How a hacking campaign targeted high-profile Gmail and WhatsApp users across the Middle East

On Tuesday, U.K.-based Iranian activist Nariman Gharib tweeted redacted screenshots of a phishing link sent to him via a WhatsApp message.

“Do not click on suspicious links,” Gharib warned. The activist, who is following the digital side of the Iranian protests from afar, said the campaign targeted people involved in Iran-related activities, such as himself.

This hacking campaign comes as Iran grapples with the longest nationwide internet shutdown in its history, as anti-government protests — and violent crackdowns — rage across the country. Given that Iran and its closest adversaries are highly active in offensive cyber operations (read: hacking people), we wanted to learn more.

Gharib shared the full phishing link with TechCrunch soon after his post, allowing us to capture a copy of the source code of the phishing web page used in the attack. He also shared a write-up of his findings.

TechCrunch analyzed the source code of the phishing page, and with added input from security researchers, we believe the campaign aimed to steal Gmail and other online credentials, compromise WhatsApp accounts, and conduct surveillance by stealing location data, photos, and audio recordings.

It is unclear, however, if the hackers were government-linked agents, spies, or cybercriminals — or all three.

TechCrunch also identified a way to view a real-time copy of all the victims’ responses saved on the attacker’s server, which was left exposed and accessible without a password. This data revealed dozens of victims who had unwittingly entered their credentials into the phishing site and were subsequently likely hacked.

The list includes a Middle Eastern academic working in national security studies; the boss of an Israeli drone maker; a senior Lebanese cabinet minister; at least one journalist; and people in the United States or with U.S. phone numbers.

TechCrunch is publishing our findings after validating much of Gharib’s report. The phishing site is now down.

Inside the attack chain
