Attacks/Breaches
6/13/2013
01:41 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Iranians Targeted In Massive Phishing Campaign

Google spotted targeted attacks out of Iran against tens of thousands of Iranians in the run-up to the country's presidential election on Friday

Google says it has detected and derailed several email-based phishing attacks targeting tens of thousands of Iranian users during the past few weeks in what appears to be a politically motivated campaign.

Eric Grosse, vice president of security engineering at Google, said in a blog post that for three weeks Google has been spotting and disrupting the phishing emails, which contain a link to a Web page that spoofs a Google account maintenance option. "If the user clicks the link, they see a fake Google sign-in page that will steal their username and password," Grosse said in the post.

Google says the attackers behind the campaign appear to be the same group behind the compromise of digital certificates of former Dutch certificate authority DigiNotar in 2011.

"Our Chrome browser previously helped detect what appears to be the same group using SSL certificates to conduct attacks that targeted users within Iran. In this case, the phishing technique we detected is more routine: users receive an email containing a link to a web page that purports to provide a way to perform account maintenance," Grosse wrote.

"The timing and targeting of the campaigns suggest that the attacks are politically motivated in connection with the Iranian presidential election on Friday," he said.

In the wake of the DigiNotar breach in 2011, more than 500 rogue DigiNotar digital certificates were created for such high-profile domains as cia.gov, microsoft.com, Microsoft's windowsupdate.com, and mozilla.org, as well as one posing as VeriSign Root CA. In addition, more than 300,000 IP addresses, mostly in Iran, were compromised, and the hacker who breached a Comodo reseller earlier this year claimed responsibility for the DigiNotar hack.

Grosse recommends that Iranian users run Chrome and two-step authentication, and verify the URL in the address bar before typing their Google passwords: https://accounts.google.com/. "If the website's address does not match this text, please don’t enter your Google password," he said.

"Protecting our users' accounts is one of our top priorities, so we notify targets of state-sponsored attacks and other suspicious activity, and we take other appropriate actions to limit the impact of these attacks on our users," Grosse wrote.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4725
Published: 2014-07-27
The MailPoet Newsletters (wysija-newsletters) plugin before 2.6.7 for WordPress allows remote attackers to bypass authentication and execute arbitrary PHP code by uploading a crafted theme using wp-admin/admin-post.php and accessing the theme in wp-content/uploads/wysija/themes/mailp/.

CVE-2014-4726
Published: 2014-07-27
Unspecified vulnerability in the MailPoet Newsletters (wysija-newsletters) plugin before 2.6.8 for WordPress has unspecified impact and attack vectors.

CVE-2014-2363
Published: 2014-07-26
Morpho Itemiser 3 8.17 has hardcoded administrative credentials, which makes it easier for remote attackers to obtain access via a login request.

CVE-2014-2625
Published: 2014-07-26
Directory traversal vulnerability in the storedNtxFile function in HP Network Virtualization 8.6 (aka Shunra Network Virtualization) allows remote attackers to read arbitrary files via crafted input, aka ZDI-CAN-2023.

CVE-2014-2626
Published: 2014-07-26
Directory traversal vulnerability in the toServerObject function in HP Network Virtualization 8.6 (aka Shunra Network Virtualization) allows remote attackers to create files, and consequently execute arbitrary code, via crafted input, aka ZDI-CAN-2024.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.