Charming Kitten Hackers Impersonate Journalist in Phishing Attacks


Charming Kitten Hackers Impersonate Journalist in Phishing Attacks (Feb 5, 2020)

Researchers at the London-based cybersecurity company Certfa have detected a new attack being orchestrated by the Iranian cyberespionage group Charming Kitten. The campaign used fake interview requests as a lure, spoofing prominent journalist Farnaz Fassihi who works for the New York Times. Farnaz Fassihi also worked for the Wall Street Journal and has over 17 years experience in covering the Middle East. The email interview request contained a flaw however, as the interview purported to be from the Wall Street Journal while Farnaz Fassihi no longer works there. The email asks the victim to download questions, redirecting to a site hosting a phishing kit designed to steal login credentials and two-factor-authentication (2FA) data. Researchers also detected new malware from Charming Kitten using filename “pdfreader.exe” that serves as a backdoor. This campaign has been targeting journalists, academia, activists and Iranian citizens living outside of Iran.

Recommendation: Defense-in-depth is the best way to ensure safety from APTs. Defense-in-Depth involves the layering of defence mechanisms. This can include network and end-point security, social engineering training (such as training exercises to help detect phishing emails) for staff and robust threat intelligence capabilities. Spearphishing emails represent a significant security risk because the sending email will often appear legitimate to the target; sometimes a target company email is compromised and used for such emails. Education is the best defense, inform your employees on what to expect for information requests from their managers and colleagues. Employees should also be aware of whom to contact when they suspect they are the target of a possible spear phishing attack.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.