ClearSky’s security researchers have revealed that the Iranian state-sponsored threat actor known as Charming Kitten used new spear-phishing tactics in a campaign observed in August and September.

The attacks are related to a campaign Microsoft recently uncovered that targeted a U.S. presidential candidate, government officials, media targets, and prominent expatriate Iranians. Of the 241 accounts targeted, four were compromised.

“Until these days, Iran was not known as a country that tends to interfere in elections around the world. From a historical perspective, this type of cyber activity had been attributed mainly to the Russian APT groups,” ClearSky notes in its report (PDF).

Despite this lack of historical election targeting, the researchers say the attacks Microsoft disclosed are part of the same campaign they have observed over the past several months.

Active since 2011, Charming Kitten has targeted activists and journalists focusing on the Middle East, U.S. organizations, and entities located in Israel, the United Kingdom, Saudi Arabia and Iraq.

ClearSky says that, as part of the newly observed campaign, the group used three different spear-phishing techniques: password recovery impersonation, spear-phishing emails, and spear-phishing via SMS messages.

The first impersonation vector was a message containing a link that pretended to come from Google Drive or from a colleague’s email address. Social engineering is used to trick the victim into revealing their login credentials.

ClearSky explains that another social engineering method is to identify the Google Site from which the victim was redirected and to match the phishing page to the victim’s email.

Another vector used SMS messages containing a link and claiming to inform the recipient of an attempt to compromise their email account. As in the previous attack, the link leads to a URL shortening service that redirects to a malicious website attempting to phish the victim’s credentials.

A third attack vector used a fake unauthorized login attempt alert, in which the intended victim is told that a North Korean attacker tried to compromise their Yahoo email address and is asked to secure their account.

The fourth attack vector recently used by Charming Kitten was social network impersonation. To steal login credentials, the attackers set up fake sites for Instagram, Facebook, Twitter, Google, and the National Iranian-American Council.
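The lures described above share three observable traits a mail or SMS gateway can triage on: a link through a URL shortener, "secure your account" or "login attempt" alert wording, and a brand name in the sender display that does not match the sending domain. The following Python is an added example from this editor, not part of ClearSky’s or Microsoft’s reporting; the sample messages, shortener list and brand-to-domain map are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages modelled on the described lures (shared-document
# link from "Google Drive", fake Yahoo login alert, and one benign message).
SAMPLE_MESSAGES = [
    {"sender": "Google Drive <drive-share@example-mail.test>",
     "body": "A colleague shared a document with you. Open: https://bit.ly/3xAbCdE"},
    {"sender": "Yahoo Security <alerts@yahoo-secure.test>",
     "body": "Unauthorized login attempt from North Korea was blocked. "
             "Secure your account now: http://tinyurl.com/y7zAbC"},
    {"sender": "Ali <ali@example.test>",
     "body": "Lunch tomorrow? Agenda is at https://docs.google.com/document/d/1abc"},
]

# Constructed lists; a real deployment would load these from threat intel.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co"}
IMPERSONATED_BRANDS = {"google": ("google.com",), "yahoo": ("yahoo.com", "yahooinc.com")}
ALERT_PHRASES = ("login attempt", "secure your account", "compromise",
                 "recover your password", "password recovery")

URL_RE = re.compile(r"https?://[^\s<>\"]+")
SENDER_RE = re.compile(r"<([^>]+)>")

def triage(msg):
    """Return the list of indicator names found in one {sender, body} message."""
    findings = []
    body = msg["body"].lower()
    hosts = [(urlparse(u).hostname or "").lower() for u in URL_RE.findall(msg["body"])]
    if any(h in URL_SHORTENERS for h in hosts):
        findings.append("shortened_link")
    if any(p in body for p in ALERT_PHRASES):
        findings.append("account_alert_lure")
    # Display name claims a brand, but the address domain is not that brand's.
    m = SENDER_RE.search(msg["sender"])
    addr_domain = m.group(1).rsplit("@", 1)[-1].lower() if m else ""
    display = msg["sender"].split("<")[0].lower()
    for brand, domains in IMPERSONATED_BRANDS.items():
        if brand in display and not any(addr_domain == d or addr_domain.endswith("." + d)
                                        for d in domains):
            findings.append("brand_impersonation")
            break
    return findings

def score_messages(messages=SAMPLE_MESSAGES):
    """Pair each sender with its indicators; two or more indicators warrant review."""
    return [(m["sender"], triage(m)) for m in messages]

if __name__ == "__main__":
    for sender, found in score_messages():
        print(f"{'SUSPECT' if len(found) >= 2 else 'ok':7} {sender}: {found}")
```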
