Iranian cyber espionage groups have been linked to a large-scale and sophisticated campaign targeting members of the nation’s diaspora and at least one Western-based activist. The campaign uses a range of tactics to gain access to targets’ Gmail accounts, with one approach impersonating Gmail’s security measures to circumvent a user’s two-factor authentication. Two-factor authentication (2FA) has been implemented by a range of service providers to add a second layer of security on top of passwords. The system requires users to enter a verification code, sent to them by the service provider, in addition to their password in order to log on.
The current campaign seeks to circumvent this security provision by sending the target a falsified SMS notification purporting to be from Gmail, advising that there was an unexpected attempt to gain access to their account. Gmail and other service providers offer such notifications as a warning of potential attempts to access an account illegally; the system is triggered when someone attempts to access the account from a different geographic location or device. Attackers follow their initial notification up with a falsified email, also purporting to be from Gmail, advising that the attempt originated in Iran and that the target’s password has been compromised. The message includes a link to reset the user’s password, which directs the target to a website appearing to be part of the Gmail network but under the control of the attackers. The target is prompted to enter their password to secure their account, giving the attackers visibility of it. At the same time, the target is advised through the site that they will receive an SMS authentication code from Gmail; the attackers trigger this genuine code themselves by attempting to log into the target’s account with the freshly captured password. The target is then prompted to enter the code on the attacker-controlled website, where it is intercepted by the attackers and used to complete the login to the targeted account.
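The flow above is a real-time relay: the fake site forwards the victim’s password to the real service, the real service sends a genuine SMS code, and the victim hands that code back to the fake site. The following simulation, added here as an illustration and not code from the article or from any provider, models that relay against two kinds of second factor. The SMS code is just six digits, so the service cannot tell who typed them into which site, and the relay succeeds. An origin-bound factor (modelled in the style of WebAuthn, simplified to an HMAC over the challenge and the origin) fails when relayed, because the browser on the phishing origin signs that origin rather than the legitimate one. The service class, the origins, the password and the device key are all constructed for the example.

```python
"""Constructed simulation of a relayed second factor (SMS code vs origin-bound proof)."""
import hashlib
import hmac
import secrets

LEGIT_ORIGIN = "https://accounts.example.com"          # assumed legitimate login origin
PHISH_ORIGIN = "https://accounts-example-verify.test"  # constructed phishing origin


def authenticator_sign(device_key: bytes, challenge: bytes, origin: str) -> bytes:
    """Models the user's authenticator: it binds the challenge to the origin the
    browser is actually talking to, a value the user never types and cannot get wrong."""
    return hmac.new(device_key, challenge + origin.encode(), hashlib.sha256).digest()


class AccountService:
    """Minimal stand-in for a login service (constructed; not any provider's code)."""

    def __init__(self, password: str, device_key: bytes):
        self._password = password
        self._device_key = device_key      # shared only with the user's authenticator
        self._pending_sms = None
        self._pending_challenge = None

    # SMS one-time-code flow: the factor the campaign defeats
    def begin_sms_login(self, password: str):
        """Checks the password and 'sends' a six-digit code; returning it models
        the SMS arriving on the user's handset."""
        if not hmac.compare_digest(password, self._password):
            return None
        self._pending_sms = f"{secrets.randbelow(10**6):06d}"
        return self._pending_sms

    def finish_sms_login(self, code: str) -> bool:
        """Any party holding the digits can complete the login; the service
        cannot see which site the user typed them into."""
        ok = self._pending_sms is not None and hmac.compare_digest(code, self._pending_sms)
        self._pending_sms = None
        return ok

    # Origin-bound flow: the factor that survives the relay
    def begin_bound_login(self, password: str):
        if not hmac.compare_digest(password, self._password):
            return None
        self._pending_challenge = secrets.token_bytes(32)
        return self._pending_challenge

    def finish_bound_login(self, proof: bytes) -> bool:
        """Recomputes the proof over the origin the service expects; a proof made
        for any other origin does not verify, however faithfully it was relayed."""
        if self._pending_challenge is None:
            return False
        expected = authenticator_sign(self._device_key, self._pending_challenge, LEGIT_ORIGIN)
        self._pending_challenge = None
        return hmac.compare_digest(proof, expected)


def relayed_sms_login(service: AccountService, victim_password: str) -> bool:
    """The campaign's flow: the fake site forwards whatever the victim types."""
    # 1. Victim 'resets' their password on the fake site; the fake site replays it
    #    to the real service, which sends the victim a genuine SMS code.
    sms_code = service.begin_sms_login(victim_password)
    if sms_code is None:
        return False
    # 2. Victim types the genuine code into the fake site, which forwards it.
    return service.finish_sms_login(sms_code)


def relayed_bound_login(service: AccountService, victim_password: str, device_key: bytes) -> bool:
    """The same relay against an origin-bound second factor."""
    challenge = service.begin_bound_login(victim_password)
    if challenge is None:
        return False
    # The browser is on the phishing origin, so the proof is bound to that origin;
    # the fake site can only forward it unchanged.
    proof = authenticator_sign(device_key, challenge, PHISH_ORIGIN)
    return service.finish_bound_login(proof)


def honest_bound_login(service: AccountService, password: str, device_key: bytes) -> bool:
    """Control case: the user logs in on the legitimate origin."""
    challenge = service.begin_bound_login(password)
    if challenge is None:
        return False
    proof = authenticator_sign(device_key, challenge, LEGIT_ORIGIN)
    return service.finish_bound_login(proof)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    svc = AccountService("constructed-password", key)
    print("SMS code relayed through fake site succeeds:", relayed_sms_login(svc, "constructed-password"))
    print("Origin-bound proof relayed through fake site succeeds:", relayed_bound_login(svc, "constructed-password", key))
    print("Origin-bound proof from the real site succeeds:", honest_bound_login(svc, "constructed-password", key))
```

The point of the simulation is where the secret lives: a numeric code has no notion of where it was entered, so the password and code together are enough for whoever holds them, while the origin-bound proof carries the phishing domain inside the signed data and is rejected by the service without the user having to notice anything.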
While definite attribution of such incidents remains problematic, the campaign is associated with cyber espionage groups linked to Iranian interests. As this publication has discussed extensively in the past, Iranian-linked cyber-attack and espionage groups have received significant investment and possess disproportionately high capabilities for a nation of its size. This investment has been driven by extensive hostile cyber activity against Iran, which was targeted in the Israeli/US-linked Stuxnet campaign in the last decade.
Sophisticated social engineering operations are increasingly being employed in concert with cyber espionage campaigns, with hostile actors seeking to gain targets’ confidence through the imitation of legitimate websites and security processes, as well as by exploiting social media networks. A recent example of such attempted exploitation has been identified in a chain of LinkedIn accounts purporting to belong to IT security recruiters. The accounts had been used to connect with IT security professionals, likely to gain information on experts in the field, potentially with a view to engaging in hostile cyber activity against them.
We anticipate that such tactics are already in use and are likely to be used increasingly against the corporate sector, with cyber-crime groups aiming to gain insight into targets’ financial arrangements and corporate espionage groups targeting proprietary corporate information. Any notification of unauthorised access attempts from a service provider should be verified before it is acted upon, for instance by going to the provider’s site directly rather than following a link in the message. Likewise, caution is advised in accepting connections from unknown individuals on social networks, with cyber-crime groups potentially seeking to identify targets’ relationships with financial advisors or client liaison professionals at financial institutions.