Iranian Attackers Spoof Security Site for Phishing

July 7, 2018

 

An Iranian APT group has been spotted building a phishing site that uses, as its lure, the cybersecurity company which exposed it.

Charming Kitten has been active since 2014, and its activities were laid bare in a December report by Israeli security vendor Clearsky Security.

The company claimed to have found more than 85 IP addresses, 240 malicious domains, hundreds of hosts, a number of bogus entities and possibly thousands of victims connected to the group.

In a series of tweets this week, the company said it had discovered that the same group is building a phishing site intended to capitalize on interest in the vendor’s findings.

“The bogus website is clearskysecurity\.net (the actual website is http://clearskysec.com). They made copies of pages from our public website and made changes to one of them in order to include a ‘sign in’ option with a lot of facilities,” it said.

“These symbols in choices are all phishing pages that would transmit the sufferer’s identifications to the attackers. Our actual website does not have any symbol for selection. It appears that the copying website is still being constructed since some of the pages have error messages in them.”

One of the bogus pages even showed content from an earlier exposed Charming Kitten campaign, according to the company.
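The impersonation above works because the fake domain embeds the vendor's brand name under a different registrable domain. As an added example (not code from Clearsky or from the original article), the following sketch classifies hostnames seen in proxy or DNS logs against the one legitimate domain quoted above; the brand keyword, the distance threshold and every sample hostname other than the two from the tweet are assumptions made for the demonstration.

```python
import re

OFFICIAL = {"clearskysec.com"}   # real site named in the quoted tweet
BRAND_TOKENS = ("clearsky",)     # assumption: keyword chosen for this example

def refang(value):
    """Undo common defanging (\\. and [.]) and drop scheme, path and port."""
    h = value.strip().lower().replace("\\.", ".").replace("[.]", ".")
    h = re.sub(r"^[a-z]+://", "", h)
    return h.split("/")[0].split(":")[0].rstrip(".")

def registrable(host):
    """Naive eTLD+1 (last two labels); production code should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(observed):
    """Return 'official', 'unrelated' or a 'lookalike:<reason>' verdict."""
    host = refang(observed)
    domain = registrable(host)
    if domain in OFFICIAL:
        return "official"
    label = domain.split(".")[0].replace("-", "")
    official_labels = {d.split(".")[0] for d in OFFICIAL}
    if label in official_labels:
        return "lookalike:tld-swap"
    # Search the whole host so the brand used as a subdomain is caught too.
    if any(tok in host.replace("-", "") for tok in BRAND_TOKENS):
        return "lookalike:brand-keyword"
    if any(edit_distance(label, o) <= 2 for o in official_labels):
        return "lookalike:typo"
    return "unrelated"

# Constructed sample: hostnames as they might appear in proxy or DNS logs.
# Only the first two come from the article; the rest are made up for the demo.
SAMPLES = ["clearskysecurity\\.net", "http://clearskysec.com", "clearskysec.example",
           "cleerskysec.example", "clearskysec.com.login.example", "example.org"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify(s):26} {s}")
```

A verdict other than "official" or "unrelated" is a lead for review, not proof of phishing; the cloned sign-in pages described in the tweet would still need to be confirmed by inspecting the site.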

The group is just one of a growing list of Iranian APT groups most likely backed by the government. These include APT34, detected most recently by FireEye back in December targeting governments in the Middle East.

Also noteworthy is the CopyKittens group, detected by Clearsky and Trend Micro. Dating back to 2013, it has focused on stealing data from Western and Middle Eastern government, defense and academic organizations using custom and commercial tools.