Hackers Impersonate Journalists For High Profile Hacks

  • Emails were camouflaged to appear to originate from Fassihi's personal Gmail account in order to lure victims into responding.
  • The study, however, does not reveal whether the campaign that targeted Kasraie and others was successful.

Researchers from a London-based security firm discovered a phishing campaign that attempts to steal victims' passwords and credentials. The researchers who discovered the campaign believe the advanced persistent threat (APT) group Charming Kitten is responsible. The group, also known as APT35, is believed to have ties with the Iranian government.

About the new campaign

The campaign was launched in November 2019 and is still ongoing, according to the report by the security firm Certfa Lab.

  • Researchers said the hackers pose as Farnaz Fassihi, a former Wall Street Journal reporter and Iranian-American journalist, and send documents containing potential interview questions.
  • Emails were camouflaged to appear to originate from Fassihi's personal Gmail account in order to lure victims into responding.
  • The campaign was apparently designed to target eminent Iranian figures, including Iranian-born German academic Erfan Kasraie.

How do they operate?

According to Certfa researchers, their “findings show that these new attacks by Charming Kitten are focused on stealing email account information of the victims and finding information about their contacts [and] networks."

  • When the target clicks on the email link, which embeds social media links to legitimate Wall Street Journal and Dow Jones websites, they are redirected to the genuine news sites.
  • The real activity happens in the background: the attackers begin collecting information about the victim's device, including details from the browser history.
  • After establishing a level of trust with the victims, the hackers send another message with a link to a page containing the interview questions along with the Journal's logo. The page is hosted on the cloud-based Google Sites platform.
  • During the final stage of the attack, the hackers attempt to deploy malware that acts as a backdoor.
  • It alters Windows' firewall and registry settings, allowing the attackers to gather information from the victim’s device.
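A defender-side triage check for the lure traits described above (a well-known journalist's display name on an unrelated webmail address, and a questions page hosted on Google Sites), written here as an added example rather than code from Certfa's report; the contact allowlist, the addresses and the sample message are all constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical allowlist: display names the recipient corresponds with, mapped to
# the addresses actually on file (constructed; real addresses are not on the page).
KNOWN_CONTACTS = {"farnaz fassihi": {"reporter@example-newsroom.test"}}

# Constructed sample modelled on the lure: journalist's name on a free webmail
# address, a link to a genuine news site, and a Google Sites "questions" page.
SAMPLE_EMAIL = """\
From: "Farnaz Fassihi" <f.fassihi.interview@gmail.com>
To: academic@example.org
Subject: Interview request
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com
Content-Type: text/plain; charset="utf-8"

Dear Professor, my previous work is at https://www.wsj.com/
The questions are here: https://sites.google.com/view/interview-questions
"""


def auth_results(msg):
    """Return {mechanism: result} parsed from the Authentication-Results header."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))


def links(msg):
    """Extract http(s) URLs from the plain-text body."""
    body = msg.get_body(preferencelist=("plain",)).get_content()
    return re.findall(r"https?://[^\s<>\"']+", body)


def triage(raw):
    """Return a list of findings; an empty list means none of the lure traits matched."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg["From"])
    findings = []
    # A real free-mail account passes SPF/DKIM, so authentication alone will not
    # catch this lure; the mismatch between a known name and an unknown address does.
    known = KNOWN_CONTACTS.get(name.strip().lower())
    if known is not None and addr.lower() not in known:
        findings.append(f"display name '{name}' used with unknown address {addr}")
    auth = auth_results(msg)
    for mech in ("spf", "dkim"):
        if auth.get(mech) != "pass":
            findings.append(f"{mech} did not pass ({auth.get(mech, 'missing')})")
    for url in links(msg):
        host = urlparse(url).hostname or ""
        if host == "sites.google.com" or host.endswith(".sites.google.com"):
            findings.append(f"link to free-hosted page: {url}")
    return findings
```

Because the sample sender is a genuine Gmail account, SPF and DKIM pass; the only signals are the name/address mismatch and the Google Sites link.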

Analysis of the campaign and connection with Charming Kitten

Researchers claimed, "This method is a relatively new tactic that has been widely used in phishing attacks by hackers in the past year in order to make the targets trust the destination domain. ... By using this tactic, the hacker can evade the spam detections."

The study, however, does not reveal whether the campaign that targeted Kasraie and others was successful in compromising their passwords and other credentials. According to a Certfa spokesperson, some potential victims are yet to come forward.

Regarding the link with Charming Kitten, researchers observed a similarity to the way Charming Kitten has targeted private and government institutions, think tanks, and academic institutions across the world.

Moreover, a Microsoft report from October 2019 disclosed that Charming Kitten targeted email accounts associated with the Trump 2020 presidential campaign, as well as current and former U.S. government officials. It also made attempts on journalists covering global politics and on prominent Iranian expatriates.