Iranian cyberspies behind major Christmas SMS spear-phishing campaign

Christmas tree

Image: Rodion Kutsaev

An Iranian cyber-espionage group known as Charming Kitten (APT35 or Phosphorus) has used the recent winter holiday break to attack targets from all over the world using a very sophisticated spear-phishing campaign that involved not only email attacks but also SMS messages.


“Charming Kitten has taken full advantage of this timing to execute its new campaign to maximum effect,” said CERTFA, a cybersecurity organization specialized in tracking Iranian operations.

“The group started the new round of attacks at a time when most companies, offices, organizations, etc. were either closed or half-closed during Christmas holidays and, as a result, their technical support and IT departments were not able to immediately review, identify, and neutralize these cyber incidents,” it added.

CERTFA said it detected attacks targeting members of think tanks, political research centers, university professors, journalists, and environmental activists.

The victims were located in countries around the Persian Gulf, Europe, and the US.

How an attack unfolded

CERTFA researchers said that this particular campaign exhibited an advanced degree of complexity. Victims received spear-phishing messages from the attackers not only via email but also via SMS, a channel that not many threat actors use on a regular basis.

While the SMS messages posed as Google security alerts, the emails leveraged previously hacked accounts and tried to play on the festive mood with holiday-related lures.

The common denominator in both campaigns was that Charming Kitten operators managed to successfully hide their attacks behind a legitimate Google URL of https://www.google[.]com/url?q=https://script.google.com/xxxx, which would have fooled even the most tech-savvy recipients.

[Figure: the SMS lure posing as a Google security alert] Image: CERTFA

[Figure: the holiday-themed phishing email sent from a compromised account] Image: CERTFA

But under the hood, CERTFA said, the legitimate-looking Google URL bounced the user through several intermediate websites before landing them on a phishing page that asked for login credentials for personal email services such as Gmail, Yahoo, and Outlook, as well as for business email accounts.

[Figure: the redirection stages from the Google URL to the credential-phishing page] Image: CERTFA
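The defensive counterpart to the trick described above is to stop trusting the visible host of a link and instead unwrap the Google `/url?q=` redirector to see where the user will actually land. The following is an added example written for this article, not code from CERTFA or from Google; the sample SMS text and the `EXAMPLE` script path are constructed, and the set of "user-content" hosts (`script.google.com`, `sites.google.com`) is taken from the two Charming Kitten campaigns the article mentions, on the assumption that a link whose real destination is user-published content deserves a closer look.

```python
"""Unwrap Google redirector links and flag where they really lead.

Added example for this article (not CERTFA's or Google's code). It parses the
https://www.google.com/url?q=<target> pattern described in the report, follows
nested wrapping, and returns the true destination so an SMS/mail filter can
judge the landing host instead of the reassuring google.com prefix.
"""
import re
from urllib.parse import urlparse, parse_qs

# Hosts that act as an open redirector via /url?q=... (assumption: these two)
REDIRECTOR_HOSTS = {"www.google.com", "google.com"}

# Google-owned hosts serving content published by arbitrary users; both were
# abused in the campaigns the article describes (Apps Script, Google Sites).
USER_CONTENT_HOSTS = {"script.google.com", "sites.google.com"}

MAX_UNWRAP_DEPTH = 5  # bound the loop against redirector-in-redirector chains

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def unwrap_google_redirect(url: str) -> str:
    """Return the destination hidden behind a Google /url redirector.

    A URL that is not a redirector is returned unchanged. Nested wrapping is
    followed up to MAX_UNWRAP_DEPTH levels; parse_qs already percent-decodes.
    """
    for _ in range(MAX_UNWRAP_DEPTH):
        parsed = urlparse(url)
        if parsed.netloc.lower() not in REDIRECTOR_HOSTS or parsed.path != "/url":
            return url
        params = parse_qs(parsed.query)
        target = params.get("q") or params.get("url")
        if not target:
            return url
        url = target[0]
    return url


def assess_link(url: str) -> dict:
    """Compare the host the user sees with the host they would land on."""
    destination = unwrap_google_redirect(url)
    visible_host = urlparse(url).netloc.lower()
    destination_host = urlparse(destination).netloc.lower()
    wrapped = destination != url
    return {
        "visible_host": visible_host,
        "destination": destination,
        "destination_host": destination_host,
        "wrapped": wrapped,
        # The lure in the article: looks like google.com, lands somewhere else.
        "suspicious": wrapped and destination_host != visible_host,
        "user_content_host": destination_host in USER_CONTENT_HOSTS,
    }


def triage_message(text: str) -> list:
    """Extract every URL from an SMS or email body and assess each one."""
    links = [m.group(0).rstrip(".,;)") for m in URL_RE.finditer(text)]
    return [assess_link(link) for link in links]


# Constructed sample SMS modelled on the "Google security alert" lure.
SAMPLE_SMS = (
    "Google Security Alert: a suspicious sign-in was blocked. Review it now: "
    "https://www.google.com/url?q=https://script.google.com/macros/s/EXAMPLE/exec&sa=D"
)

if __name__ == "__main__":
    for result in triage_message(SAMPLE_SMS):
        print(result)
```

Run stand-alone, the script reports that the sample link displays `www.google.com` but resolves to `script.google.com`, marks it `suspicious`, and notes that the landing host serves user-published content. In a mail or SMS gateway the `destination` field, not the raw link, is what should be fed to reputation lookups and URL sandboxing.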

The CERTFA team noted that this wasn’t the first time that Charming Kitten managed to successfully hide links to spear-phishing websites behind Google URLs.

The company points to a previous report from January 2020, exposing a Charming Kitten operation that abused sites.google.com links.
