Iranian expatriates and American activists are being targeted by an “elaborate phishing campaign” that enables hackers to take control of their Google account, research from Citizen Lab says. Iranian government-backed hackers are believed to be responsible, with researchers connecting this attack campaign with a similar one that coincided with Iran's 2013 presidential election.
The Citizen Lab report published Thursday named Jillian York, director of international freedom of expression at the Electronic Frontier Foundation, as one target of the hacking campaign. York, who has written on the danger of blogging in Iran and on a range of related issues, said someone using a British phone number called her last Friday. The caller had a German accent, York said, and claimed to be a Reuters journalist trying to interview her, at which point she told him to send an email.
The message appeared to be from the news organization’s “Tech Dep” and contained a number of errors, including the misspelling “Reutures.” York and other targets also were asked to follow a link to a phony site asking them to input their user credentials. The hackers would use that information immediately, triggering a text message that claimed to be from Google, saying there had been an unauthorized attempt to access their account, with a verification code attached.
The target would then input that code into the fake website, surrendering complete control of the account. The hack is a rare example of intruders taking control of accounts that rely on two-factor authentication, one of the easiest and most reliable ways for Internet users to protect their accounts online. It’s not clear how many hacks were successful; the report is based on failed attempts.
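As an added illustration (not from the Citizen Lab report or this article), the following toy simulation, using hypothetical origins and a constructed account, shows why the real-time relay described above defeats an SMS code but not a second factor that signs the origin the user's browser is actually on:

```python
import hashlib, hmac, secrets
# Hypothetical origins: the real login page and a look-alike phishing page.
REAL_ORIGIN = "https://accounts.example.com"
PHISH_ORIGIN = "https://accounts-example.com"

def sign(key, origin, challenge):
    """Authenticator signs the challenge plus the origin the browser is really on."""
    return hmac.new(key, f"{origin}|{challenge}".encode(), hashlib.sha256).digest()

class Server:
    """Toy account server (constructed): password, authenticator key, pending login state."""
    def __init__(self):
        self.password = "hunter2"          # constructed credential
        self.key = secrets.token_bytes(32)
        self.sms_code = self.challenge = None

    def login(self, password):
        if password != self.password:
            return None
        self.sms_code = f"{secrets.randbelow(10**6):06d}"
        return self.sms_code               # delivered to the phone by SMS

    def verify_sms(self, code):
        ok, self.sms_code = code == self.sms_code, None
        return ok

    def new_challenge(self):
        self.challenge = secrets.token_hex(16)
        return self.challenge

    def verify_assertion(self, origin, sig):
        # Origin is inside the signed message: a relayed assertion names the wrong origin or fails the signature check.
        expected = sign(self.key, origin, self.challenge)
        return origin == REAL_ORIGIN and hmac.compare_digest(sig, expected)

def relay_against_sms_otp(server):
    """Victim types password, then the SMS code, into the fake page; attacker replays each."""
    code = server.login(server.password)   # attacker logs in with the phished password; phone gets SMS
    return server.verify_sms(code)         # victim types the code into the fake page: True

def relay_against_origin_bound(server):
    """Same relay, but the second factor is bound to the page origin the victim is on."""
    challenge = server.new_challenge()                # attacker fetches a fresh challenge
    sig = sign(server.key, PHISH_ORIGIN, challenge)   # victim's device signs for the fake site
    return (server.verify_assertion(PHISH_ORIGIN, sig)     # forwarded as-is: wrong origin
            or server.verify_assertion(REAL_ORIGIN, sig))  # origin rewritten: bad signature

def legitimate_origin_bound(server):
    challenge = server.new_challenge()    # the real user on the real page still logs in
    return server.verify_assertion(REAL_ORIGIN, sign(server.key, REAL_ORIGIN, challenge))
```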
“There’s no doubt that this comes from Iran’s Revolutionary Guard, which has been very vicious against the free press and free speech,” Omid Memarian, an exiled Iranian journalist and one of the campaign’s targets, told the Associated Press. The attack uses some of the same hallmarks employed by Iranian hackers in 2013. Google’s Security blog reported June 12, 2013 -- just days before the election of Iran's President Hassan Rouhani -- that security software suddenly detected tens of thousands of attacks on Iranian users.
“These campaigns, which originate from within Iran, represent a significant jump in the overall volume of phishing activity in the region,” Eric Grosse, Google’s vice president of security engineering, wrote at the time. “The timing and targeting of the campaigns suggest that the attacks are politically motivated in connection with the Iranian presidential election.”