During this period there has been a series of phishing attacks targeting the Gmail accounts of users in Iran. The attacks, which are believed to have originated within the country, coincided with the presidential election held on 14 June. The tactic was relatively simple: prospective victims were urged to click a link to perform account maintenance, which instead led to a fraudulent login page from which their username and password could be harvested. This campaign appears to be related to a larger and more sophisticated incident in 2011, in which attackers obtained fraudulent TLS certificates that allowed them to impersonate legitimate Google services, including the Gmail login page, and gain access to the email accounts of around 300,000 Iranians.
Though concrete attribution of such attacks is rarely possible, the choice of target, the scale, and the apparently political motivation of the campaign suggest that a state-sponsored entity was responsible. Such a campaign would be consistent with previous efforts by the Iranian regime to assert control over the Internet and to crack down on potential dissenters and activists at times of political turmoil.
Though this development does not at first appear to have security implications beyond Iran, the surge of domestically focused phishing attacks has coincided with a lull in the series of Distributed Denial of Service (DDoS) attacks targeting the US banking system. Those attacks, which began in September 2012 and have since targeted 50 financial institutions in over 350 separate incidents, have slowed noticeably in the past month, at the same time as the phishing attacks rose. This timing suggests the existence of a small but dedicated organisation carrying out cyber attacks on a range of domestic and international targets on behalf of the state. Although the evidence remains circumstantial, this development would appear to support our earlier assessment that the Iranian state is in some way involved in the attempted disruption of the US financial sector.
In the wake of the election, there remains a possibility that the responsible parties will renew their earlier efforts, with internal political distractions having provided only a brief respite from the prolonged series of DDoS attacks. Despite the US administration’s refusal to intervene directly, because of the inevitable deterioration in relations that such a move would bring, we assess that the prospects for widespread disruption from this particular vector remain limited. The US private sector has effectively managed its own defence and increasingly nullified the attacks, with information sharing within the industry and the use of commercial DDoS protection providers integral to that strategy. Although there is currently little indication that UK-based institutions will be targeted, the success of US counterparts in protecting key assets from this threat is worth noting.
The last fortnight has also seen eight people charged following an extended fraud operation targeting banks and financial institutions in the US. The group was able to gain access to accounts at organisations including Citibank, JP Morgan Chase, and PayPal, transferring funds to secondary accounts and withdrawing cash. Although the specific attack vector remains unclear – social engineering through social media appears to be an increasingly popular means of initial compromise – current estimates suggest at least $15 million was stolen in this fashion.
This episode reaffirms our previous assessment that consumer demand for easy access, combined with the business imperative to shift customers to online banking platforms, means the institutions involved are likely to continue to reimburse those suffering losses rather than implement more robust security controls. The continuing inability of antivirus software to detect a significant proportion of banking malware (some estimates suggest 70% goes unnoticed) underlines the need to take this risk seriously.