"Iran Spear-Phishers Hijack Email Conversations in New Campaign"

Security researchers at Check Point have uncovered a major new state-backed spear-phishing operation targeting multiple high-ranking Israeli and US officials. The researchers traced the campaign to the Iranian Phosphorus APT group. The campaign dates back to at least December 2021 and has targeted former Israeli foreign minister and deputy Prime Minister Tzipi Livni, a former major general in the Israeli Defense Forces (IDF), and a former US ambassador to Israel. Other targets included a senior executive in Israel’s defense industry and the chair of one of the country’s leading security think tanks.

According to the researchers, the methodology is fairly straightforward. The attacker compromises the inbox of a frequent contact of the target and then hijacks an existing conversation between the two. The attacker then opens a new spoofed email address impersonating the same contact, with a format resembling joe.doe.corp[@]gmail.com, and attempts to continue the conversation from this new address, exchanging multiple messages. Real documents are sometimes used as part of the exchange to add legitimacy and relevance to the scam.

The researchers stated that the most sophisticated part of the operation is the social engineering. The attackers use real hijacked email chains, impersonations of well-known contacts of the targets, and specific lures for each target, so the phishing chain is crafted specifically for each target.
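The address switch described above can be checked for on the receiving side. The following is an added example, not code from Check Point or Infosecurity: a heuristic that flags a reply in an existing thread when it comes from a free-mail address whose local part embeds the name of a contact already in that thread. The function names, the `FREEMAIL` list, and the sample addresses are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed list, extend locally

def tokens(local_part):
    return {t for t in re.split(r"[^a-z0-9]+", local_part.lower()) if t}

def impersonates(sender, contact):
    """True if a free-mail sender's local part embeds the contact's name tokens."""
    s_local, _, s_dom = sender.lower().rpartition("@")
    c_local = contact.lower().rpartition("@")[0]
    if sender.lower() == contact.lower() or s_dom not in FREEMAIL:
        return False
    want = tokens(c_local)
    return bool(want) and want <= tokens(s_local)

def find_hijacked_replies(raw_messages, me):
    """Return (Message-ID, sender, impersonated contact) for suspicious replies."""
    seen, findings = {}, []            # seen: Message-ID -> sender address
    for raw in raw_messages:
        msg = message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        mid = msg.get("Message-ID", "").strip()
        refs = (msg.get("References", "") + " " + msg.get("In-Reply-To", "")).split()
        # Earlier senders in the thread this message claims to continue.
        thread_senders = {seen[r] for r in refs if r in seen} - {me.lower()}
        if sender != me.lower() and sender not in thread_senders:
            findings += [(mid, sender, c) for c in sorted(thread_senders)
                         if impersonates(sender, c)]
        seen[mid] = sender
    return findings

def mk(frm, mid, refs=""):             # builds a constructed sample message
    return f"From: {frm}\nMessage-ID: {mid}\nReferences: {refs}\n\nbody\n"

ME = "target@mail.example"
SAMPLE = [                             # constructed thread, not real mail
    mk("Joe Doe <joe.doe@corp.example>", "<1@corp.example>"),
    mk(ME, "<2@mail.example>", "<1@corp.example>"),
    mk("Joe Doe <joe.doe.corp@gmail.com>", "<3@gmail.com>", "<1@corp.example> <2@mail.example>"),
    mk("Alice Smith <alice.smith@gmail.com>", "<4@gmail.com>", "<1@corp.example>"),
    mk("Joe Doe <joe.doe@corp.example>", "<5@corp.example>", "<2@mail.example>"),
]

if __name__ == "__main__":
    for finding in find_hijacked_replies(SAMPLE, ME):
        print("possible thread hijack:", finding)
```

Only the third sample message is flagged; the unrelated free-mail participant and the contact's genuine reply pass. A real deployment would feed messages in arrival order from the mailbox or gateway and treat a hit as a prompt to verify the sender out of band.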
 

Infosecurity reports: "Iran Spear-Phishers Hijack Email Conversations in New Campaign"
