CSARN (City Security and Resilience Networks) reports that Iranian cyber espionage groups have been linked to a large-scale and sophisticated campaign targeting members of the Iranian diaspora and at least one Western-based activist. The tactics used reflect the threat that social engineering poses to UK businesses.
The campaign uses a range of tactics to gain access to targets’ Gmail accounts. One approach impersonates Gmail’s own security alerts in order to circumvent the user’s two-factor authentication. Two-factor authentication has been implemented by a range of service providers to add a second layer of protection to the password: to log on, the user must enter a verification code, sent by the service provider, in addition to their password.
The code is normally delivered by SMS or automated phone call. The scheme rests on the assumption that an attacker would need access to the target’s phone, and not just their password, to gain unauthorised access to the account. The code itself, however, is accepted from whoever submits it first for the login that triggered it, and that is the gap the campaign exploits.
The current campaign circumvents this protection by first sending the target a forged SMS notification, purporting to come from Gmail, warning of an unexpected attempt to access their account. Gmail and other service providers genuinely send such notifications when an account is accessed, or an access is attempted, from an unfamiliar geographic location or device, which is what makes the forged message plausible.
The attackers follow the initial notification with a forged e-mail, also purporting to be from Gmail, stating that the attempt originated in Iran and that the target’s password has been compromised. The message includes a link to reset the password, which leads to a website styled to look like part of Gmail but under the attackers’ control.
The target is then prompted to enter their current password to “secure” the account, which hands it to the attackers. At the same time, the site tells the target to expect an SMS authentication code from Gmail. The attackers trigger that genuine code themselves by using the captured password to start a login to the real account.
The target is then asked to enter the code on the attackers’ site. The attackers capture it and submit it to Gmail to complete their own login, gaining access to the account.
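The flow in the preceding paragraphs, as a runnable simulation added here (this is not code from CSARN or from the page): a toy provider issues a six-digit SMS code after a correct password, and the attacker’s look-alike page relays first the password and then the code. The username, password, session names and origins are constructed for the example. The second class, OriginBoundService, is an assumption added for contrast and not something the page describes: it binds the second factor to the origin the browser is actually on, which is why the same relay fails against it.

```python
"""Simulation of the real-time SMS-code relay described above (added here).

Parties: the mail provider, the victim (who knows the password and holds
the phone) and the attacker running a look-alike password-reset page.
Nothing touches a network; every name and message is constructed.
"""
import hashlib
import hmac
import secrets


class SmsOtpService:
    """Correct password, then a six-digit SMS code. The code is tied to the
    session that triggered it, not to who types it in."""

    def __init__(self, username, password):
        self._username, self._password = username, password
        self._pending = {}      # session_id -> code awaiting entry
        self.phone_inbox = []   # codes delivered to the account holder's phone
        self.logged_in = set()  # sessions that completed both factors

    def begin_login(self, username, password, session_id):
        """First factor; on success a genuine code goes to the real phone."""
        if username != self._username or password != self._password:
            return False
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[session_id] = code
        self.phone_inbox.append(code)
        return True

    def finish_login(self, session_id, code):
        """Second factor; consumes the pending code for this session."""
        expected = self._pending.pop(session_id, None)
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        self.logged_in.add(session_id)
        return True


def run_sms_relay(service, victim_username, victim_password):
    """The flow from the text, with the attacker's page in the middle."""
    attacker_session = "attacker-browser"
    captured = victim_password  # 1. the fake "secure your account" page takes it
    # 2. the attacker starts a real login at once; the provider texts the victim
    if not service.begin_login(victim_username, captured, attacker_session):
        raise RuntimeError("captured password was wrong")
    relayed_code = service.phone_inbox[-1]  # 3. victim types it into the fake page
    return service.finish_login(attacker_session, relayed_code)  # 4. attacker submits it


class OriginBoundService:
    """Contrast case, an assumption added here and not something the page
    describes: the second factor is a MAC over the challenge and the origin
    the browser is really on, as origin-bound authenticators do."""

    ORIGIN = "https://accounts.example.com"

    def __init__(self, authenticator_key):
        self._key = authenticator_key
        self._challenges = {}
        self.logged_in = set()

    def challenge(self, session_id):
        self._challenges[session_id] = secrets.token_hex(16)
        return self._challenges[session_id]

    @staticmethod
    def respond(key, nonce, origin):
        """Authenticator side; the origin comes from the browser, not the page."""
        return hmac.new(key, f"{nonce}|{origin}".encode(), hashlib.sha256).hexdigest()

    def finish_login(self, session_id, response):
        nonce = self._challenges.pop(session_id, None)
        if nonce is None or not hmac.compare_digest(
                self.respond(self._key, nonce, self.ORIGIN), response):
            return False
        self.logged_in.add(session_id)
        return True


def run_origin_bound_relay(service, authenticator_key):
    """Same relay against the origin-bound factor: the victim's authenticator
    answers for the phishing origin it actually sees, so the provider rejects it."""
    attacker_session = "attacker-browser"
    nonce = service.challenge(attacker_session)
    relayed = service.respond(authenticator_key, nonce, "https://accounts-example-security.example")
    return service.finish_login(attacker_session, relayed)
```

run_sms_relay returns True and the attacker’s session lands in logged_in; run_origin_bound_relay returns False. The provider’s checks are correct in both cases; the difference is whether the factor the victim hands over means anything anywhere other than on the site they should have been on.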
Extensive hostile cyber activity
While definite attribution of such incidents remains problematic, the campaign is associated with cyber espionage groups linked to Iranian interests.
Iranian-linked cyber attack and espionage groups have received significant investment and possess disproportionately high capabilities for a nation of Iran’s size. This investment has been driven by extensive hostile cyber activity against Iran, which was targeted by the Israeli/US-linked Stuxnet campaign in the last decade.
Sophisticated social engineering operations are increasingly being employed in concert with cyber espionage campaigns, with hostile actors seeking to gain targets’ confidence by imitating legitimate websites and security processes, as well as by exploiting social media networks.
A recent example of such attempted exploitation has been identified in a chain of LinkedIn accounts purporting to belong to IT security recruiters. The accounts had been used to connect with IT security professionals, most likely to gather information on experts in the field, and potentially with a view to targeting them with hostile cyber activity.
CSARN anticipates that such tactics are already in use and are likely to be used increasingly against the corporate sector, with cyber crime groups aiming to gain insight into targets’ financial arrangements and corporate espionage groups targeting proprietary corporate information.
“Any notification of unauthorised access attempts from service providers should be verified before they are acted upon,” states CSARN. “Likewise, caution is advised in accepting connections from unknown individuals on social networks, with cyber crime groups potentially seeking to identify targets’ relationships with financial advisors or client liaison professionals at financial institutions.”