Fake news on behalf of the Iranian government
Check Point Research has uncovered a major social engineering campaign in Iran. Criminals are sending text messages that purport to come from the Iranian government to trick citizens into downloading malicious Android applications. These apps impersonate official government services, such as the Electronic Iranian Legal Service, and ask users for personal information, including credit card details and the one-time code sent via SMS for multi-factor authentication.
The applications also take control of the smartphone, directed by a command-and-control server, and steal SMS messages. The attackers then make money transfers to themselves and turn the phone into a bot: like a classic worm, it sends further SMS messages to other phones, so the malware spreads quickly. The security researchers at Check Point estimate thousands of infected devices and a stolen sum of 1000 US dollars to 2000 US dollars (882 euros to 1764 euros) per device. This adds up to several billion Iranian riyals (1 euro is 1.13 riyals). According to the researchers, the stolen user data is also freely available on the Internet.
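The worm-like spreading described above leaves a recognisable trace in messaging logs: one device suddenly sends the same link-bearing text to many distinct numbers within minutes. The following detection heuristic is an added example, not Check Point's code or anything from the report; the log format, phone numbers, URLs and thresholds are all constructed for illustration, and a real deployment would read carrier or mobile-device-management SMS logs instead.

```python
"""Flag phones that behave like an SMS worm: many link-carrying messages with
the same template sent to many distinct recipients inside a short window.

Added example (not Check Point's code). Log format and records are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches http(s) links; good enough to spot a download link in an SMS body.
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed sample log: "<ISO timestamp> <sender> <recipient> <body>".
# +98912000001 behaves like an infected bot, the others are benign.
SAMPLE_LOG = [
    "2021-12-01T10:00:05 +98912000001 +98912000101 Court notice waiting: http://legal-notice.invalid/app",
    "2021-12-01T10:00:30 +98912000001 +98912000102 Court notice waiting: http://legal-notice.invalid/app",
    "2021-12-01T10:01:00 +98912000001 +98912000103 Court notice waiting: http://legal-notice.invalid/app",
    "2021-12-01T10:01:40 +98912000001 +98912000104 Court notice waiting: http://legal-notice.invalid/app",
    "2021-12-01T10:02:10 +98912000001 +98912000105 Court notice waiting: http://legal-notice.invalid/app",
    "2021-12-01T10:02:50 +98912000001 +98912000106 Court notice waiting: http://legal-notice.invalid/app",
    # Two friends sharing one article: a link, but too few recipients.
    "2021-12-01T10:05:00 +98912000002 +98912000201 read this http://news.invalid/story",
    "2021-12-01T10:06:00 +98912000002 +98912000202 read this http://news.invalid/story",
    # Chatty user, no links at all.
    "2021-12-01T10:07:00 +98912000003 +98912000301 hi",
    "2021-12-01T10:07:10 +98912000003 +98912000302 hi",
    "2021-12-01T10:07:20 +98912000003 +98912000303 hi",
    "2021-12-01T10:07:30 +98912000003 +98912000304 hi",
    "2021-12-01T10:07:40 +98912000003 +98912000305 hi",
    "2021-12-01T10:07:50 +98912000003 +98912000306 hi",
    # Same link to many people, but spread over hours: outside the burst window.
    "2021-12-01T10:00:00 +98912000004 +98912000401 pay here http://shop.invalid/p",
    "2021-12-01T10:30:00 +98912000004 +98912000402 pay here http://shop.invalid/p",
    "2021-12-01T11:00:00 +98912000004 +98912000403 pay here http://shop.invalid/p",
    "2021-12-01T11:30:00 +98912000004 +98912000404 pay here http://shop.invalid/p",
    "2021-12-01T12:00:00 +98912000004 +98912000405 pay here http://shop.invalid/p",
    "2021-12-01T12:30:00 +98912000004 +98912000406 pay here http://shop.invalid/p",
]


def parse_line(line):
    """Split one constructed log line into (timestamp, sender, recipient, body)."""
    ts, sender, recipient, body = line.split(" ", 3)
    return datetime.fromisoformat(ts), sender, recipient, body


def template_of(body):
    """Normalise a body so per-victim tracking links still count as one template."""
    return URL_RE.sub("<url>", body).strip().lower()


def find_sms_spreaders(lines, window=timedelta(minutes=10), min_recipients=5):
    """Return {sender: max distinct recipients} for senders that, within any
    `window`, sent one link-bearing template to at least `min_recipients`
    different numbers. Messages without a link are ignored entirely."""
    by_sender = defaultdict(list)
    for line in lines:
        ts, sender, recipient, body = parse_line(line)
        if URL_RE.search(body):
            by_sender[sender].append((ts, recipient, template_of(body)))

    flagged = {}
    for sender, events in by_sender.items():
        events.sort()  # sort by timestamp so a sliding window works
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            recipients = {r for _, r, _ in span}
            templates = {t for _, _, t in span}
            if len(recipients) >= min_recipients and len(templates) == 1:
                flagged[sender] = max(flagged.get(sender, 0), len(recipients))
    return flagged


if __name__ == "__main__":
    for sender, count in find_sms_spreaders(SAMPLE_LOG).items():
        print(f"{sender}: {count} distinct recipients got the same link burst")
```

The two thresholds are the tuning knobs: a shorter window and a higher recipient count reduce false positives from group announcements, while the template normalisation keeps a campaign that appends a per-victim parameter to its link from slipping under the "identical message" requirement.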
Figure: Attack path of the social engineering attacks in Iran.
Worryingly, the hackers sell their software via Telegram channels as an Android campaign kit for $50 (44 euros) to $150 (132 euros). It includes the infected applications, the infrastructure behind them, and a console for controlling the operation via Telegram bots that is simple enough for even inexperienced attackers to use.
Alexandra Gofman, Threat Intelligence Team Leader at Check Point
This discovery comes in the midst of a series of major virtual attacks against Iran, including attacks on train services and gas stations. Alexandra Gofman, Threat Intelligence Team Leader at Check Point Software Technologies, explains: “For the population of Iran, cyber attacks are increasingly becoming an impairment of their everyday lives. It began with the attack on the railway, which we were able to attribute to a group called Indra. They continued at gas stations and at the national aviation company. Now we are witnessing another attack that is causing headlines and chaos and can harm many people in Iran. We see no direct connection between this attack and the big ones before. We also assume that this latest attack is only financially motivated. The criminals are probably from Iran.
The speed and spread of this campaign, which is aimed at the general public, is unprecedented. The campaign uses social engineering and, despite the low quality of the attack and the technical simplicity of the software, inflicts great financial damage on its victims. There are quite a few reasons for this success: firstly, when it comes to official-looking government news, many citizens are inclined to click on the specified link. Secondly, these campaigns spread rapidly to a large number of other devices due to the botnet nature of these attacks, in which each infected device receives the command to send more phishing SMS. It should be borne in mind: although these special campaigns are currently widespread in Iran, they can suddenly take place in any other part of the world. I think it is therefore important to raise awareness of social engineering methods.”