Attacks/Breaches
6/13/2013
01:41 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%
Repost This

Iranians Targeted In Massive Phishing Campaign

Google spotted targeted attacks out of Iran against tens of thousands of Iranians in the run-up to the country's presidential election on Friday

Google says it has detected and derailed several email-based phishing attacks targeting tens of thousands of Iranian users during the past few weeks in what appears to be a politically motivated campaign.

Eric Grosse, vice president of security engineering at Google, said in a blog post that for three weeks Google has been spotting and disrupting the phishing emails, which contain a link to a Web page that spoofs a Google account maintenance option. "If the user clicks the link, they see a fake Google sign-in page that will steal their username and password," Grosse said in the post.

Google says the attackers behind the campaign appear to be the same group behind the compromise of digital certificates of former Dutch certificate authority DigiNotar in 2011.

"Our Chrome browser previously helped detect what appears to be the same group using SSL certificates to conduct attacks that targeted users within Iran. In this case, the phishing technique we detected is more routine: users receive an email containing a link to a web page that purports to provide a way to perform account maintenance," Grosse wrote.

"The timing and targeting of the campaigns suggest that the attacks are politically motivated in connection with the Iranian presidential election on Friday," he said.

In the wake of the DigiNotar breach in 2011, more than 500 rogue DigiNotar digital certificates were created for such high-profile domains as cia.gov, microsoft.com, Microsoft's windowsupdate.com, and mozilla.org, as well as one posing as VeriSign Root CA. In addition, more than 300,000 IP addresses, mostly in Iran, were compromised, and the hacker who breached a Comodo reseller earlier this year claimed responsibility for the DigiNotar hack.

Grosse recommends that Iranian users run Chrome and two-step authentication, and verify the URL in the address bar before typing their Google passwords: https://accounts.google.com/. "If the website's address does not match this text, please don’t enter your Google password," he said.

"Protecting our users' accounts is one of our top priorities, so we notify targets of state-sponsored attacks and other suspicious activity, and we take other appropriate actions to limit the impact of these attacks on our users," Grosse wrote.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-1421
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Craig Knudsen WebCalendar before 1.2.5, 1.2.6, and other versions before 1.2.7 allows remote attackers to inject arbitrary web script or HTML via the Category Name field to category.php.

CVE-2013-2105
Published: 2014-04-22
The Show In Browser (show_in_browser) gem 0.0.3 for Ruby allows local users to inject arbitrary web script or HTML via a symlink attack on /tmp/browser.html.

CVE-2013-2187
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Apache Archiva 1.2 through 1.2.2 and 1.3 before 1.3.8 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, related to the home page.

CVE-2013-4116
Published: 2014-04-22
lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking archives.

CVE-2013-4472
Published: 2014-04-22
The openTempFile function in goo/gfile.cc in Xpdf and Poppler 0.24.3 and earlier, when running on a system other than Unix, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names.

Best of the Web