Attacks/Breaches
6/13/2013
01:41 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Iranians Targeted In Massive Phishing Campaign

Google spotted targeted attacks out of Iran against tens of thousands of Iranians in the run-up to the country's presidential election on Friday

Google says it has detected and derailed several email-based phishing attacks targeting tens of thousands of Iranian users during the past few weeks in what appears to be a politically motivated campaign.

Eric Grosse, vice president of security engineering at Google, said in a blog post that for three weeks Google has been spotting and disrupting the phishing emails, which contain a link to a Web page that spoofs a Google account maintenance option. "If the user clicks the link, they see a fake Google sign-in page that will steal their username and password," Grosse said in the post.

Google says the attackers behind the campaign appear to be the same group behind the compromise of digital certificates of former Dutch certificate authority DigiNotar in 2011.

"Our Chrome browser previously helped detect what appears to be the same group using SSL certificates to conduct attacks that targeted users within Iran. In this case, the phishing technique we detected is more routine: users receive an email containing a link to a web page that purports to provide a way to perform account maintenance," Grosse wrote.

"The timing and targeting of the campaigns suggest that the attacks are politically motivated in connection with the Iranian presidential election on Friday," he said.

In the wake of the DigiNotar breach in 2011, more than 500 rogue DigiNotar digital certificates were created for such high-profile domains as cia.gov, microsoft.com, Microsoft's windowsupdate.com, and mozilla.org, as well as one posing as VeriSign Root CA. In addition, more than 300,000 IP addresses, mostly in Iran, were compromised, and the hacker who breached a Comodo reseller earlier this year claimed responsibility for the DigiNotar hack.

Grosse recommends that Iranian users run Chrome and two-step authentication, and verify the URL in the address bar before typing their Google passwords: https://accounts.google.com/. "If the website's address does not match this text, please don’t enter your Google password," he said.

"Protecting our users' accounts is one of our top priorities, so we notify targets of state-sponsored attacks and other suspicious activity, and we take other appropriate actions to limit the impact of these attacks on our users," Grosse wrote.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4734
Published: 2014-07-21
Cross-site scripting (XSS) vulnerability in e107_admin/db.php in e107 2.0 alpha2 and earlier allows remote attackers to inject arbitrary web script or HTML via the type parameter.

CVE-2014-4960
Published: 2014-07-21
Multiple SQL injection vulnerabilities in models\gallery.php in Youtube Gallery (com_youtubegallery) component 4.x through 4.1.7, and possibly 3.x, for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) listid or (2) themeid parameter to index.php.

CVE-2014-5016
Published: 2014-07-21
Multiple cross-site scripting (XSS) vulnerabilities in LimeSurvey 2.05+ Build 140618 allow remote attackers to inject arbitrary web script or HTML via (1) the pid attribute to the getAttribute_json function to application/controllers/admin/participantsaction.php in CPDB, (2) the sa parameter to appl...

CVE-2014-5017
Published: 2014-07-21
SQL injection vulnerability in CPDB in application/controllers/admin/participantsaction.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to execute arbitrary SQL commands via the sidx parameter in a JSON request to admin/participants/sa/getParticipants_json, related to a search parameter...

CVE-2014-5018
Published: 2014-07-21
Incomplete blacklist vulnerability in the autoEscape function in common_helper.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to conduct cross-site scripting (XSS) attacks via the GBK charset in the loadname parameter to index.php, related to the survey resume.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Where do information security startups come from? More important, how can I tell a good one from a flash in the pan? Learn how to separate ITSec wheat from chaff in this episode.