WASHINGTON - Civil society activists in the Iranian diaspora community are being targeted with an elaborate and sophisticated phishing campaign designed to steal their email communications and contacts, a group of Canada-based researchers contends in a new report.
The report, titled "London Calling," details a multi-layered, real-time phishing campaign that uses a cybersecurity technique known as “two-factor authorization” – often employed to bolster online security – to trick its targets.
“Two-factor authorization is a fantastic security tool that everyone should use,” says John Scott-Railton, a senior researcher at Citizen Lab, an interdisciplinary center at the Munk School of Global Affairs at the University of Toronto and co-author of the report along with Katie Kleemola.
“It basically involves asking Google or another provider to send you a text message when you try to log in to your account; it’s another layer of protection.”
“What these hackers have done is created an elaborate deception to trick targets into giving both their passwords and their messages, generated by the text verification via Gmail,” Scott-Railton said.
The ploy basically worked like this: A target would receive an early-morning phone call, usually from London. The caller, pretending to be a trusted source, would inform the target that he or she would soon receive a Google document, which would arrive almost instantly at the target’s Gmail account.
“So before you’re fully awake, you get something that looks legitimate,” Scott-Railton told VOA. “But what you’re actually looking at is a fake Web page controlled by the attackers.”
When the target enters a password, the attackers controlling the fake Google page see it instantly and then log in to the target’s real Gmail account themselves. Targets using two-factor authorization would then receive a legitimate text message from Google with a code they had to enter to complete logging in – just like usual.
Scott-Railton said the attackers, working in real time, would then show the target a second fake page asking for the code. The target, seeing everything looked legitimate, would enter it. The attackers would again immediately see the code and enter it into the real Google themselves, thus seizing full control of the target’s Gmail account.
“Once in, this attack gives immediate access to [the target’s] email. So imagine if you’re working on sensitive topics and secret contacts: This gives the attackers access, putting everyone you’ve been in contact with at risk,” Scott-Railton said.
The authors say an unknown number of Iranians living in the West have been targeted. Many of the targets who spoke with the researchers requested anonymity.
One non-Iranian target who agreed to come forward is longtime cyber-rights activist Jillian York, director for international freedom of expression at the Electronic Frontier Foundation based in San Francisco.
“I was visiting a friend in Sarajevo, and was awoken by a phone call at 9:30 a.m.,” York told VOA via email. “The person calling claimed to be a journalist and, in my sleepy state, asked if he could please email me before we hung up.”
York said he called back less than five minutes later to make sure she had seen the email, which raised her suspicion.
“First, because that's odd behavior for a journalist, and second because the email was a Google Doc request from a generic-sounding Reuters email address, and ‘Reuters’ was misspelled in the body of the message.”
York said it wasn’t clear why she was targeted, but added she does know many Iranians active in “the digital rights scene.”
The report details a chain of Web domain purchases, routing patterns and other digital fingerprints to conclude the attackers are likely based within Iran.
“It’s very labor intensive to create this deception,” said Scott-Railton. “There has to be someone making the phone calls. There has to be a custom website. That’s a lot more effort than most phishing campaigns, so for that reason we think these attacks were highly targeted.”
As with many other less sophisticated phishing schemes, both York and Scott-Railton argue the best defense is to go slow and think critically.
“Always, always check and double check before opening attachments,” York wrote. “If you know the sender, confirm with them via another channel – phone, SMS, instant messenger, etc. – that they've sent you an attachment. If you don't know the person, don't open it.”
Citizen Lab’s Scott-Railton says that, perhaps paradoxically, the hacker’s use of two-factor authorization as a ploy actually confirms its usefulness.
“It’s forcing the attackers to make a much more elaborate deception, creating more chances for them to slip up and more opportunities for your critical thinking to kick in and say, ‘Wait, this feels wrong, something’s not quite right here.’”