A recently discovered spear-phishing campaign has been targeting former Israeli officers, high-ranking military personnel, the head of a security think tank and a former U.S. ambassador to Israel.
Detailed today by researchers from Check Point Software Technologies Inc., the attack used custom phishing infrastructure and an array of fake email accounts to impersonate trusted partners, a process known as spear-phishing. To establish further trust, the suspected Iranian hackers performed account takeovers of some victims’ inboxes and then used existing email conversations to facilitate attacks.
The attackers operated a fake URL shortener to disguise their phishing links and legitimate identity service validation.com for the theft of identity documents. The use of a fake URL shortener is notable, with the attackers setting up a seemingly legitimate-looking service. However, using the service required registration and trying to click on “sign up” would ask for an email to be sent.
The phishing pages used in the attack aimed to gain access to the inboxes of victims, specifically Yahoo inboxes — apparently, some people still use Yahoo email accounts in 2022. The phishing pages include several stages, such as asking the user for their account ID followed by an SMS code verification page. The researchers believe that once the victim entered an account ID, the phishing backend server would send a password recovery request to Yahoo with the two-factor authentication code, allowing the attackers to gain access to the victim’s inbox.
The Iranian Phosphorous advanced persistent threat group is believed to be behind the spear-phishing campaign. Code found in one of the phishing pages pointed to a different attack that is known to be linked to Phosphorous. That Israeli officials were targeted is also said to be indicative of an Iranian link, since Iranian state-sponsored hackers regularly target Israel.
Phosphorous has previously been linked to an attempt to break into the re-election campaign for President Donald Trump in October 2019 and a campaign that targeted attendees of the Munich Security Conference in October 2020.
“The Iranian spear-phishing operations are yet another example of how nation-state-sponsored actors are starting to dominate the threat landscape,” Rajiv Pimplaskar, chief executive officer of multipath virtual private network company Dispersive Holdings Inc., told SiliconANGLE. “Such threat actors are often more sophisticated, have a lot more resources, are economically and/or politically motivated and can afford to play a ‘long game’ of ‘steal now, decrypt later.’”
Governments and businesses need to be mindful of the new cyber cold war where nation-state-sponsored attacks are proxy warfare in place of actual conflicts, Pimplaskar added. “Consequently, existing cyber defenses need to be bolstered with enhanced policies, training as well as endpoint and network security protection such as a next-gen VPN to combat the increased threat of nation-state actors,” he said.