The Iran-linked APT is targeting Israeli scholars and U.S. government employees in a credential-stealing effort.

The Iran-affiliated APT known as Charming Kitten is back with a new approach, impersonating Persian-speaking journalists via WhatsApp and LinkedIn, in order to con victims into opening malicious links. The targets are Israeli scholars from Haifa and Tel Aviv universities, and U.S. government employees, researchers said.

According to an analysis from Clearsky, the latest gambit was first spotted in July. The attackers have been pretending to be known writers for the Deutsche Welle and/or Jewish Journal outlets, and approach targets via email as well as WhatsApp messages and calls. To lend verisimilitude to their impersonations, the cybercriminals also set up fake LinkedIn profiles corresponding to the journalists’ names, and have been sending out LinkedIn messages to corner victims as well. The end game is to convince a target to click on a malicious link, which takes users to a phishing page that steals credentials.

“The malicious link is embedded in a legitimate, compromised Deutsche Welle domain, with waterhole methods,” according to a writeup from Clearsky, issued last week. “Each victim receives a personalized link, tailored to their specific email account. We identified an attempt to send a malicious ZIP file to the victim as well, additional to a message that was sent to the victim via a fake LinkedIn profile.”

This approach is a marked departure from Charming Kitten’s usual M.O., which tends to rely on emails and SMS.

“These two platforms enable the attacker to reach the victim easily, spending minimum time in creating the fictitious social-media profile,” according to Clearsky. “However, in this campaign Charming Kitten has used a reliable, well-developed LinkedIn account to support their email spear-phishing attacks…[we also] observed a willingness of the attackers to speak on the phone directly with the victim, using WhatsApp calls, and a legitimate German phone number. This [tactic, technique and procedure] (TTP) is uncommon and jeopardizes the fake identity of the attackers.”

Charming Kitten Returns with WhatsApp, LinkedIn Effort