Iranian expatriates and activists are being targeted by an “elaborate phishing campaign” that enables hackers to take control of their Google accounts, research from Citizen Lab says.
Iranian government-backed hackers are believed to be responsible, with researchers connecting this attack campaign with a similar one that coincided with Iran's 2013 presidential election.
A report released August 27 by the University of Toronto research group describes how the hackers used text message and phone-based phishing to try to get around the security of Google's Gmail and access the accounts of their targets.
Omid Memarian, an exiled Iranian journalist living in New York, says the hackers contacted him in June through Google Chat messages, phone calls and emails, telling him he needed to change his Gmail password. He realized it was a phishing attempt and didn't hand over his information, but the hackers' repeated attempts made him fear that his account had been compromised.
Memarian, who speaks out frequently through mainstream and social media about jailed reporters in Iran and other human-rights issues, says that while he's received generic phishing emails before, it was "terrifying" to know that he had been personally targeted by the hackers.
"There's no doubt that this comes from Iran's Revolutionary Guard, which has been very vicious against the free press and free speech," Memarian says.
Jillian York, director of international freedom of expression at the Electronic Frontier Foundation, was the only non-Iranian noted in the report to be caught up in the scheme. York, who is based in Germany, has written on the danger of blogging in Iran and on a range of related issues.
For her, the phishing attempt started with an early morning phone call earlier this month from a man who identified himself as a journalist wanting to interview her.
The man, who York says sounded German, sent her an email that included an attachment. After she declined to open it, he sent it again from a different address, so she knew something was up. When she still wouldn't open it, he started calling her again, ultimately a total of 34 calls.
York contacted Citizen Lab, which was already working on its report. It tied the attack on York to the Iranian phishing scam.
The hack is a rare example of intruders taking control of accounts that rely on two-factor authentication, which has been one of the most reliable ways for Internet users to protect their accounts online. It’s not clear how many hacks were successful; the report is based on failed attempts.
The attack bears some of the same hallmarks as those employed by Iranian hackers in 2013. Google’s Security blog reported June 12, 2013 -- just days before the election of Iran's President Hassan Rohani -- that security software suddenly detected tens of thousands of attacks on Iranian users.