As he drank coffee in a London restaurant earlier this month, Nariman Gharib received what looked like an innocuous email from what seemed to be a familiar source.
“Hi, I'm going to launch something,” the email, which was written in Farsi, read. “I need your advice on it, do you have a minute to read some pages?”
Given that Gharib is an Iranian activist living in the UK, he is often a target of hacking attempts. But this email didn’t immediately make him suspicious. He replied saying he’d read the proposal tomorrow, but the sender insisted he read it right away, adding it was just a few pages.
“OK, send me,” Gharib replied.
Then, he got another email with what appeared to be a Google Drive link.
Screenshot of the fake Google Drive link sent to Nariman Gharib. Image: Nariman Gharib
That made him suspicious. Gharib told me he got wary because the link didn’t look like a legitimate Google Drive link. As it turned out, Gharib was just another objective of a campaign targeting Iranian activists and journalists in the diaspora that’s been going on for months, perhaps even years.
The campaign uses sophisticated techniques to get around the extra protection provided by Gmail’s two-factor authentication, which requires a password and a token to log in, as detailed in a new report published on Thursday by Citizen Lab, a research group at the University of Toronto's Munk School of Global Affairs. While the report doesn’t conclusively point fingers, victims and experts alike think the campaign was likely led by hackers with direct links to the Iranian government or the Iranian Revolutionary Guard Corps (IRGC).
The report identifies only one target, but Gharib agreed to come forward when I asked him if he had received similar attacks.
“They are trying their best to hack me and my friends.”
“They are trying their best to hack me and my friends,” he said in an online chat, adding that he wasn’t scared because he, as well as his friends, are aware of the hackers' techniques.
Researchers at Citizen Lab and elsewhere, who worked closely with the anonymous Iranian victims, detail three types of attacks aimed at Iranian activists, as well as one against Jillian York, the Director for International Freedom of Expression at the Electronic Frontier Foundation.
All these attacks are devised to try to circumvent Gmail’s two-factor authentication, a security mechanism that requires a password and a security code, normally sent via SMS to the user, to log in. Two-factor, or two-step, makes password theft and simple phishing attempts harder to pull off, since a malicious hacker can’t just use a stolen password to log into a victim’s account.
In York’s case, the hackers called at around 9:30 in the morning on August 21, while she was visiting friends in Sarajevo, she told me. The caller was using a UK number, but had what sounded like a “German accent,” according to York, and said he was a Reuters journalist interested in interviewing her about one of her upcoming talks at a conference in Berlin. This didn’t sound suspicious, since York is based in Berlin and is scheduled to speak at several conferences there.
Since she “was sleepy,” she told him to email the questions. But a few minutes later, he called back, asking if she had checked her email.
“That's when I started to get suspicious—no journalist is THAT demanding,” she said.
York then looked at the email, and saw that it contained what looked like a link to a Google document.
Screenshot of the email sent by the hackers to Jillian York. Image: Citizen Lab
It was not a legitimate Google Drive link. Still, York gave him the benefit of the doubt and when the alleged journalist called back, she asked him to re-send his questions inside the body of the email, since she doesn’t open attachments from strangers.
The “journalist” then sent the same email, but this time using a Gmail account. The first email was made to look like it was from a Reuters account. There were still no questions in the body, and, once again, it included the phishing link.
“And that's when I knew something weird was going on,” York said, adding that she started “trolling him” by saying she wasn’t going to be able to open the attachment because that’s bad security practice.
”That's when I knew something weird was going on.”
At that point, the alleged journalist “got angry” and frustrated, even demanding, “This is from my personal address! Just open it!”
“It was sort of pathetic at that point,” York said, and she stopped answering the phone.
The caller, whoever he was, didn’t give up easily, and called her a total of 35 times that day. In the meantime, York noticed that somebody was trying to reset her password on Facebook too.
Her case is just one of many, according to John Scott-Railton, one of the researchers who worked on the Citizen Lab report, and that’s without considering the countless cases that go unreported or completely unnoticed.
The goal of all these attacks was to get the targets to a phishing page that looks a lot like a Google login page, but is actually under the control of the hackers, who monitor it in real-time. Some of the techniques used, the researcher noted, are borrowed from known attacks used with financial motivations.
A screenshot of a fake Google Drive login page set up by the hackers. (Image: Citizen Lab)
In this scenario, if the target falls for it, he or she would then enter his or her password. Without two-factor security, that’s all the hackers would need. But with two-factor enabled, the hackers would also need the unique code that’s sent to the Gmail user’s cell-phone. The hackers knew this, and created an additional phishing page, which asked the target to enter the code.
At that point, with the password already in their control, the hackers can try to log into the victim’s account, prompting Google to send the target a code. The target would then enter the code in the fake page created by the hackers, giving them all they need to log into the target’s account.
“Two-factor authentication won’t eliminate phishing, but this case shows how it increases the time and effort attackers must spend,” Scott-Railton and fellow researcher Katie Kleemola wrote in the report. “This approach required a more involved deception than a simple one-off phish.”
The goal of all these attacks was to get the targets to a phishing page that looks a lot like a Google login page, but is actually under the control of the hackers.
Some clues revealed in these attacks, such as the infrastructure behind them, link the hackers in this campaign to other previously-reported cyberespionage operations attributed to the Iranian government, according to the report.
Moreover, some of these attacks resemble other attacks that Gharib, as well as other cybersecurity experts and Iranian activists, shared with me last year.
When #Iran's cyber Army is trying to hack my friends Gmail's accounts by sending them #Phishing email. #Security pic.twitter.com/0soRoLmCBc
— Nariman Gharib (@ListenToUs) September 22, 2014
At the time, Amir Rashidi, a researcher on internet freedom in Iran, told me that several journalists and producers at BBC Persian had been targeted by various phishing attacks. (This was also confirmed to me by Nima Akbarpour, a producer and reporter who focuses on technology for BBC Persian.)
Ebrahim Nabavi, a famous Iranian writer, was also targeted, specifically with an email that contained a fake link to a Google document, Rashidi said. Nabavi shared some details of his attack in a post on Facebook.
Adam Meyers, a researcher at Crowdstrike, a security firm that has investigated Iranian hackers in the past, told me last year that all these attacks trace back to the same hackers, who have links to the Iranian government. Given that these attacks don’t involve the use of unknown “zero-day” computer vulnerabilities, nor spyware, they might not be considered technically sophisticated. But, nonetheless, they are “effective,” Meyers said.
"We need to be vigilant."
That’s why Iranian activists, as well as journalists in the diaspora should be careful, according to York.
“This attack wasn't very sophisticated. I don't think any of us fell for it,” York said. “But what makes it interesting to me is how persistent the attackers are, which means they're likely to eventually snare someone, putting our entire networks at risk. We need to be vigilant.”
In the meantime, everyone should turn on two-factor authentication, because “attackers have to spend much more effort to get attacks to work,” Scott-Railton told me. “It makes the deception involved in phishing much harder.”