usually sent from previously compromised email accounts.

“Our examination shows the hackers have used a mix of services such as ‘script.google.com’ and ‘iplogger.org’ in this campaign in order to create a chain of redirection to obfuscate their hacking operations. Redirection links initially help bypass the security layers in email services, and then provide the attackers more control to redirect the target to the final URL,” the CERFTA researchers explained.
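One way to surface the redirect chains the researchers describe, as an added example that is not part of the original article or of the CERFTA report: extract the links from a message body, follow each one hop by hop, and flag links that pass through a known redirector or click-logger service before landing on a domain outside those services. The two redirector hosts are the ones named above; the redirect table, the sample email and SMS text, and the final phishing domain are all constructed for this example (a live implementation would issue requests with redirects disabled and read the Location header instead).

```python
import re
from urllib.parse import urlparse

# Services used as redirect hops in the campaign. Both are named in the report;
# extend the set with your own intelligence.
REDIRECTOR_HOSTS = {"script.google.com", "iplogger.org"}

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)

# Constructed stand-in for live HTTP 30x responses so the example runs offline.
# Every URL below is made up for illustration.
FAKE_REDIRECTS = {
    "https://script.google.com/macros/s/AKfycbxEXAMPLE/exec":
        "https://iplogger.org/2Example",
    "https://iplogger.org/2Example":
        "https://accounts-google-recovery.example/signin",
}

# Constructed sample messages mirroring the two lures in the article.
SAMPLE_EMAIL = """Merry Christmas! I am sending you a photo from the holidays:
https://script.google.com/macros/s/AKfycbxEXAMPLE/exec
Our office greeting card is here: https://www.example.org/holiday-card.
"""
SAMPLE_SMS = ("Google Account Recovery: suspicious sign-in detected, "
              "verify at https://iplogger.org/3Example")


def extract_urls(text):
    """Return the URLs in a message body, stripped of trailing punctuation."""
    return [u.rstrip(".,;:!?") for u in URL_RE.findall(text)]


def resolve_chain(url, redirects=FAKE_REDIRECTS, max_hops=10):
    """Follow a redirect chain and return every hop, starting URL included.
    Stops on a loop or after max_hops so a hostile chain cannot spin forever."""
    chain = [url]
    seen = {url}
    while url in redirects and len(chain) <= max_hops:
        url = redirects[url]
        if url in seen:
            break
        chain.append(url)
        seen.add(url)
    return chain


def looks_like_google_impersonation(host):
    """Brand name present in a hostname that is not actually under google.com."""
    return "google" in host and not (host == "google.com"
                                     or host.endswith(".google.com"))


def classify_link(url, redirects=FAKE_REDIRECTS):
    """Classify one link by the hosts its redirect chain passes through."""
    chain = resolve_chain(url, redirects)
    hosts = [urlparse(u).hostname or "" for u in chain]
    via_redirector = any(h in REDIRECTOR_HOSTS for h in hosts)
    final_host = hosts[-1]

    if via_redirector and len(chain) > 1 and final_host not in REDIRECTOR_HOSTS:
        # Chain entered a redirector service and exited to an outside domain.
        verdict = "redirect_chain_to_external"
    elif via_redirector:
        # Points at a redirector but we could not (or did not) resolve it.
        verdict = "redirector_unresolved"
    else:
        verdict = "clean"

    return {
        "url": url,
        "verdict": verdict,
        "chain": chain,
        "lookalike": looks_like_google_impersonation(final_host),
    }


def scan_message(text, redirects=FAKE_REDIRECTS):
    """Classify every link found in a message body."""
    return [classify_link(u, redirects) for u in extract_urls(text)]


if __name__ == "__main__":
    for result in scan_message(SAMPLE_EMAIL) + scan_message(SAMPLE_SMS):
        print(result["verdict"], "->", " => ".join(result["chain"]),
              "(brand lookalike)" if result["lookalike"] else "")
```

Resolving the chain is what makes the difference: the first hop is a legitimate Google-owned host and will pass most reputation checks on its own, which is exactly why the attackers used it; only the final landing domain reveals the lure.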

“Charming Kitten has been constantly active in recent months and has executed other attacks at the time of writing this report. In reviewing related activity patterns of Charming Kitten and information about the infrastructure used by this hacking group, we believe the extent and scale of this campaign is significant in comparison with previous activity of Charming Kitten,” they added.
