Date of publication: 2020-02-16
Iranian hackers may have pretended to be a prominent reporter to trick victims into handing over their passwords, according to security researchers.
In November, hackers sent out interview request emails that appeared to come from Farnaz Fassihi, formerly of the Wall Street Journal and now at the New York Times. However, the emails were actually designed to phish the login credentials of the victims' email accounts, according to Certfa Lab, which focuses on Iranian hacking activities.
"In the first step of the fake interview, emails were sent from farnaz.fassihi [at] gmail [dot] com to gain the victims' trust," Certfa Lab said in a report on Wednesday. "After communication and relative trust are established through the initial email, hackers send their victim an exclusive link as a file that contains the interview questions."
Clicking on the exclusive link loads a fake Wall Street Journal page hosted on Google Sites. A "download" button on that page then brings up a second page, at the domain "two-step-checkup[.]site," which has been designed to look like Google's official login page. The login window is a fake that records the victims' passwords and the two-factor authentication codes for their Google accounts, which are then sent to the hackers, according to Certfa Lab. Because the page captures the one-time code as soon as the victim types it, SMS and authenticator-app codes give no protection against this kind of site.
Mention of the Journal should have raised some flags, as a quick Google search would reveal that Fassihi has been with the Times since June 2019. But Iranian-born German academic Erfan Kasraie, who received the email, told Reuters that he also found it odd because it was written more like a fan letter. "Needless to say, this interview is a great honor for me personally," the fake email says at one point.
On Twitter, Fassihi writes that the scheme is an example of the "threats we journalists face for doing our jobs."
Certfa Lab suspects a notorious Iranian hacking group dubbed "Charming Kitten" was behind the phishing attack. It points to how the "two-step-checkup[.]site" domain is configured: it was run from two servers that had previously been used to operate other phishing websites tied to the same Iranian hacking group.
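The attribution step above is a hosting-infrastructure pivot: a new phishing domain is linked to a group because the servers it was served from previously hosted that group's phishing sites. The script below is an added example of that pivot, not Certfa Lab's tooling. The passive-DNS-style records, the IP addresses (RFC 5737 test ranges) and the "already attributed" domains are all constructed for the example; only the two-step-checkup[.]site hostname comes from the report.

```python
"""Shared-hosting infrastructure pivot (added example, not Certfa Lab's code).

Given passive-DNS-style observations (hostname, ip, first_seen) and a set of
domains already attributed to a group, report which of the group's known
domains were hosted on the same IPs *before* the candidate appeared there.
All records below are constructed; the IPs are RFC 5737 test addresses.
"""
from collections import defaultdict
from datetime import date

# Constructed observations: (hostname, ip, first_seen on that ip).
RECORDS = [
    ("two-step-checkup.site", "192.0.2.10", date(2019, 11, 2)),
    ("two-step-checkup.site", "198.51.100.7", date(2019, 11, 5)),
    ("old-phish-a.example", "192.0.2.10", date(2019, 3, 14)),
    ("old-phish-b.example", "198.51.100.7", date(2019, 6, 1)),
    ("new-single.example", "192.0.2.10", date(2019, 12, 1)),
    ("unrelated-shop.example", "203.0.113.9", date(2019, 9, 9)),
    ("shared-cdn-tenant.example", "203.0.113.9", date(2019, 9, 10)),
]

# Placeholder domains standing in for sites already attributed to the group.
KNOWN_ATTRIBUTED = {"old-phish-a.example", "old-phish-b.example"}


def build_index(records):
    """Map each IP to the hosts seen on it, and each host to its IPs."""
    ip_to_hosts = defaultdict(set)
    host_to_ips = defaultdict(set)
    for host, ip, _ in records:
        ip_to_hosts[ip].add(host)
        host_to_ips[host].add(ip)
    return ip_to_hosts, host_to_ips


def pivot(candidate, records, known, min_shared=2):
    """Return ({ip: known hosts seen there before the candidate}, attributed?).

    Only known hosts observed on the IP *before* the candidate count: a host
    that shows up on the same IP later says nothing about where the candidate
    came from. The min_shared threshold guards against the shared-CDN case,
    where one IP fronts many unrelated tenants and a single overlap is noise.
    """
    first_seen = {}
    for host, ip, seen in records:
        key = (host, ip)
        first_seen[key] = min(seen, first_seen.get(key, seen))

    ip_to_hosts, host_to_ips = build_index(records)
    overlap = {}
    for ip in host_to_ips.get(candidate, ()):
        cand_seen = first_seen[(candidate, ip)]
        prior_known = {h for h in ip_to_hosts[ip] & known
                       if first_seen[(h, ip)] < cand_seen}
        if prior_known:
            overlap[ip] = prior_known
    return overlap, len(overlap) >= min_shared


if __name__ == "__main__":
    for host in ("two-step-checkup.site", "new-single.example",
                 "shared-cdn-tenant.example"):
        shared, hit = pivot(host, RECORDS, KNOWN_ATTRIBUTED)
        print(f"{host}: shared={dict(shared)} attributed={hit}")
```

With the constructed data, two-step-checkup.site overlaps with a known domain on both of its IPs and is flagged; new-single.example shares only one IP and falls below the threshold; the tenant on the constructed shared-CDN address is not flagged at all. In real analysis the threshold and the "seen before" rule are what keep a pivot from attributing every site on a bulk hosting provider to the same actor.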
Certfa Lab also warns that the suspected Iranian hackers have been using interview requests in the name of CNN and German broadcaster Deutsche Welle to prey on other targets. "The main focus of this phishing campaign was stealing email account information of the victims, and finding information about their contacts/networks," the team of experts added.
To avoid getting phished, look up the sender's contact information on their official website and call them, or reach out with a new message, rather than replying directly to the original email. Before entering a password or a two-factor code, check that the address bar shows the real login domain rather than a look-alike such as "two-step-checkup[.]site."