London Calling: Two-Factor Authentication Phishing from Iran

The anonymous targets who have generously shared these materials with us; Jillian York (EFF); Citizen Lab colleagues including Morgan Marquis-Boire, Masashi Crete-Nishihata, Bill Marczak, Ron Deibert, Irene Poetranto, Adam Senft, and Sarah McKune; Gary Belvin (Google) and Justin Kosslyn (Google Ideas); Cyber Arabs; Jordan Berry, Nart Villeneuve; and two anonymous colleagues. Thanks also to Frederic Jacobs who suggested a change to the wording of the HTTPS check text.This report describes an elaborate phishing campaign using two-factor authentication against targets in Iran’s diaspora, and at least one Western activist

Targeted Malware Attacks against NGO Linked to Attacks on Burmese Government Websites

Thanks to John Scott-Railton for comments on the post.This report analyzes a campaign of targeted attacks against an NGO working on environmental issues in Southeast Asia. Our analysis reveals connections between these attacks, recent strategic web compromises against Burmese government websites, and previous campaigns targeting groups in the Tibetan community

Group5: Syria and the Iranian Connection

We thank Noura Al-Ameer for collaborating with this investigation, and for graciously agreeing to be included in this report. The targeted nature of many cases means that, without the help of brave targets and victims, we are often left with a very limited view of what is taking place. We are exceptionally grateful to colleagues at Citizen Lab for comments, critical feedback, and assistance with document preparation including Ron Deibert, Bill Marczak, Morgan Marquis-Boire, Sarah McKune, Masashi Nishihata, Irene Poetranto,Christine Schoellhorn, and Adam Senft. Thanks also to Justin Kosslyn and Brandon Dixon for helpful feedback. We would also like to thank the following teams: Lookout, PassiveTotal and RiskIQ, VirusTotal, and Cisco’s AMP Threat Grid Team for data correlation. Very special thanks to other investigators who wished to remain anonymous but provided exceptionally helpful assistance, especially TNG and Tuka. Note: the night sky image of Syria used as background for several illustrations is from CIMSS at the University of Wisconsin Madison.This report describes a malware operation against the Syrian Opposition. We name the operator Group5, and suspect they have not been previously-reported. Group5 used “just enough” technical sophistication, combined with social engineering, to target computers and mobile phones with malware