Unidentified actors believed to be linked to the government of Iran are using sophisticated attacks on Google’s two-factor authentication technology to break into the e-mail accounts of individuals within the country and in the Iranian diaspora, according to a report on Thursday from Citizen Lab. The attacks on part of a sophisticated operation that includes in-depth research on potential targets, including at least one prominent researcher affiliated with the Electronic Frontier Foundation. The attacks combine sophisticated phishing attacks, customized malware and even phone solicitations in an effort to lure targets into divulging both their e-mail password and one time passwords used to secure those accounts.
The Citizen Lab report, by John Scott-Railton and Kate Kleemola, says that an analysis of the recent attacks suggests links to “Iranian threat actors” and says the group has “documented a growing number of these attacks” and has reports that they are going on both within Iran and outside the country. FTC Commissioner Julie Brill will speak at the Sept. 10th Security of Things Forum in Cambridge, MA. Click the image to reserve your place! FTC Commissioner Julie Brill will speak at the Sept. 10th Security of Things Forum in Cambridge, MA. Click the image to reserve your place!
Citizen Lab notes that sophisticated phishing campaigns – including against Gmail accounts – are nothing new. In recent years, hackers with links to the Iranian regime have been fingered for attacks on certificate authorities like the Dutch firm Diginotar. The goal of those hacks was to make off with SSL certificates for prominent firms, including Google, that could be used to conduct surreptitious “man in the middle” campaigns in which the Iranian government intercepted and monitored email traffic to and from Google’s servers.
But the report says that these attacks take the campaign to a new level by trying to defeat two factor authentication features that many web mail users have adopted as an added security measure in recent years.
“The rise in use of 2FA by users of free online services may be leading other categories of attackers, such as political attackers, to begin developing their own versions of these attacks,” Citizen Lab notes.
In the case of the Iran-linked attacks, the attackers tried a variety of methods to trick Gmail users into divulging their password in addition to the secure one time code generated by Google’s two factor authentication feature using so-called “real time” attacks.
Targets were sent legitimate seeming SMS messages from Google and phishing e-mails specific to the recipient and designed to look like official notifications from Google warning of an attempt to sign into the user’s account. Ironically, the phony warnings mentioned attempts to log in from “The Iran.”
The real time attacks relied on phishing pages controlled by the attackers that would capture both the user’s password and one time passcode, which were then used by the attackers to access their account.
Other attacks relied on more personal means: phone calls from would-be business partners or journalists to targets. In each case, the caller evinced an in-depth knowledge of the target’s background, activities and interests. Those calls were likewise followed by e-mail messages containing malicious attachments or links to phishing web sites.
In at least one case, Jillian York, a researcher for the Electronic Frontier Foundation reported a string of 30 phone calls from a would be attacker urging her to open a suspicious attachment, as well as coordinated attacks on her Facebook page, which was likewise protected using two factor authentication.
Details from the attack, including WHOIS information from spoofed web domains and fake e-mail addresses link the attacks to other APT-style attacks with links to Iran, including “Operation Saffron Rose,” a campaign associated with a group dubbed Ajax Security Team.
Citizen Lab said that the attacks underscore the difficulty that two factor authentication poses for would be attackers who are intent on account takeovers. The organization recommends that users concerned about security implement 2FA on as many accounts as will support it. It also recommended scrutinizing any official messages purporting to be from mail or application providers, verifying that the domain is using secure HTTP with a valid domain certificate.