Researchers have linked a sophisticated hacking scheme targeting Iranian dissidents back to Iran.
A report released Thursday by the Citizen Lab at the University of Toronto’s Munk School of Global Affairs describes how the hackers used text message and phone-based phishing to try to get around the security of Google’s Gmail and access the accounts of their targets.
The attacks studied by the Citizen Lab were very similar to others connected to Iranian hackers, the report says.
According to the report, some of the attacks began when the targets received text messages that appeared to be from Google saying that there had been an unauthorized attempt to access their Gmail accounts.
The hackers would then follow up with a carefully crafted email notification containing personal details and stating that the login attempt had been from “The Iran,” boosting the fears of people already worried about Iranian hackers.
The emails contained links directing the target to a page where they could reset their password. But in fact, the links were to phishing sites designed to collect the target’s password. The hackers would then, in real time, use the password to login to the user’s account and trigger the sending of an identification code to the target.
Gmail uses the code as a form of two-factor authentication, which adds a second layer of security on top of a person’s password. The hackers would then wait for the target to enter the code, collect it through the fraudulent website, and then use it to take control of the account.
In other cases, the targets were contacted by phone by a person speaking English or Farsi, the predominate language in Iran, who would make a “proposal” related to the target’s business activities. The fake proposal, usually promising thousands of dollars, would then be sent to the target’s Gmail in the form of an email containing a fake Google Drive link.
When the target clicked on the drive, they would be prompted to login with the Google credentials and ultimately the two-factor identification code, just like in the cases of the text messages.
While attempts to circumvent two-factor authentication security are nothing new when it comes to financial fraud-related hackings, the practice is fairly new to politically motivated attacks.
“It may be that, as a growing number of potential targets have begun using two-factor authentication on their email accounts out of a concern for their security, politically motivated attackers are borrowing from a playbook that financial criminals have written over the past decade,” the report reads.
The report emphasizes that these kinds of attacks are increasing, boosting the importance of two-factor authentication.
It notes that in the case of these hackers, the existence of the code significantly increased the amount of work required. The hackers were forced to actively monitor the phishing site and enter the information they collected in real time in order to take control of the accounts.
Without the existence of the code, the hackers could have just collected passwords through the fake website at their leisure, the report says.