Iranian APT35 Group Posing as Journalist to Phish Victims

IRAN: The Iranian-backed threat group known as APT35 or Charming Kitten has recently used phishing email messages claiming to be a journalist to trick victims. The phishing campaign targets political figures and human rights activists, attempting to lure them into sharing their passwords on fake login pages, according to researchers at Certfa. The lure begins with an email asking for an interview and includes shortened links to real news websites that collect information about the victim’s browser and IP address before redirecting to the news story. After the initial email exchange, the threat group sends a link to a file containing interview questions, hosted on Google Sites to make the link appear safe. The Google Site page redirects the victim to a fake login page hosted on the domain two-step-checkup[.]site. If the victim enters their login information on this page, the attacker will steal their username, password, and two-factor authentication code. This enables the attacker to access the victim’s account and steal sensitive information.

Analyst Notes

It has become more common recently for attackers to host phishing content on well-known and trusted services such as Google Sites, Google Drive, and GitHub, because email security filters that would block links to suspicious domains often allow links to these services through. Employees should be reminded to double-check the address shown in their browser before entering any login information, since the page they land on may not be the one the email link appeared to point to. It is also important to verify the claimed identity of a reporter before engaging in a conversation. Reporters typically provide an email address or another contact method in the articles they publish; use those contact channels rather than replying directly to the email if anything looks suspicious.
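One way to surface the redirect pattern described above in web proxy data, as an added example that is not part of the original brief: the script below parses constructed proxy log lines (client, requested URL, Referer) and flags requests where a trusted hosting domain refers the browser to a login-like page on a host outside an allowlist. The trusted-hoster set, the login keywords, the log format, and the allowlist are assumptions for the example.

```python
"""Flag trusted-hoster -> untrusted login-page redirects in proxy logs (constructed example)."""
from urllib.parse import urlparse

# Assumed: hosting services commonly abused to lend legitimacy to a phishing link.
TRUSTED_HOSTERS = {"sites.google.com", "drive.google.com", "github.com"}
# Assumed: path/query fragments that suggest a credential-entry page.
LOGIN_HINTS = ("login", "signin", "password", "verify", "auth")

# Constructed proxy log: "<client> <requested_url> <referer-or-dash>".
# The second line mirrors the brief: a Google Sites page sending the victim
# to the credential-harvesting domain named in the report.
SAMPLE_LOG = """\
10.0.0.5 https://sites.google.com/view/interview-questions -
10.0.0.5 https://two-step-checkup.site/login?step=1 https://sites.google.com/view/interview-questions
10.0.0.5 https://accounts.google.com/signin https://sites.google.com/view/other-doc
10.0.0.7 https://github.com/example-org/example-repo -
"""


def parse_log(text):
    """Return (client, url, referer) tuples; a '-' referer becomes None."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, url, referer = line.split()
        events.append((client, url, None if referer == "-" else referer))
    return events


def is_login_like(url):
    """Heuristic: does the path or query look like a credential-entry page?"""
    p = urlparse(url)
    haystack = (p.path + "?" + p.query).lower()
    return any(hint in haystack for hint in LOGIN_HINTS)


def find_suspicious(events, allowed_login_hosts):
    """Flag requests referred by a trusted hoster to a login-like page on an unexpected host."""
    hits = []
    for client, url, referer in events:
        if referer is None:
            continue
        ref_host = urlparse(referer).hostname
        dst_host = urlparse(url).hostname
        if ref_host in TRUSTED_HOSTERS and dst_host not in allowed_login_hosts and is_login_like(url):
            hits.append((client, referer, url))
    return hits


if __name__ == "__main__":
    for client, referer, url in find_suspicious(parse_log(SAMPLE_LOG), {"accounts.google.com"}):
        print(f"SUSPICIOUS {client}: {referer} -> {url}")
```

The allowlist should contain the identity providers your users legitimately sign in to; anything else reached from a hosting service and asking for credentials merits a closer look.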
For more information, please see: