“Hostile activity by Iranian-linked group reflects threat from social engineering” warns CSARN

CSARN is warning of the present threat being posed to companies through criminals' social engineering tactics

CSARN (City Security and Resilience Networks) reports that Iranian cyber espionage groups have been linked to a large-scale and sophisticated campaign targeting members of the nation’s diaspora and at least one Western-based activist, with the tactics used reflecting the threat to UK businesses posed by social engineering.

The campaign uses a range of tactics to gain access to targets’ Gmail accounts, with one approach impersonating Gmail’s security measures in order to circumvent a user’s two-factor authentication. Two-factor authentication has been implemented by a range of service providers to provide an additional level of security beyond the password. In order to log on, the system requires users to enter a verification code – sent by the service provider – in addition to their own password.

This process is normally conducted via an SMS or automated phone call. The system is based on the theory that an attacker would have to have access to a target’s SMS messages in order to gain unauthorised access to their account.

The current campaign seeks to circumvent this security provision by sending the target a falsified SMS notification purporting to be from Gmail, advising that there was an unexpected attempt to gain access to their account. Gmail and other service providers offer such notifications to warn of potential attempts to access an account illegally; the notification is triggered when an access attempt is made from a different geographic location or device.

Attackers follow their initial notification up with a falsified e-mail, also purporting to be from Gmail, advising that the attempt originated in Iran, and that the target’s password has been compromised. The message includes a link to reset the user’s password, which directs the target to a website appearing to be part of the Gmail network, but which is under the control of the attackers.

The target is then prompted to enter their password to secure their account, allowing attackers to gain visibility of it. At the same time, the target is advised through the site that they will receive an SMS authentication code from Gmail, which the attackers prompt themselves by attempting to log into the target’s account.

At this point, the target is asked to enter the code on the attacker-controlled website. The code is duly intercepted by the attackers and used to gain access to the targeted account.
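The flow above works because the target acts on a reset link that merely looks like the provider's. As an added example (not part of the CSARN article), the following checker extracts the links from a notification and flags hosts that only resemble the provider's domain, including brand-name lookalikes, punycode hosts, user-info tricks and non-HTTPS links; the allow-list, function names and sample message are constructed for illustration.

```python
"""Verify password-reset links in a notification before acting on them."""
import re
from urllib.parse import urlparse

# Constructed allow-list: registrable domains the real provider uses (hypothetical).
ALLOWED_DOMAINS = {"google.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample resembling the e-mail described in the article.
SAMPLE_NOTIFICATION = (
    "We detected a sign-in attempt from Iran. Your password may be compromised.\n"
    "Reset it now: https://accounts.gmail-security.example/reset?u=123\n"
)


def registrable_domain(host):
    """Naive registrable domain: the last two labels (a real tool would use a public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url):
    """Return (verdict, reason) for one URL found in a message."""
    parsed = urlparse(url)
    host = parsed.hostname or ""  # hostname drops any user@ prefix and port
    if parsed.scheme != "https":
        return "suspicious", "not https"
    if host.startswith("xn--") or ".xn--" in host:
        return "suspicious", "punycode host"
    if host in ALLOWED_DOMAINS or registrable_domain(host) in ALLOWED_DOMAINS:
        return "ok", "provider domain"
    # Brand appears somewhere in the host but the registrable domain is not the provider's.
    if any(brand in host for brand in ("gmail", "google")):
        return "suspicious", f"brand lookalike: {host}"
    return "suspicious", f"unknown domain: {host}"


def check_message(body):
    """Classify every link in a message body; returns a list of (url, verdict, reason)."""
    return [(u, *classify_link(u)) for u in URL_RE.findall(body)]


if __name__ == "__main__":
    for url, verdict, reason in check_message(SAMPLE_NOTIFICATION):
        print(f"{verdict:10} {reason:45} {url}")
```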

Extensive hostile cyber activity

While definite attribution of such incidents remains problematic, the campaign is associated with cyber espionage groups linked to Iranian interests.

Iranian-linked cyber attack and espionage groups have received significant investment and possess disproportionately high capabilities for a nation of Iran’s size. This investment has been driven by extensive hostile cyber activity against Iran, which was targeted in the Israeli/US-linked Stuxnet campaign in the last decade.

Sophisticated social engineering operations are increasingly being employed in concert with cyber espionage campaigns, with hostile actors seeking to gain targets’ confidence through the imitation of legitimate websites and security processes, as well as exploiting social media networks.

A recent example of such attempted exploitation has been identified through a chain of LinkedIn accounts purporting to belong to IT security recruiters. The accounts had been used to connect with IT security professionals, likely in order to gather information on experts in the field, and potentially with a view to engaging in hostile cyber activity against them.

CSARN anticipates that such tactics are already in use and are likely to be increasingly used against the corporate sector, with cyber crime groups aiming to gain insight into targets’ financial arrangements and corporate espionage groups targeting proprietary corporate information.

“Any notification of unauthorised access attempts from service providers should be verified before they are acted upon,” states CSARN. “Likewise, caution is advised in accepting connections from unknown individuals on social networks, with cyber crime groups potentially seeking to identify targets’ relationships with financial advisors or client liaison professionals at financial institutions.”

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.