
Iranian hackers set up fake news website, and posed as journalists on Facebook to spy on United States and others

Graham CLULEY

May 29, 2014

Security researchers claim to have uncovered a three-year-old internet espionage campaign, targeting military personnel, diplomats, and defence contractors in the United States and Israel.

The campaign, dubbed “NEWSCASTER” by iSIGHT Partners, saw more than a dozen fake profiles created on social networking sites like Facebook, Twitter and LinkedIn, pretending to be journalists, government or defence workers.

The hackers managed to dupe at least 2000 potential targets into connecting with them on social networks, increasing their credibility in the eyes of others by being seen to have existing business and social relationships.

Amongst other tactics, the hackers are said to have created a bogus news website – newsonair.org (not to be confused with newsonair.com, a legitimate Indian news operation) – that plagiarised news content from other sources.

From my exploration the site does indeed scrape content from legitimate news outlets. For instance, here is a story that newsonair.org published in September 2013 about the iPhone 5S fingerprint sensor quoting me:

And here is the original article, published by CNN:

Now, scraping legitimate news websites – although deeply annoying to those who have worked hard and spent money creating that content – sadly isn’t unusual, and definitely isn’t evidence of internet espionage.

But it should make observers question the legitimacy of the site, and the journalistic credentials of anyone who claims to be connected with it.

In its report, iSIGHT Partners says that the motivation behind the cybercriminal campaign was to steal login credentials for victims’ email accounts, by sending them phishing messages that asked them to log in to webpages (presumably to view breaking news articles).

In some cases these phishing pages would have probably presented themselves as the login pages for social networks like Facebook.

It’s not a sophisticated method of attack, but with many users lazily choosing to recycle the same passwords on multiple websites it could lead to hackers gaining access to the login credentials for other important sites, from where they could glean information and conduct reconnaissance.

In addition, iSIGHT Partners says that the attackers used “not particularly sophisticated” malware to exfiltrate data from compromised computers.

The investigators strongly suspect that the threat originated in Iran. This is partly based upon the location of the victims targeted (United States, Israel, Iraq, UK, Saudi Arabia), but also – perhaps surprisingly – upon the hours that the hackers kept:

Though the timing of the social network attack may seem irregular at first, over multiple years the schedule behind the activity becomes apparent. They maintained a regular schedule, including what appears to be a lengthy lunch break followed by the remainder of the work day. These hours conform to work hours in Tehran. Furthermore, the operators work half the day on Thursday and rarely work on Friday, the Iranian weekend. Other clues, such as the targets on which the operators have chosen to focus and additional technical indicators, lead us to believe NEWSCASTER originates in Iran.
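The kind of timing analysis described in that quote can be sketched as follows. This is an added example, not code from the iSIGHT Partners report or from this article: it converts activity timestamps to several candidate UTC offsets and checks which one makes the activity look like an office schedule. The 09:00-17:59 work window, the fixed offsets (daylight saving is ignored) and the timestamps themselves are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

WORK_HOURS = range(9, 18)   # assumed office day: 09:00-17:59 local
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

def profile(events_utc, offset_hours):
    """Hour-of-day and weekday histograms of events seen at a fixed UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    local = [e.astimezone(tz) for e in events_utc]
    return Counter(t.hour for t in local), Counter(t.weekday() for t in local)

def work_hour_fit(events_utc, offset_hours):
    """Fraction of events that fall inside WORK_HOURS at this offset."""
    hours, _ = profile(events_utc, offset_hours)
    return sum(n for h, n in hours.items() if h in WORK_HOURS) / len(events_utc)

def best_offset(events_utc, candidates):
    """Candidate offset under which the activity looks most like an office day."""
    return max(candidates, key=lambda off: work_hour_fit(events_utc, off))

def weekday_load(events_utc, offset_hours):
    """Per-weekday volume relative to the busiest day (0.0 = never active)."""
    _, days = profile(events_utc, offset_hours)
    peak = max(days.values())
    return {name: days.get(i, 0) / peak for i, name in enumerate(DAYS)}

def sample_events():
    """Constructed data: four weeks of activity on a UTC+3:30 office schedule."""
    tz = timezone(timedelta(hours=3.5))
    start = datetime(2014, 1, 4, tzinfo=tz)            # a Saturday
    events = []
    for n in range(28):
        day = start + timedelta(days=n)
        if day.weekday() == 4:                         # Friday: no activity
            continue
        hours = [9, 10, 11, 12]                        # morning
        if day.weekday() != 3:                         # Thursday is a half day
            hours += [14, 15, 16, 17]                  # afternoon, after lunch gap
        for h in hours:
            for m in (5, 55):
                events.append(day.replace(hour=h, minute=m).astimezone(timezone.utc))
    return events

if __name__ == "__main__":
    ev = sample_events()
    off = best_offset(ev, [-5, 0, 1, 2, 3, 3.5, 4, 5.5, 8])
    print("best-fitting UTC offset:", off)
    print("weekday load:", weekday_load(ev, off))
    print("events in the 13:00 hour:", profile(ev, off)[0][13])
```

A good fit only shows that the activity is consistent with a given offset and work week; it is one indicator to weigh alongside others, not proof of origin.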

It is, of course, always hard to be 100% certain when pointing a finger at a particular country regarding an internet attack. It is, after all, very easy to cover your tracks on the net, and disguise an internet attack to give the impression of coming from a different country.

It is even harder still to prove an attack was state-sponsored, and had the backing of a particular government.

At the same time, it would be wise not to be naive. Ultimately, you have to ask yourself who would have the most to gain from spying on particular countries and particular organisations within those states.

This particular attack may have been relatively low-tech, but it does underline that everyone needs to be vigilant about who they trust online – whether it be a news website or a new connection on a social network. Vigilance can help prevent your organisation from being the next one successfully targeted.

In addition, always use strong, hard-to-crack passwords and ensure that you are never re-using the same passwords on multiple sites.
