Iranian spies bait U.S. officials in years-long social engineering scheme

Share this article:
Iranian cyber spies bait U.S. officials in social media ruse
Dubbed “Newscaster,” the operation entailed a years-long social engineering ruse leveraging popular networking sites.

Researchers have uncovered a three-year espionage campaign primarily targeting U.S. military officials, diplomatic and congressional staff, and defense contractors in the country and abroad.

On Wednesday, threat intelligence firm iSight Partners detailed the operation, dubbed “Newscaster" for the intricate social engineering scheme used in attacks. Attackers took on fake, social media personas, and even erected a phony news site, NewsOnAir.org, to gain the trust of their targets.

According to a 19-page report by iSight, hackers, believed to be based in Iran, used numerous networking sites, including Facebook, LinkedIn, Twitter and Google+, to connect with victims.

Once a connection was established with targets, attackers often went after victims' login details by sending them links to “credential collection sites,” which were designed to look like login pages for Yahoo, Google, our Outlook Web Access, the report said.

Researchers believe the network's primary goal was to collect insight on military or diplomatic affairs, as well as intel about defense organizations, for their sponsors' interests and advantage. In addition to collecting credentials, attackers also used the campaign, which dates back to 2011, to distribute malware capable of data exfiltration.

A number of factors led researchers to believe the attacks originated in Iran, including the fact that social networking posts were made during Tehran working hours. Furthermore, NewsOnAir.org was registered in Tehran, and IP addresses used in the attackers' infrastructure mainly hosted Iranian content, the report revealed.

John Hultquist, manager of cyber espionage and threat intelligence at iSight, told SCMagazine.com in a Thursday interview that the Newscaster campaign was the “most extensive social engineering scheme” the firm had seen to date.

Fake social media personas included “reporters,” who shared articles via the fictitious news site, NewsOnAir.org.

“For the most part, the news site was set up just to legitimize the [fake] accounts,” Hultquist said.

Page 1 of 2
Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Florida Supreme Court rules warrants a must for real-time cell location tracking

Florida Supreme Court rules warrants a must for ...

The Florida Supreme Court put the kibosh on warrantless real-time tracking using location data obtained from cell phone providers.

Modular malware for OS X includes backdoor, keylogger components

Modular malware for OS X includes backdoor, keylogger ...

The modular malware was named "Ventir," by researchers at Kaspersky.

Fake Dropbox login page nabs credentials, is hosted on Dropbox

Fake Dropbox login page nabs credentials, is hosted ...

Symantec researchers received a phishing email linking recipients to a fake Dropbox login page that is hosted on Dropbox's user content domain and served over SSL.