The morning of August 20, 2015 was a particularly busy time for Behrouz, an Iranian human rights activist living in New York City. That day Behrouz (a pseudonym, used for his safety) was being pulled in every direction, leaving him slightly less focused than usual. It was in the midst of this that he received a phone call, one that seemed far from suspicious at the outset.
As an activist, Behrouz is used to receiving interview requests from the media. So when he received a call from a person claiming to be a journalist from Manoto [an Iranian entertainment channel], a broadcaster he has interacted with on social media numerous times in the past, he was in no way surprised.
“I was told you’d be a good person to interview,” a man with a deep voice said in Farsi. “If it’s OK with you, I’ll email my questions through to you.”
Then, without asking for an email address, he hung up, and an email immediately landed in Behrouz’s personal Gmail account. The so-called journalist had called from a London-based number [where Manoto is based] and used a Manoto email address, giving Behrouz no reason to suspect wrongdoing. However, things began to change when he opened the email.
“It looked like a regular Google Doc at first, but when I clicked on it, it took me to a password-protected document. So I rang back the supposed journalist and told him he needed to give me the password,” Behrouz recalls. “But he just said, ‘No, it’s asking for your password.’ That’s the first thing that struck me as odd.”
Behrouz explains that although the website looked like a normal Google Drive page and had his name and email address on it, he was uncomfortable with the fact that it was asking for his password. His discomfort only grew when he was taken to another page that asked for his two-factor authentication code.
Two-factor authentication (2FA) is a protection used by many services, including Gmail, to defend accounts against password theft and phishing, the practice of tricking people into handing over sensitive information such as usernames, passwords or credit card details. The most commonly used form of 2FA sends the user a text message containing a one-time code after the password has been entered, so that a stolen password alone is no longer enough to log in.
“It was at this point that I contacted colleagues who are specialists on cyber security in Iran, and they told me this fitted a pattern,” Behrouz says. “According to them, I was one of many Iranian human rights activists to face this kind of intimidation.”
And, indeed, his co-workers were right. Over the last couple of months, numerous activists living outside of Iran, primarily in the United States, have been the victims of phishing. Just last week, Citizen Lab, an interdisciplinary lab that does research on information, human rights and global security, published a report on the phishing campaign against Iranian activists in the diaspora, including one Western activist.
According to the report, the ongoing “real time” attacks attempt to phish both the password and the 2FA one-time code by showing the victim fraudulent pages that simulate Gmail’s two-step login process. The attacker collects the victim’s input while simultaneously logging in to the real Gmail page with it. That login attempt prompts Google to send a genuine 2FA code to the victim, who types it into the fraudulent page, and the attacker uses it to complete the real login before the code expires.
Although the report does not give an exact number of victims, it suggests the number of attacks is quite high. Amir Rashidi, a researcher and activist on Internet censorship and human rights in Iran, said he was personally notified of at least six or seven people who were hacked during the month of August alone, adding that “if you combine that with the report, there are at least 12 people in that period.”
“The method was the same every time,” says Amir. “Victims were sent a Google Doc and when people clicked on it, they were faced with a type of phishing attack. This is not your standard, financial hacking. It’s a person-specific attack directed at human rights activists.”
Many, although not all, of the attacks spoofed the domains of legitimate sites like Manoto; in other cases the attackers used lookalike domains such as “qooqle.com” to trick victims. Every attack revealed some detailed research into the target’s activities.
“It’s not a coincidence that they chose Manoto,” says Behrouz. “I frequently tweet Manoto journalists, post Manoto stuff on Facebook and Twitter. They’d clearly done their research.”
Jillian York of the Electronic Frontier Foundation was the only Western activist to be targeted, and her case also showed that the attacker had researched her. She too was called from a UK number in late August by someone masquerading as a journalist, this time from Reuters, who sent her a Google Doc sharing email that was really a link to a phishing site.
However, York, like Behrouz, realized that something was not quite right and refused to open the document. Eventually the caller became aggressive and frustrated. “It was sort of pathetic at this point,” York told Motherboard in an interview, so she stopped answering the phone. Altogether he rang her over 30 times that day.
“Although their attempts to hack me were unsuccessful, it did provoke a level of paranoia and discomfort,” Behrouz told me. “Email is deeply personal and if they’d managed, there’s a lot of private stuff in there that I wouldn’t want an Iranian hacker to see. I’m far more guarded and alert now when someone I don’t know contacts me.”
For the time being, it is unclear exactly who the hackers are, beyond the fact that they are Iranian. Amin Sabeti of Small Media, an organization that encourages freedom of information in Iran through different initiatives, says that Iranian hackers have used a similar phishing method in the past and that this is an ongoing pattern.
“In general, Iranian hackers use two methods: phishing and social engineering. In the social engineering phase, they try to gather as much information as they can and then they use this to define the victim’s trap,” Amin explains. “Then when they find what the victim is interested in, they use that to arouse that person’s interest. Then they send a phishing email or an attachment with malware.”
He adds, “Although this is more sophisticated than previous types of attack, there are simple safeguards a person can take to protect themselves.”
Internet censorship researcher Amir is of the same view. According to him, a few simple precautions are enough to stop an attack like this from succeeding. First, he advises people not to open emails or attachments from unknown senders. Second, people need to check that the URL and the sender’s email address are authentic. Third, they must enable 2FA. Lastly, they need to install antivirus software and a firewall.
“If you do these things, you shouldn’t have any problems,” he says. “It’s important to remember that this isn’t highly sophisticated. If you take the necessary steps, nothing about this needs to be scary.”
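The second of Amir’s precautions, checking that a link or sender address is genuine, can be partly automated. What follows is an added example written for readers of this article, not code from the article, from Citizen Lab or from any of the people quoted: it takes a URL or an email address, extracts the host, reduces it to its registrable domain and compares that with a small allowlist, flagging confusable-character lookalikes such as “qooqle.com”, one-character typosquats, and trusted names buried as subdomains of an unrelated domain. The allowlist, the confusable table and every sample input are constructed; `manoto.example` is a placeholder for the broadcaster’s real domain, which the article does not give.

```python
"""Lookalike-domain check for links and sender addresses.

Added example, not code from the article or from Citizen Lab: extract the
host from a URL or the domain from an e-mail address, reduce it to its
registrable domain and compare it with an allowlist of trusted domains,
flagging hosts that merely resemble a trusted one ("qooqle.com" for
"google.com").  The allowlist, the confusable table and the sample inputs
are constructed for illustration; "manoto.example" is a placeholder, not
the broadcaster's real domain.
"""
from urllib.parse import urlsplit

# Constructed allowlist: the domains this check treats as genuine.
TRUSTED_DOMAINS = {"google.com", "manoto.example"}

# Characters and digraphs that look alike in many fonts (illustrative subset).
MULTI_CONFUSABLES = [("rn", "m"), ("vv", "w")]
SINGLE_CONFUSABLES = {"q": "g", "0": "o", "1": "l", "3": "e", "5": "s", "8": "b"}


def extract_host(target: str) -> str:
    """Return the lower-cased host of a URL, or the domain part of an e-mail address."""
    target = target.strip()
    if "@" in target and "://" not in target:          # plain e-mail address
        return target.rsplit("@", 1)[1].lower().rstrip(".")
    if "://" not in target:                             # bare host or host/path
        target = "http://" + target
    # urlsplit().hostname discards scheme, port, path and any user@ prefix,
    # so "https://google.com@evil.example/" yields "evil.example".
    return (urlsplit(target).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host.  Production code should consult the
    public-suffix list so that names like "example.co.uk" are handled."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def normalize_confusables(domain: str) -> str:
    """Map confusable characters onto the letters they imitate."""
    for digraph, letter in MULTI_CONFUSABLES:
        domain = domain.replace(digraph, letter)
    return "".join(SINGLE_CONFUSABLES.get(ch, ch) for ch in domain)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(target: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is trusted, lookalike, unknown or invalid."""
    host = extract_host(target)
    if not host or "." not in host:
        return "invalid", f"no usable host in {target!r}"
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted", f"{host} is under {domain}"
    for trusted in TRUSTED_DOMAINS:
        # A trusted name used as a subdomain of something else, e.g.
        # accounts.google.com.login-verify.example
        if f".{trusted}." in f".{host}.":
            return "lookalike", f"{trusted} used as a subdomain of {domain}"
        if normalize_confusables(domain) == trusted:
            return "lookalike", f"{domain} imitates {trusted} with confusable characters"
        if edit_distance(domain, trusted) <= 1:
            return "lookalike", f"{domain} is one edit away from {trusted}"
    return "unknown", f"{domain} is not on the allowlist"


# Constructed sample inputs, as they might be copied out of a suspicious e-mail.
SAMPLES = [
    "https://docs.google.com/document/d/PLACEHOLDER-DOC-ID/edit",
    "https://qooqle.com/accounts/signin",
    "https://accounts.google.com.login-verify.example/drive",
    "https://gooogle.com/drive",
    "reporter@manoto.example",
    "reporter@rnanoto.example",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, reason = classify(sample)
        print(f"{verdict:9} {sample}  ({reason})")
```

A sender domain that passes this check is necessary but not sufficient: the caller in Behrouz’s case used a Manoto address, and a name comparison cannot tell a forged From header from a genuine one (that is what SPF, DKIM and DMARC verification in the receiving mail system is for). The check also only helps if the person actually looks at the address before typing a password, which is the habit Amir’s advice is trying to build.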