Check Point Research recently uncovered an Iranian spear-phishing operation aimed at former Israeli officials, high-ranking military personnel, research fellows at research institutions and think tanks, and Israeli citizens. The attackers used custom phishing infrastructure as well as a wide array of fake email accounts to impersonate trusted parties. They even took over some victims' inboxes in order to establish deeper trust with new targets, hijacking existing email conversations between a target and a trusted party and continuing those conversations to launch their attacks.
To disguise their phishing links, the threat actors used a fake URL shortener called Litby[.]us. The group was also seen using a legitimate identity verification service called validation[.]com to steal identity documents.
High profile targets of this operation include:
- Tzipi Livni – former Foreign Minister and Deputy Prime Minister of Israel
- Former Major General who served in a highly sensitive position in the Israeli Defense Forces (IDF)
- Chair of one of Israel’s leading security think tanks
- Former US Ambassador to Israel
- Former Chair of a well-known Middle East research centre
- Senior executive in the Israeli defense industry
The threat actors showed some level of sophistication by creating their own URL shortener service, Litby[.]us, which likely masquerades as the popular Bitly[.]com URL shortener. Litby looks like a generic URL shortening service, though the website has no real functionality. While not confirmed, Litby is believed to have been created by the threat actors as part of their own infrastructure rather than obtained through compromise.
Check Point researchers noticed that each URL path used in the campaign contained indicators customized for the individual target. The shortened URLs typically redirect to a malicious login page or to some kind of document hosted on OneDrive or Google Drive. The goal of this campaign was to obtain access to the victims' inboxes.
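As an added defensive example (not code from the Check Point research), the following Python script scans constructed proxy-log lines for the two domains the write-up names and for hosts whose second-level label is within one edit of, or an anagram of, a legitimate shortener's label, which is how "litby" is caught as a rearrangement of "bitly". The sample log lines and the bit1y.com host are constructed for illustration.

```python
import re
from urllib.parse import urlparse
# Domains named in the Check Point write-up (defanging brackets removed).
KNOWN_CAMPAIGN_DOMAINS = {"litby.us", "de-ma.online"}
# Legitimate shorteners a lookalike may imitate; bitly.com is the one the page names.
LEGIT_SHORTENERS = {"bitly.com", "bit.ly"}
def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]
def second_level_label(host):
    """'litby.us' -> 'litby' (crude: ignores multi-part public suffixes)."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]
def is_shortener_lookalike(label):
    """Within one edit of, or an anagram of, a shortener label ('litby' is an anagram of 'bitly')."""
    for legit in LEGIT_SHORTENERS:
        ref = second_level_label(legit)
        if label == ref or levenshtein(label, ref) <= 1 or sorted(label) == sorted(ref):
            return True
    return False
def classify_host(host):
    host = host.lower().rstrip(".")
    if host in KNOWN_CAMPAIGN_DOMAINS or any(host.endswith("." + d) for d in KNOWN_CAMPAIGN_DOMAINS):
        return "known-campaign-domain"
    if host in LEGIT_SHORTENERS:
        return "legit-shortener"
    return "lookalike-shortener" if is_shortener_lookalike(second_level_label(host)) else "unknown"

# Constructed sample proxy-log lines (not real traffic); the litby.us path is the one the page cites.
SAMPLE_LOG = """\
2022-06-14T09:12:03Z alice GET https://docs.google.com/document/d/example ALLOW
2022-06-14T09:13:41Z alice GET https://litby.us/Shagrir/verification.html ALLOW
2022-06-14T09:15:02Z bob GET https://bitly.com/3xample ALLOW
2022-06-14T09:16:19Z carol GET https://bit1y.com/login ALLOW
2022-06-14T09:18:55Z dave GET https://de-ma.online/verify ALLOW
"""
def scan_log(text):
    """(url, verdict) for each URL whose host is a known campaign domain or a shortener lookalike."""
    verdicts = ((u, classify_host(urlparse(u).hostname or "")) for u in re.findall(r"https?://\S+", text))
    return [(u, v) for u, v in verdicts if v not in ("unknown", "legit-shortener")]

if __name__ == "__main__":
    for url, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:24} {url}")
```

The anagram check is deliberately narrow; in production the label comparison should be run against the organisation's own allow-list of shorteners and a proper public-suffix list.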
“The phishing pages include several stages: asking the user for their account ID followed by an SMS code verification page. It is interesting to note that the truncated phone number within the phishing page was customized specifically for the target, and it corresponds to the public records. Check Point suspects that once the victim enters his account ID, the phishing backend server would send a password recovery request to Yahoo, and the 2FA code would allow the attackers to gain access to the victim’s inbox.”
Check Point believes the activity in this campaign aligns with an Iranian entity, possibly the Phosphorus APT group. A commented-out section of the source code in one of the phishing pages mentioned above (litby[.]us/Shagrir/verification.html) suggests that the same HTML page was previously used by the actors in a different attack.
“The highlighted domain de-ma[.]online, was used by an Iranian APT group named Phosphorus for credential harvesting purposes, according to a Microsoft report from 2020. The group has a long history of conducting high-profile cyber operations, aligned with the interest of the Iranian regime, as well as targeting Israeli officials” (Check Point, 2022).
Phosphorus has used spear-phishing techniques against Israel in the past, and Check Point expects Phosphorus to continue these efforts.
Read on for tips to mitigate your risks associated with this type of attack:
- Do not open emails or download software from untrusted sources
- Do not click on links or attachments in emails that come from unknown senders
- Do not supply passwords, personal, or financial information via email to anyone (sensitive information is also used for double extortion)
- Always verify the email sender's email address, name, and domain
- Backup important files frequently and store them separately from the main system
- Protect devices using antivirus, anti-spam and anti-spyware software
- Report phishing emails to the appropriate security or IT staff immediately