Elaborate spear-phishing attempt against global Iranian and free speech activists, including an EFF staffer


Citizenlab details an "elaborate phishing campaign" against Iranian expats and activists, combining phone-calls from fake Reuters reporters, mostly convincing Google Docs login-screens, and a sophisticated attempt to do a "real-time man-in-the-middle attack" against Google's two-factor authentication.

The attacks that Citizenlab discovered failed (there may have been others that succeeded). The failures are mostly down to tiny errors — for example, misspelling "Reuters" or referring to "Iran" as "the Iran." The attackers also incorrectly believed that their targets would be put at their ease and lower their guards if a stranger called them and started talking in detail about the targets' lives and activities.

If you are worried about phishing, be vigilant for this sort of behavior. But even more: turn on two-factor authentication in your accounts (here's a list of services that use two-factor authentication — sadly, almost no US banks use it). All the elaborate stuff that the attackers went through was only necessary because their targets used two-factor authentication. The harder it is for bad guys to attack you, the more mistakes they're likely to make — and the more likely it is that they'll go after someone else.
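As an added example (not part of this post or of the Citizen Lab report), here is a small Python checker that looks for the three indicators the campaign relied on: a sender whose display name invokes Reuters while the address comes from an unrelated domain, a brand name that is almost but not quite right ("Reutures"), and a link whose visible text says Google Docs while the href points elsewhere. The trusted-domain table, the `.example` lookalike domains and both sample messages are constructed assumptions for this example, not data from the report.

```python
"""Heuristic phishing-indicator checks for a single raw e-mail.

The three checks mirror the tells described in the post: a spoofed
sender, a misspelled brand name, and a deceptive link label.
All sample messages and domains below are constructed for this example.
"""
import difflib
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands the campaign impersonated, mapped to the domains assumed here to
# legitimately send on their behalf (assumption: treated as the only trusted ones).
BRAND_DOMAINS = {
    "reuters": ("reuters.com", "thomsonreuters.com"),
    "google": ("google.com",),
}


def _domain_matches(host, trusted):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def check_sender(msg):
    """Flag a display name that names a brand while the address is not from that brand."""
    name, addr = parseaddr(msg.get("From", ""))
    host = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []
    for brand, trusted in BRAND_DOMAINS.items():
        if brand in name.lower() and not _domain_matches(host, trusted):
            findings.append(f"sender claims '{brand}' but sends from {host}")
    return findings


def check_lookalike_words(text, threshold=0.75):
    """Flag words that are close to, but not equal to, an impersonated brand name."""
    findings = []
    for word in dict.fromkeys(re.findall(r"[A-Za-z]{5,}", text)):  # dedup, keep order
        w = word.lower()
        for brand in BRAND_DOMAINS:
            if w != brand and difflib.SequenceMatcher(None, w, brand).ratio() >= threshold:
                findings.append(f"lookalike word '{word}' resembles '{brand}'")
    return findings


def check_links(html):
    """Flag anchors whose visible text is a URL on a different host than the href."""
    findings = []
    for href, label in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        real_host = urlparse(href).hostname or ""
        label = re.sub(r"<[^>]+>", "", label).strip()
        shown_host = urlparse(label).hostname if "://" in label else None
        if shown_host and shown_host.lower() != real_host.lower():
            findings.append(f"link shows {shown_host} but goes to {real_host}")
    return findings


def analyze(raw_email):
    """Run all checks over one raw RFC 822 message and return the findings."""
    msg = message_from_string(raw_email)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)
    return check_sender(msg) + check_lookalike_words(text) + check_links(body)


# Constructed sample modelled on the bait described in the post.
SAMPLE_PHISH = """\
From: "Reuters Tech Dep" <interview@reutures-media.example>
To: target@example.org
Subject: Interview invitation from Reutures
Content-Type: text/html

<html><body>
<p>Dear colleague, following our call this morning, please find the
questions for the interview in the document below.</p>
<p><a href="http://docs-google-login.example/signin">https://docs.google.com/document/d/interview</a></p>
</body></html>
"""

# Constructed benign counterpart: same brand, consistent domain and link.
SAMPLE_LEGIT = """\
From: "Reuters Tech Dep" <tech@reuters.com>
To: target@example.org
Subject: Interview invitation
Content-Type: text/html

<html><body>
<p>Dear colleague, please find the interview questions in the shared document.</p>
<p><a href="https://docs.google.com/document/d/questions">https://docs.google.com/document/d/questions</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_PHISH):
        print("phish:", finding)
    print("legit:", analyze(SAMPLE_LEGIT))
```

The lookalike check is deliberately loose (a similarity ratio rather than an exact blocklist), so it will occasionally flag ordinary words that happen to resemble a brand; treat its output as a prompt for a closer look at the message, not as a verdict on its own.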

Jillian York of the Electronic Frontier Foundation was woken early in the morning by a phone call from a number in the UK. A male voice identified himself as a journalist with Reuters and began with small talk that indicated some knowledge of her activities. The connection was not good and the caller immediately rang back. He said there was something he wished to discuss and verified that he had the correct e-mail address for York.

Step 2: Send the bait

Immediately after the phone calls, York received an e-mail masquerading as sent from the Reuters news agency’s “Tech Dep” and promising an interview. The spoofed e-mail contains some errors, including the misspelling of “Reutures.” The e-mail is slightly more sophisticated than those seen in earlier Google Docs style phishing from the same group.


London Calling: Two-Factor Authentication Phishing From Iran [John Scott-Railton & Katie Kleemola/Citizen Lab]


(Thanks, Jillian!)