Bungling Iranian hackers who seem to be low on patience have developed a new scheme for trying to trick targets into granting access to their online accounts, according to a new report from the University of Toronto’s Citizen Lab.
Those targets have included Iranians living around the world and one American who works for the California-based Electronic Frontier Foundation.
Normally, hackers will use a scam called phishing to obtain passwords from their victims. Once they have a password, perpetrators can use it to access victims’ accounts. However, most email and social media sites now permit users to use two-factor authentication, which requires users to submit a code sent to their cellphone in addition to their password. Typically, that mechanism is sufficient to stop hackers from gaining access to accounts.
More recently, researchers John Railton and Katie Kleemola say Iranian hackers have been trying a technique known as “real-time” two-factor phishing. The hackers would send victims multiple messages through a variety of channels in an effort to obtain both their password and the accompanying authentication code. In one example, a target received a fake text message informing them that their Gmail account had been compromised. They subsequently received an official-looking email to the same effect.
The victim was intended to open the fake email, which came from the official-sounding “support.googlemail.com,” click a “password reset” link, and enter their password. The hackers would then enter the information on the user’s authentic account, which would result in the victim receiving an authentication code on their cellphone. Once the intended victim entered the authentication code on the fake form, the hackers would have all the credentials to access the user’s real account.
However, one intended victim stopped after entering a password. “Over the next hour,” the report said, “perhaps growing frustrated, the attackers sent the target a stream of fake SMS [text] messages. These messages purported to be a Google [two-factor] verification code. The target received more than 10 messages in short succession.”
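As an added illustration, not part of the article or the Citizen Lab report, the following Python flags the pattern described above in a phone's SMS history: a flood of verification-code texts, and codes that claim to be from Google but arrive from an untrusted sender. The message log, the trusted sender ID and the thresholds are constructed assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample SMS log (timestamp, sender, text), not data from the report:
# one real code, one unrelated text, then twelve fake "verification codes" from
# an unknown number over ~45 minutes, mimicking the flood the report describes.
FAKE_TIMES = [f"2015-08-27T08:{5 + 4 * i:02d}:00" for i in range(12)]
SMS_LOG = [
    ("2015-08-27T08:00:00", "Google", "Your Google verification code is 483920"),
    ("2015-08-27T08:02:00", "Mom", "Call me when you land"),
] + [(ts, "+447700900123", f"G-{100000 + i} is your Google verification code.")
     for i, ts in enumerate(FAKE_TIMES)]

TRUSTED_SENDERS = {"Google"}  # assumed sender ID of the genuine provider
CODE_RE = re.compile(r"\b(?:G-)?\d{6}\b")
OTP_WORDS_RE = re.compile(r"verification code|security code", re.I)

def is_otp_message(text):
    """A text looks like a 2FA code if it carries a 6-digit code plus OTP wording."""
    return bool(CODE_RE.search(text) and OTP_WORDS_RE.search(text))

def spoofed_code_messages(log, trusted=TRUSTED_SENDERS):
    """OTP-looking texts that name Google but come from an untrusted sender."""
    return [m for m in log
            if is_otp_message(m[2]) and "google" in m[2].lower() and m[1] not in trusted]

def find_otp_bursts(log, window=timedelta(hours=1), threshold=10):
    """One alert {start, end, count, senders} per run of >threshold codes in a window."""
    recent, alerts, in_burst = deque(), [], False
    for ts, sender, text in sorted(log):   # ISO timestamps sort chronologically
        if not is_otp_message(text):
            continue
        t = datetime.fromisoformat(ts)
        recent.append((t, sender))
        while t - recent[0][0] > window:   # drop codes older than the window
            recent.popleft()
        if len(recent) <= threshold:
            in_burst = False
            continue
        if not in_burst:                   # first crossing opens a new alert
            alerts.append({"start": recent[0][0], "end": t, "count": len(recent),
                           "senders": {s for _, s in recent}})
            in_burst = True
        else:                              # later codes extend the open alert
            alerts[-1].update(end=t, count=alerts[-1]["count"] + 1)
            alerts[-1]["senders"].add(sender)
    return alerts
```

Calling `find_otp_bursts(SMS_LOG)` on the constructed log yields a single alert covering all thirteen code texts, and `spoofed_code_messages(SMS_LOG)` returns the twelve that name Google but come from the unknown number.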
A similar case involved Jillian York, the director for international freedom of expression at the Electronic Frontier Foundation. York, who lives in Germany, reported being awakened one morning by an Iranian man calling her from the United Kingdom. The man said he was from Reuters and needed to send her an email. She subsequently received the email from “Reutures” with a document attached. “The accessibility is exclusive,” the email assured.
York declined to open the attachment, which would have allowed the attacker to access York’s computer. The man called back, York reported, at one point saying, “This is from my personal address! Just open it!” He then called more than 30 times in the following day and attempted to reset her Facebook password multiple times.
The report notes that the scheme isn’t entirely new; common criminals have also tried it over the years. “It may be,” the researchers observe, “that, as a growing number of potential targets have begun using two-factor authentication on their email accounts out of a concern for their security, politically-motivated attackers are borrowing from a playbook that financial criminals have written over the past decade.”
However, they also say that with so much effort involved, it is unlikely to represent a long-term solution for Iran’s hacking needs, writing, “The effort involved suggests that, without serious automation, this attack technique will not scale well.”