Iranian hackers posed as journalist to target victims, security firm says

A fake Wall Street Journal download page designed to steal user information. (Image: Certfa Lab/Handout)

Iranian hackers belonging to an elite cyberwarfare group are targeting victims by posing as legitimate journalists from well-known news outlets, according to a cybersecurity firm.

Certfa Lab, a cybersecurity group that focuses on attacks originating from Iran, said evidence it reviewed shows that members of the “Charming Kitten” hacking group misappropriated the real-world professional identities of journalists in order to compromise the Yahoo and Gmail accounts of unsuspecting targets.

The campaign uses a common technique known as “phishing,” luring targets to login pages designed to look like those offered by Yahoo and Google. The pages collect victims’ usernames and passwords, which the attackers can then use to take over the accounts.

Security firms typically encourage users to add security measures such as two-factor authentication (2FA) to blunt phishing attempts, but Certfa Lab said Charming Kitten hackers took this into account and also targeted the verification codes sent to users whose accounts were under attack. A one-time code typed into a fake login page can be relayed to the real service before it expires, so 2FA based on SMS or app-generated codes does not stop this kind of real-time phishing; methods that bind the login to the legitimate site’s address, such as hardware security keys, are designed to resist it.
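The following simulation, added for this article and not taken from Certfa Lab’s report or any vendor’s code, shows the difference in a few dozen lines. An attacker who relays a victim’s password and current authenticator code to the real site succeeds, while an origin-bound assertion of the kind hardware security keys produce is rejected because the signature covers the lookalike address the victim actually visited. The account names, secrets, origins and the assertion format are all invented for the example; the TOTP routine is the standard RFC 6238 computation.

```python
import hashlib
import hmac
import struct

# Simplified model, added for this article, of two kinds of second factor and
# of an attacker who relays what the victim types into a fake login page.
# Account names, secrets, origins and the assertion format are invented for
# the example; this is not any vendor's real protocol.

REAL_ORIGIN = "https://accounts.example"                  # the genuine login page
PHISH_ORIGIN = "https://accounts-example.sites.example"   # attacker's lookalike


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the maths behind authenticator-app codes."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def sign_assertion(device_key: bytes, challenge: bytes, origin: str) -> bytes:
    """Security-key style: the signature covers the origin the browser visited."""
    return hmac.new(device_key, challenge + origin.encode(), hashlib.sha256).digest()


class Service:
    """The real site. Knows each user's password, TOTP seed and device key."""

    def __init__(self) -> None:
        self.users = {"victim": {"password": "hunter2",
                                 "totp_seed": b"seedseedseedseed",
                                 "device_key": b"registered-key"}}

    def login_with_code(self, user: str, password: str, code: str, now: int) -> bool:
        u = self.users[user]
        return (password == u["password"]
                and hmac.compare_digest(code, totp(u["totp_seed"], now)))

    def login_with_assertion(self, user: str, password: str,
                             challenge: bytes, signature: bytes) -> bool:
        u = self.users[user]
        # The server only ever verifies against its own origin.
        expected = sign_assertion(u["device_key"], challenge, REAL_ORIGIN)
        return password == u["password"] and hmac.compare_digest(signature, expected)


def relay_totp(service: Service, now: int) -> bool:
    """Victim types password and current code into the fake page; the attacker
    submits them to the real site within the same 30-second window."""
    harvested_password = "hunter2"
    harvested_code = totp(b"seedseedseedseed", now)   # what the victim read off the app
    return service.login_with_code("victim", harvested_password, harvested_code, now)


def relay_security_key(service: Service) -> bool:
    """Same relay, but the second factor is an origin-bound assertion. The
    victim's key signs over PHISH_ORIGIN, which the real site never accepts."""
    challenge = b"nonce-from-real-site"               # attacker fetched a real challenge
    harvested_sig = sign_assertion(b"registered-key", challenge, PHISH_ORIGIN)
    return service.login_with_assertion("victim", "hunter2", challenge, harvested_sig)


def legitimate_security_key(service: Service) -> bool:
    """The victim logging in at the real origin with the same key."""
    challenge = b"nonce-from-real-site"
    sig = sign_assertion(b"registered-key", challenge, REAL_ORIGIN)
    return service.login_with_assertion("victim", "hunter2", challenge, sig)


if __name__ == "__main__":
    svc = Service()
    print("relayed TOTP accepted:", relay_totp(svc, 1_700_000_000))         # True
    print("relayed key assertion accepted:", relay_security_key(svc))       # False
    print("genuine key assertion accepted:", legitimate_security_key(svc))  # True
```

The point of the model is that the code itself is not the weakness: a correct TOTP is accepted from whoever submits it first, so the attacker only has to be fast. The origin-bound assertion fails for the attacker even though the victim cooperated fully, because the browser, not the user, supplies the origin that gets signed.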

In addition to compromising accounts, Certfa Lab said hackers were focused on learning the human network of their victims in order to “target private and government institutions, think tanks and academic institutions” beyond Iran, including individuals in Europe and the United States.

Charming Kitten hackers have been actively stealing account information since at least mid-2018, when Certfa Lab began documenting their campaigns. In recent months, the group began using the real-world identities of journalists working with American-based publications in a further attempt to gain the trust of their potential victims, Certfa Lab said in a blog post published Wednesday morning.

In one case specifically cited by the company, hackers assumed the identity of a female New York Times reporter, sending interview requests to potential targets from a fake Gmail account created to resemble the journalist’s former employer, the Wall Street Journal.

Certfa Lab said the social media links in the email’s signature were routed through redirect services, which let the attackers collect information about any target who clicked, including the target’s Internet Protocol (IP) address and other metadata a web browser sends with each request, such as its user-agent string. This told the attackers which recipients had opened the message and engaged with it before any credentials were asked for.

If a target responded to the email, Charming Kitten hackers sent a follow-up message with a link that purported to contain “interview questions.” That link resolved to a Google Sites-hosted webpage where a button redirected users to a page designed to look like a legitimate Google login screen. The fake login screen asked for the user’s credentials as well as the 2FA code sent to the target’s mobile phone, giving the attackers everything needed to sign in to the real account.
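The lure described in the two paragraphs above has several signals a mail-security check can pick up without any network access: a free-mail sender address that borrows a newsroom’s brand, signature links whose visible text names one site while the link itself goes through a redirect service that logs the click, and an “interview questions” link on free page hosting. The checker below is an added example written for this article, not Certfa Lab’s tooling; the message, addresses, hosts and the newsroom allow-list are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed sample modelled on the lure described in the article: a real
# journalist's name as display name, a free-mail address that borrows the
# newspaper's brand, a "social" link routed through a redirect service, and an
# "interview questions" link on free page hosting. Names, addresses and hosts
# are all made up for this example.
SAMPLE_EMAIL = """\
From: "Jane Reporter" <jane.reporter.wsj@gmail.com>
To: target@example.org
Subject: Interview request
Content-Type: text/html; charset=utf-8

<p>Dear Dr. Target, thank you for agreeing to talk. The
<a href="https://sites.google.com/view/interview-questions-0000">interview questions</a>
are ready.</p>
<p>--<br>Jane Reporter<br>
<a href="https://track.redirect-service.example/r?u=https://twitter.com/janereporter">twitter.com/janereporter</a><br>
<a href="https://www.linkedin.com/in/janereporter">linkedin.com/in/janereporter</a></p>
"""

NEWSROOM_DOMAINS = {"wsj.com", "nytimes.com"}               # assumed analyst allow-list
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}
FREE_HOSTING = {"sites.google.com"}                          # anyone can publish here


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in the body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    """Hostname of a URL, lower-cased, with a leading 'www.' dropped."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def redirect_target(href: str) -> Optional[str]:
    """Return the URL embedded in a tracking/redirect link, or None.

    Redirect services carry the final destination as a query parameter, so
    the service sees the click (IP address, user agent, time) before forwarding.
    """
    for values in parse_qs(urlparse(href).query).values():
        for v in values:
            if v.lower().startswith(("http://", "https://")):
                return v
    return None


def analyze(raw_message: str) -> List[str]:
    """Return one human-readable finding per suspicious signal in the message."""
    msg = message_from_string(raw_message)
    findings: List[str] = []

    _display_name, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().rpartition("@")
    if domain in FREEMAIL_DOMAINS:
        for newsroom in NEWSROOM_DOMAINS:
            brand = newsroom.split(".")[0]
            if brand in local:
                findings.append(f"sender {addr} borrows the {newsroom} brand but uses free webmail")

    collector = _LinkCollector()
    collector.feed(msg.get_payload())       # single-part message: payload is the HTML
    for href, text in collector.links:
        host = _host(href)
        target = redirect_target(href)
        shown = text.lower().split("/")[0]  # the site the link *appears* to go to
        if target is not None:
            findings.append(f"link to {host} is a redirect wrapper around {target}")
        elif re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", shown) and _host("https://" + shown) != host:
            findings.append(f"link text shows {shown} but points at {host}")
        if host in FREE_HOSTING:
            findings.append(f"link to free page hosting {host}: '{text}'")
    return findings


if __name__ == "__main__":
    for line in analyze(SAMPLE_EMAIL):
        print("FLAG:", line)
```

Run against the sample, `analyze` flags the branded free-mail sender, the redirect wrapper around the Twitter link and the Google Sites link, while the LinkedIn link, whose visible text and destination agree, passes. None of these signals is conclusive on its own; newsrooms do use link shorteners, and free hosting has legitimate uses. Together, in an unsolicited interview request, they are exactly the pattern the report describes.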

The fake interview question webpage was unavailable when The Desk attempted to access it via a URL posted by Certfa Lab on Thursday.

Certfa Lab said similar campaigns appeared to be aimed at Microsoft Outlook, Facebook and Instagram accounts, as well as at journalists working for the satellite news channel Sky News.