It is early in the morning, too early to get out of bed. She has a fever and has been shivering all night. The phone rings; she drags herself out of bed to answer it.
The caller speaks Persian. He mentions two of her friends, also journalists. He does not introduce himself, but says, “We are talking to them now and we’d like you to join our conversation on Google Talk. We sent a code to your phone. Please read it out so I can connect with you.”
This is how the accounts of journalist Fereshteh Ghazi were hacked. Her Gmail, Facebook and Skype accounts were all compromised.
Ghazi was so ill and tired that she could not think straight. She did what she was told to do: looked at her mobile phone and read out a series of numbers to the man on the other end of the line — the numbers were her secondary security passwords for her Gmail account.
It took her a few seconds to forget about sleep and fever and focus. She suddenly realized that the two journalist friends were not connected to each other; she knew them separately. There was no logical reason why the pair of them would ask her to join them in a chat online.
Ghazi is not the first to be targeted in this way. Days after Ghazi’s accounts were hacked, well-known journalist and policy expert Karim Sadjadpour was also targeted. He received a phone call from someone in the United Kingdom pretending to be a London-based journalist he knew. The caller asked him to chat with him on Skype and shortly thereafter he received a series of messages saying he needed to reset his Gmail and Facebook accounts. The messages also provided fake links for resetting the passwords.
In November, a number of other Iranian journalists were tricked in the same way that Ghazi was. In some cases, the targeted journalists received a phone call and tried to call back, only to discover the phone number was fake.
In Ghazi’s case, the person who called was using a phone number registered in the UK. She dialed the number and was able to speak to the man who called her and told her to read out her verification code. “I kept telling him that he had contacted me and he kept denying it,” she told IranWire. “Now that my Gmail and Facebook accounts are blocked, he calls me repeatedly using the same number and bothers me. Of course, I am trying to track down who he is.”
“This technique is called ‘social engineering’,” digital security analyst Amin Sabeti told IranWire. “By concentrating on the online behavior of the target or tricking him, the hackers obtain the necessary information. In recent months hackers have used this method to hack the accounts of at least three Iranian journalists living abroad.” Sabeti says that the hackers were most likely connected to the Iranian authorities — probably the Revolutionary Guards. In all of the cases, the hackers were unable to bypass the two-step verification process so they tried to get more information by telephoning, pretending to invite the journalist to a group chat with colleagues.
According to Sabeti, the Iranian authorities have stepped up cyber attacks in the last couple of years. “It really got bad in 2009,” he says, referring to the protests that followed the disputed presidential election. Authorities have become adept at “phishing” — collecting personal information by setting up websites that look like the home or login page of a trusted company or organization, such as a Google forum or a Facebook group. Unsuspecting web users link to these sites and attempt to log in to them, thereby compromising their personal data. Authorities create fake sites pretending to host material that might be of interest to their targets, such as human rights reports or forums on current affairs topics.
“These recent attacks are the work of a professional team,” Sabeti says. “A lot of time and money have been invested in this. It’s not just a random hacker; we’ve seen these kinds of sophisticated attacks many times so we know it’s very organized.”
“Under no circumstances should you give any of your codes to anyone on the phone,” Sabeti says. “This information must remain strictly confidential.”
Ghazi has spoken publicly about her time in prison, and specifically about how her interrogator threatened her with rape. Sadjadpour is a prominent Iran expert who has conducted interviews with a range of dissidents and activists, as well as paramilitaries, businessmen and clerics. He also spoke to the US government’s Foreign Affairs Committee about sanctions against Iran.
“Had they not contacted me early in the morning before I woke up, and had I not been sick, I would not have given them the code, unless I could have been absolutely sure about who they were,” Ghazi said regarding the attack against her. “It seems that they intentionally chose the time so that they would have a better chance of deceiving me. Add to that the fact that Iranians are so used to hearing about colleagues being arrested or intimidated. So we don’t necessarily question an unexpected request to chat. They took advantage of this.”
“Unfortunately, none of my friends who have had their accounts hacked in the same way told others about what had happened,” Ghazi said. “If we talk about it and everybody knows, maybe it will save others being tricked.”
Staying Safe Online
Sabeti says it is vital for everyone, and particularly journalists and those working with them, to pay attention to security issues. He recommends two important ways to increase online security. “First of all, it is essential to have a different, distinct password for each account. If you can’t do this for some reason, at least do not use the passwords for your email and Facebook for other accounts. Also, your password should not be personal information such as your mobile number or something that can be easily determined, such as your place of birth.”
“Secondly, activate the two-stage login,” Sabeti says. “This means that, once activated, you are required to enter a code after entering the password. The code is sent to your mobile. Many well-known and popular services including Google, Facebook, Dropbox and Yahoo Mail allow you to choose a two-stage login.”
Fereshteh Ghazi had activated the recommended two-stage login. Since the hackers did not have access to her second passcode, they had resorted to calling her and trying to trick her that way.
Amin Sabeti also suggests downloading an app to receive the second passcode for the two-stage login process. “Since SMS can be monitored or hacked, it is better to use the Google Authenticator app,” he told IranWire. “If you are using a smartphone based on iOS, Android or BlackBerry, you can easily download and install this app. The advantage is that it removes the danger of someone accessing SMS messages containing two-stage login codes. Also, you don’t have to use the communication network since the code is executed offline. Anybody with a smartphone should install and use this app and avoid receiving the code via SMS.”
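An added illustration, not part of the original article and not Google's code: authenticator apps of this kind compute each code locally from a stored secret and the clock (the TOTP scheme in RFC 6238), and the service accepts a current code from whoever submits it, which is why a code read out over the phone works for the listener. The secret is the public RFC test key, and the function names and the one-step clock-drift allowance are assumptions made for the example.

```python
import hashlib
import hmac
import struct

# Constructed demo secret (the public RFC test key), not a real account secret.
DEMO_SECRET = b"12345678901234567890"
STEP = 30  # seconds each code stays current


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 code for the given time, computed with no network access."""
    counter = struct.pack(">Q", max(0, unix_time) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts(secret: bytes, submitted: str, now: int, drift: int = 1) -> bool:
    """Server-side check: any caller presenting a current code passes.

    `drift` tolerates clock skew by also accepting the adjacent time steps.
    """
    return any(
        hmac.compare_digest(totp(secret, now + k * STEP), submitted)
        for k in range(-drift, drift + 1)
    )


def demo() -> dict:
    t_read_out = 59  # moment the owner reads the code aloud
    code = totp(DEMO_SECRET, t_read_out)
    return {
        "code": code,
        # Twenty seconds later, someone else types the same digits.
        "accepted_from_third_party": server_accepts(DEMO_SECRET, code, t_read_out + 20),
        # Two minutes later the same digits are no longer current.
        "accepted_after_expiry": server_accepts(DEMO_SECRET, code, t_read_out + 120),
    }


if __name__ == "__main__":
    print(demo())
```

The app removes the SMS channel from the picture, but the digits on the screen remain as sensitive as the text message was for as long as they are current.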
Immediately after her phone call ended, Fereshteh Ghazi tried to log in to her email but it had been taken over by the hackers. They had changed the password. She tried to log in to Facebook, which was linked to her Gmail address, to change her password and to link her account to another email address. She was able to log in to Facebook, but it had also been hacked before she was able to change the password. Her Skype account was hacked in the same way. She contacted Gmail and Facebook. They closed the accounts. As a result, these accounts were only under the control of the hackers for a few minutes.
Skype is different. In addition to contacting Skype, Ghazi had to make sure any credit or debit card she used in connection with the service was canceled. “Since I used my credit cards to purchase services from Skype, I had to cancel them all,” she said.
It will take a few days for Fereshteh Ghazi’s Gmail and Facebook accounts to be reinstated. When they are, she will post the details of what happened to her on Facebook. “If others had told me about their experience I would have not been deceived,” she said. “I will be public about what happened so that others won’t fall into the same trap.”