Iranian Phishing Campaign Attempts to Bypass 2FA

A new phishing campaign by the Iranian state-sponsored group known as “Charming Kitten” is using new tactics to trick users out of their passwords and out of both SMS and app-generated two-factor codes.  Charming Kitten is tied to the Islamic Revolutionary Guard.  This campaign has been ongoing since October 2018.  Information on this attack was released on December 18, 2018 by Certfa Lab.

Targets of these attacks are high-ranking individuals in financial services, government and the military, as well as human rights activists and journalists.  In most cases the targeted individuals appear to have been thoroughly researched by the attackers in order to craft spear-phishing emails that are more likely to appear authentic.

Emails are coming from realistic-looking accounts such as notifications.mailservices@gmail[.]com, noreply.customermails@gmail[.]com, [customer]email-delivery[.]info and other similarly crafted addresses.

The phishing emails state that an unauthorized person has tried to access the victim’s account.  Links or embedded images in the emails redirect the victim to fake login pages.  What is interesting about this campaign is the use of a second page that appears to be a two-factor authentication page.  By tricking the victim into entering their 2FA code on the fake page, the attackers have a brief time window in which to enter that code on the victim’s actual account, in spite of the use of 2FA.

Domains used for hosting the fake login pages include the registered domain accounts-support.services, which appears to be registered to someone in Baghdad, as well as trusted public web hosting services such as sites.google.com.  Often there is also a malicious download hosted on what appears to be a Google Drive page.

This is a sophisticated state-sponsored attack originating in Iran.  If you are working in any of the targeted sectors listed above, check the Certfa report for a detailed explanation of the indicators of compromise (IoC) and tactics, techniques, and procedures (TTP) used by this group.  The report includes screenshots of the various emails and web pages, and a list of IP addresses and domains associated with this campaign.  Recommended actions include:

  • Stop using 2FA via SMS messaging.  This form of 2FA was deprecated in the new NIST password policies.
  • Do not use one-tap login options for 2FA.
  • Use 2FA apps or security keys such as the YubiKey or Google Titan.
  • Activate Google’s Advanced Protection Program.
  • Do not use personal email accounts for sensitive information.
  • Do not click on links in emails when you can navigate and login to the web account by typing or using a bookmark or favorite.
  • Use email encryption.
  • Do not store sensitive emails in your inbox.  If your account is hijacked, everything in the inbox can be read by the attacker.
  • HTTPS sites are great, but attackers are using them too.  HTTPS means the connection is encrypted, but is no proof the website contents are safe.
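To make concrete why the 2FA-relay described above works against codes but not against security keys, here is an added example (not from this post or the Certfa report). It contrasts a standard RFC 6238 TOTP check, which accepts any code within its time window regardless of where the user typed it, with a simplified origin-bound assertion in the style of a security key, where the signed data includes the origin the browser reports, so a response captured on the phishing domain fails at the real site. The seeds, the hypothetical real origin and the HMAC standing in for the key's public-key signature are all constructed for illustration.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo values (not from the report): a TOTP seed and a credential
# key standing in for a security key's private key.
TOTP_SECRET = b"constructed-demo-totp-seed"
CREDENTIAL_KEY = b"constructed-demo-authenticator-key"
REAL_ORIGIN = "https://accounts.example.com"        # hypothetical real login site
PHISH_ORIGIN = "https://accounts-support.services"  # domain named in the post

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_valid(secret: bytes, code: str, t: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side check: accepts the current step plus/minus `skew` steps.
    Nothing ties the code to where it was typed, so a code relayed from a
    fake page within this window is indistinguishable from a genuine login."""
    return any(hmac.compare_digest(totp(secret, t + step * d, step), code)
               for d in range(-skew, skew + 1))

def sign_assertion(key: bytes, challenge: bytes, origin: str) -> bytes:
    """Authenticator side (simplified): the signature covers the origin the
    browser reports, so the same challenge signed for another origin differs."""
    return hmac.new(key, challenge + origin.encode(), hashlib.sha256).digest()

def assertion_valid(key: bytes, challenge: bytes, sig: bytes, expected_origin: str) -> bool:
    """Relying party verifies over the origin it expects: its own."""
    return hmac.compare_digest(sign_assertion(key, challenge, expected_origin), sig)

def relayed_totp_accepted(now: int) -> bool:
    """Victim types the code on the fake page; attacker forwards it 20 s later."""
    captured = totp(TOTP_SECRET, now)
    return totp_valid(TOTP_SECRET, captured, now + 20)

def relayed_assertion_accepted(challenge: bytes) -> bool:
    """Victim's browser on the phishing origin signs over PHISH_ORIGIN;
    the real site checks against REAL_ORIGIN, so the relay fails."""
    captured = sign_assertion(CREDENTIAL_KEY, challenge, PHISH_ORIGIN)
    return assertion_valid(CREDENTIAL_KEY, challenge, captured, REAL_ORIGIN)

if __name__ == "__main__":
    now = int(time.time())
    print("relayed TOTP accepted:     ", relayed_totp_accepted(now))        # True
    print("relayed assertion accepted:", relayed_assertion_accepted(b"nonce"))  # False
```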


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com