Iranian Hackers Recently Switched to WhatsApp and LinkedIn to Conduct Phishing Attacks


Recently, the Iran-linked hacking group known as Charming Kitten turned to WhatsApp and LinkedIn to carry out phishing attacks, security researchers Clearsky reveal.

The opponent has also been identified as Ajax Security Team, APT35, ITG18, NewsBeef, Newscaster, and Phosphorus since at least 2011, and has previously been seen targeting a U.S. presidential candidate, media organizations, government officials, and influential Iranian expatriates using a modified spear phishing technique.

In July, just a few months after Google disclosed that the Iranian hackers were targeting the WHO, the threat actor accidentally leaked 40Gb of data. The hackers were discovered in early 2020 posing as journalists in a phishing campaign that targeted at least five individuals worldwide.

Security firm Clearsky now reports that the opponent continues phishing attacks in which journalists are impersonated, this time from ‘DeutscheWelle’ and the ‘Jewish Journal,’ using both email and WhatsApp to approach the target and trick them into clicking on a malicious link. Fake LinkedIn profiles have been used to win the trust of victims.

The most recent campaign targeted Israeli scholars (through their institutional email account), and employees of the US government. The hackers used a custom URL, customized to the victim’s email address, fooled them into accessing the malicious link, and also attempted to give the victim a malicious ZIP file.

“Clearsky warned ‘Deutsche Welle’ on their website about the impersonation and the watering hole. A representative from ‘Deutsche Welle’ has confirmed that the reporter Charming Kitten has impersonated in the past few weeks has not sent emails to the victim or any other academic researcher in Israel, “says the security firm.

The attackers used a well-developed LinkedIn account as part of the campaign to support their email spear-phishing attacks, and showed willingness to speak to the victim over WhatsApp over the phone using a legitimate German phone number.

The hackers approached Israeli researchers from the Universities of Haifa and Tel Aviv, asking them to participate in a webinar on Iran and other issues, naming the victim as the webinar ‘s main speaker. The attackers sent repeated, multiple messages, until the victim replied.

The Cute Kitten attackers have repeatedly messaged the victim for ten days, saying they were interested in making a direct phone call, and tried to lure the victim into “activating their account” on the “Akademie DW” site (their phishing page).

“If the victim is not willing to share his personal phone number, he will be sent a message from the fake LinkedIn account by the attacker. This message will contain a guarantee Google will protect the webinar as they sent it to the victim on the tenth day, “says Clearsky.

In another attack, the hackers built a fake LinkedIn account for ‘Helen Cooper,’ a senior Hudson Institute researcher, and sent emails containing either a malicious connection or a malicious attachment. For this threat actor the sending of malicious files via email is uncommon.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.