Google: watch out for this Iranian threat actor


Google says its threat analysis group of cybersecurity researchers is tracking new activity by an Iranian hacking group that is using novel techniques to steal credentials from high-value targets in government and other related sectors.

In a new blog, Google says it sent over 50,000 security alerts to its customers this year, an increase of nearly a third it attributes to government-backed actions by Russia and Iran. However, the company has singled out one Iranian threat actor it calls APT35.

Google calls APT35 an Iranian hacker group that uses phishing campaigns to target high-risk users in rival countries. A notable example was the targeted approach to campaign workers during the US 2020 election cycle.

“For years this group has hijacked accounts, used malware and used novel techniques to conduct espionage in line with the interests of the Iranian government,” Google’s TAG said on a blog.

Other actions the group took this year include compromising a UK university website to host a phishing kit. The group sent email messages linking to this website, asking recipients to log in to activate an invitation to a fake webinar, in order to collect credentials for services such as Gmail, Hotmail and Yahoo!.


According to Google, the hackers tried to bypass multi-factor authentication methods by making the phishing kit ask for second-factor authentication codes sent to devices.

Credential phishing through a compromised website shows how far the attackers will go to appear legitimate, says Google’s security team.

The threat actors also attempted to upload a spyware app disguised as a VPN to the Google Play Store that could steal data from smartphones, including call logs, texts, contacts and location data. However, Google detected and removed the app before users installed it.

APT35 also poses as senior conference officials to convince targets to respond. Once a target replies, the attackers send phishing links.

The group also uses Telegram for operator notifications and embeds JavaScript in its phishing pages that notifies the operators when a page has loaded. To send these notifications, according to Google, the attackers use the sendMessage function of the Telegram API, which lets anyone use the API to send a message to a public channel.

“The attackers use this feature to forward device-based data to the channel so that they can see details such as IP, user agent and location of the visitors to their phishing sites in real time,” says Google. “We reported the bot to Telegram and they have taken action to remove it.”
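The beacon Google describes produces a recognisable footprint from the victim's side: a browser, while rendering a web page, makes a request to the Telegram Bot API's sendMessage method. The following is an added detection example, not code from the article or from Google, that scans proxy log lines for that pattern. The log format (space-separated client IP, method, URL, referer, user agent) and the sample lines are constructed for this example; the bot token in them is a placeholder.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log lines (assumption: a space-separated export
# with fields client_ip, method, url, referer, user_agent). These are not
# from the article or from Google's report; the bot token is a placeholder.
SAMPLE_LOG = """\
10.0.0.5 GET https://api.telegram.org/bot000000000:PLACEHOLDER_TOKEN/sendMessage?chat_id=-100000&text=page_loaded https://webinar-login.example/ Mozilla/5.0 (Windows NT 10.0) Chrome/96.0
10.0.0.6 GET https://www.example.com/index.html - Mozilla/5.0 (X11; Linux x86_64) Firefox/94.0
10.0.0.7 POST https://api.telegram.org/bot000000000:PLACEHOLDER_TOKEN/sendMessage https://webinar-login.example/verify Mozilla/5.0 (Macintosh) Safari/605.1
10.0.0.8 GET https://api.telegram.org/bot000000000:PLACEHOLDER_TOKEN/getUpdates - python-requests/2.31
"""

TELEGRAM_HOST = "api.telegram.org"
# Bot API paths have the form /bot<numeric id>:<secret>/<method>; only the
# sendMessage method matters for the notification pattern described by Google.
BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)$")


def parse_line(line):
    """Split one log line into its five fields; the user agent may contain spaces."""
    parts = line.split(None, 4)
    if len(parts) != 5:
        return None
    ip, method, url, referer, ua = parts
    return {"ip": ip, "method": method, "url": url, "referer": referer, "ua": ua}


def detect_telegram_beacons(log_text):
    """Return one finding per request to the Bot API sendMessage method.

    A browser user agent together with a non-empty referer means the call was
    made from inside a web page (the embedded-JavaScript notifier case), so it
    is reported at higher severity than a call from a script or tool.
    """
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        parts = urlsplit(rec["url"])
        if parts.hostname != TELEGRAM_HOST:
            continue
        m = BOT_PATH.match(parts.path)
        if not m or m.group("method") != "sendMessage":
            continue
        from_browser = rec["ua"].startswith("Mozilla/") and rec["referer"] != "-"
        # Never write the bot secret into alerts: keep the numeric id, mask the rest.
        redacted = parts._replace(
            path=f"/bot{m.group('bot_id')}:***/sendMessage", query=""
        ).geturl()
        findings.append({
            "client_ip": rec["ip"],
            "bot_id": m.group("bot_id"),
            "chat_id": parse_qs(parts.query).get("chat_id", [None])[0],
            "referer": rec["referer"],
            "severity": "high" if from_browser else "medium",
            "redacted_url": redacted,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_telegram_beacons(SAMPLE_LOG):
        print(finding)
```

The referer is what makes the finding actionable: it names the page that embedded the notifier, which is the phishing page to block and report, while the masked bot id is enough to correlate further hits and to report the bot to Telegram without circulating its secret.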

Users are strongly advised to enable multi-factor authentication and sign up for Google’s advanced protection program.
