The infamous Charming Kitten, an Iran-linked APT, is back with more sophisticated phishing attacks via LinkedIn and WhatsApp. In its new approach, it impersonates Persian-speaking journalists on these social media platforms to trick victims into opening malicious links.

Charming kitten is mainly aiming to launch cyber attacks on Israeli scholars from Haifa and Tel Aviv Universities and U.S. government employees. Security analysts have claimed that the first malicious activity by Charming Kitten was recorded in July.

Hackers have been falsely posing as popular writers for the Deutsche Welle and Jewish Journal outlets. They were perpetrating attacks on potential victims via malicious emails, and WhatsApp messages and calls. Furthermore, these cybercriminals have created fake LinkedIn profiles registered in the names of well-known journalists to deceive their victims.

Their ultimate agenda is to manipulate victims into clicking on malicious links that would redirect them to a spoofed login page wherein they would be requested to submit their credentials. 

How was the Attack Perpetrated?

Pretending to be writers of German and Persian origin, the cybercriminals created fake LinkedIn profiles. They sent out LinkedIn messages to victims on their personal accounts in order to manipulate them.

By taking up the names of popular journalists and writers on their fake social media handles, these hackers made sure that the victims felt that the messages were coming from reliable sources. 

The fraudulent link was enclosed within an authorized Deutsche Welle domain, making it even more difficult to detect the fraud.  Attempts were also made to send a malicious ZIP file along with the message that was sent to the victim via the forged LinkedIn profiles. 

The attack was also perpetrated via WhatsApp, where the cyber attackers talked to the victims personally via WhatsApp calls, manipulating them into clicking on malicious links. Making use of these two social media platforms, it was more convenient for hackers to reach their victims. 

Charming Kitten’s New Attempts to Con Victims

Charming Kitten has been active since 2014 and has always relied on email and messages to carry out its malicious activities. Also known as Ajax or APT35, this gang of Iranian hackers uses spear-phishing as their attack vector in the majority of cases. The group recently tried to hack into the email accounts tied to the 2020 Trump re-election campaign as well.

However, hackers recently changed their course of action by relying on social media platforms such as WhatsApp and LinkedIn. They misused these platforms to support their spear-phishing email campaign to make it all look to have come from legitimate sources.

In the spear phishing emails, hackers of the Charming Kitten group impersonated Deutsche Welle journalists, fluent in Farsi, to deceive targeted receivers. Other victims received spoofed emails that impersonated an Israeli scholar from Tel Aviv University, requesting recipients to join a Zoom meeting in Hebrew.

Hackers also posed as journalists from the Jewish Journal, requesting victims who were all mainly university students, to join a webinar on “citizenship and freedom of girls and women in Iran and its future.” 

The attackers made sure that they gained the trust of the victims by keeping them in a conversational loop in the webinar. They deployed various tactics to increase the interest of the victims by nominating them as the main speaker of the webinar.

After establishing a cordial relationship with them, the cyber attackers invited them to connect over WhatsApp. The conversation was further extended and the victims didn’t suspect any evil intention since the number used by the hackers was a legitimate German number (with the prefix +49). 

After the attackers were sure that they had successfully gained the trust of their victims, the second wave of messages sent by them included emails with malicious links. When targets clicked on the link, they were redirected to Akademie AW’s spoofed landing page.

There they were asked to sign up on the page to activate their accounts. Reportedly, researchers have traced back the malicious links to be linked to an authorized Deutsche Welle domain!

Keep Your Employees’ Email Accounts Secured

Due to the rampant increase in the number of email spoofing activities, it is imperative for CISOs, CIOs, and other security equivalents to implement robust email authentication protocols. Making these protocols a part of the company’s email security help in securing your email domain against email-based attacks such as spoofing and BEC attacks.

DMARC is the best email authentication standard, which in alignment with DKIM and SPF, not only secures the email domain against malicious activities but also enhances the email deliverability rate.  In fact, TDMARC is the most recommended tool to configure DMARC in your organization. 

TDMARC offers the following benefits: 

• Secures email domains from being exploited by threat actors
• Identifies all the top sources abusing your domain
• Protects brand reputation, customer base, and business
• Improves email deliverability and boosts engagement rate
• Gives full insight into email channels including third-party emails and abuse