Citizen Lab: elaborate phishing attack targets Iranian diaspora, dissidents

It begins with a phone call from a UK phone number, with callers speaking in either English or Farsi.

But a new report from researchers at the University of Toronto's Citizen Lab says these calls are part of ongoing attacks against targets in Iran’s diaspora - and at least one Western activist. They're part of an attempt to bypass protections provided by what is known as “two-factor authentication” in Gmail.

Two-factor authentication is used by services such as Gmail and Dropbox to increase account security against password theft and “phishing,” a general term for what the RCMP describes as e-mails, text messages, and websites fabricated by malicious actors, and designed to look like they come from reputable businesses and government agencies. It's an attempt to collect personal, financial, and sensitive information.

Until now, this kind of attack was associated with financial fraudsters – not seen as politically motivated – and the report is making headlines around the world. (Read the Los Angeles Daily News article. Read The Daily Beast article. Read the Saudi Gazette article.)

The most common form of two-factor authentication requires users to enter their regular password followed by a single-use code which is sent by text message to their previously registered phone. Two-factor authentication requires that both the password and code be entered in order to login, rendering stolen passwords useless.

“While attacks against two-factor authentication are widely documented in the context of online fraud, the rise in use of two-factor authentication by users of free online services may be leading other categories of attackers, such as political attackers, to begin developing their own versions of these attacks,” said Citizen Lab Research Fellow John Scott-Railton, one of the report’s authors.

“Although “real time” attacks against two-factor authentication have existed for at least a decade, there are few public reports of such attacks against political targets,” Scott-Railton said. “It may be that, as more people start using two-factor authentication, politically-motivated actors have had to resort to the playbook that financial criminals have written.”

In the report, entitled “London Calling: Two-Factor Authentication Phishing From Iran,” Citizen Lab researchers identified three types of “real time” attack, with the assistance of the Iranian targets and other security researchers. The first attack attempts to phish both the user’s password and the two-factor authentication code by tricking victims into thinking that someone is trying to access their account. The attacker does this by showing fraudulent pages that simulate Gmail’s two-step login process to the victim, which allows the attacker to collect the victim’s input, while simultaneously logging in to the real Gmail page. 

The second attack, which the researchers tie to the same actors, begins with a call from a number in the UK, promising to send the target a proposal. The target would receive an email after the phone call that looks similar to a Google Drive shared file notification. 

“Clicking on the link contained in the email leads to a fake login page for Google Drive and a fake two-factor authentication page, thereby allowing the attacker to harvest both the password and the two-factor authentication code at the same time,” said Katie Kleemola, senior security researcher at the Citizen Lab in U of T’s Munk School of Global Affairs.

The third type of attack poses as a request from a member of the media. One such attack targeted Jillian York, director for international freedom of expression at the Electronic Frontier Foundation. York's work includes extensive professional contact with Iranian advocacy groups.

As with the other attacks, she received an e-mail masquerading as a Google Drive e-mail share but which was, in fact, a link to a phishing site. She is the only non-Iranian target that the researchers are aware of.

These findings suggest that by using two-factor authentication and staying vigilant, the targeted users were able to stay safe. 

“Implementing two-factor authentication on all of your accounts is an important security step for everyone,” said Kleemola.