Source: go.theregister.com – Author: Jessica Lyons
The cyber-ops arm of Iran’s Islamic Revolutionary Guard Corps has started a spear-phishing campaign intent on stealing credentials from Israeli journalists, cybersecurity experts, and computer science professors from leading Israeli universities.
This latest phishing expedition, which Check Point Research pins on Iran’s Charming Kitten crew (aka APT42, Mint Sandstorm, and Educated Manticore), began earlier this month, shortly after Israel’s air strikes against Iran.
Charming Kitten employed more than 130 unique domains and numerous subdomains, using one or two for each targeted individual, researcher Sergey Shykevich told The Register.
“This suggests there are likely dozens of intended targets, though the exact number is unclear. It’s important to note that while this indicates targeting activity, we have no visibility into how many of these individuals or organizations were actually victims.”
Check Point has listed the domains used in this campaign, along with other indicators of compromise, in a report published Wednesday.
The Iranian crew uses emails and WhatsApp messages as bait, and disguises them so they appear to come from threat intel analysts at real Israeli cybersecurity firms. In one email, “Sarah Novominski,” a fake analyst at an infosec company, says she’s seeking “initial tips or best practices for securing energy infrastructure against cyberthreats.”
Check Point thinks Iran’s hackers used AI to write phishing messages, but still managed to make mistakes. The email from “Sarah Novominski”, for example, uses different spellings of the name in the email’s text and the account name of its sender.
Another phishing message, this one sent on WhatsApp and also impersonating a cybersecurity employee, suggests an in-person meeting to discuss the “Iranian invasion and 700 percent cyberattack surge since June 12” and a possible AI-powered defense.
Iran has a history of trying to lure Israeli businessmen and academics into in-person meetings using WhatsApp messages and stolen and fake identities, and then using the meetups for kidnapping or intel-gathering purposes. So it’s impossible to rule out “the possibility that this campaign extends beyond cyberspace,” the Check Point report says.
In these types of scams, the initial email or WhatsApp messages don’t contain any direct links to the phony meetings. Instead, the attackers work to gain the victims’ trust through these online interactions and later send a meeting link that leads to the attacker-controlled phishing website.
The phishing sites mimic Gmail login pages or Google Meet invitations. Before sending the phishing link, the attackers ask the victim for their email address, which is then pre-filled on the credential phishing page to make it look more real and mimic the legitimate Google authentication process.
Iran’s cyber-operatives gain access to credentials entered on the phishing pages, which allows them to hoover up passwords and two-factor authentication codes, enabling full takeover of the victims’ accounts. ®
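Two of the tells described above (a sender whose sign-off name does not match the account it came from, and a “Google Meet” link whose host is not actually a Google host) are cheap to check in a mail or chat-export triage script. The script below is an added illustration written for this article, not Check Point’s tooling and not drawn from its report: the sample messages, the `example`/`test` domains, and the short allow-list of Google hosts are all constructed for the example.

```python
"""Triage heuristics for the spear-phishing pattern described in the article.

Added example: the two sample messages, the domains in them and the
allow-list of Google hosts are constructed for illustration. They are not
indicators from the Check Point report.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hosts Google really uses for Meet invitations and sign-in (assumption:
# kept deliberately short; extend from your own mail-gateway policy).
TRUSTED_GOOGLE_HOSTS = {"meet.google.com", "accounts.google.com", "mail.google.com"}

# Brand words a lookalike domain borrows to feel like a Google link.
BRAND_HINTS = ("google", "gmail", "meet")

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# A sign-off such as "Best regards,\nSarah Novominski"; the name group stays on one line.
SIGNOFF_RE = re.compile(
    r"(?:regards|best|thanks),?\s*\n[ \t]*([A-Z][A-Za-z'.-]+(?:[ \t]+[A-Z][A-Za-z'.-]+)*)",
    re.IGNORECASE,
)


@dataclass
class Message:
    sender_name: str      # display name on the From: header or chat profile
    sender_address: str   # the account the message really came from
    body: str
    findings: list = field(default_factory=list)


def signature_name(body: str):
    """Return the name that closes the message, or None if there is no sign-off."""
    m = SIGNOFF_RE.search(body)
    return m.group(1).strip() if m else None


def name_mismatch(msg: Message) -> bool:
    """True when the sign-off disagrees with the display name or the account name."""
    sig = signature_name(msg.body)
    if not sig:
        return False
    if sig.casefold() != msg.sender_name.casefold():
        return True
    # Does the surname at least appear in the account's local part (dots/underscores removed)?
    surname = sig.split()[-1].casefold()
    local = re.sub(r"[._-]", "", msg.sender_address.split("@")[0]).casefold()
    return surname not in local


def lookalike_links(body: str) -> list:
    """URLs whose host trades on Google branding but is not a trusted Google host."""
    suspicious = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in TRUSTED_GOOGLE_HOSTS:
            continue
        if any(hint in host for hint in BRAND_HINTS):
            suspicious.append(url)
    return suspicious


def assess(msg: Message) -> Message:
    """Attach human-readable findings to the message and return it."""
    if name_mismatch(msg):
        msg.findings.append("sender name differs from sign-off name")
    for url in lookalike_links(msg.body):
        msg.findings.append(f"lookalike Google link: {url}")
    return msg


# Constructed samples (not real indicators): one mimics the campaign, one is benign.
SAMPLE_PHISH = Message(
    sender_name="Sarah Novominsky",
    sender_address="sarah.novominsky@example-sec.test",
    body=(
        "Hi,\n\nI'm looking for initial tips on securing energy infrastructure.\n"
        "Let's talk here: https://meet.google-invite.example/abc\n\n"
        "Best regards,\nSarah Novominski"
    ),
)
SAMPLE_LEGIT = Message(
    sender_name="Dana Levi",
    sender_address="dana.levi@example.test",
    body="Hi,\n\nJoining link: https://meet.google.com/abc-defg-hij\n\nThanks,\nDana Levi",
)

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT):
        result = assess(sample)
        print(sample.sender_address, "->", result.findings or "no findings")
```

Neither check is proof of phishing on its own; the point is that the article’s two tells are mechanical enough to surface automatically so that a human reviews the message before anyone clicks a meeting link.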
Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/06/26/that_whatsapp_from_an_israeli/