
Iranian hackers set up fake news website, and posed as journalists on Facebook to spy on United States and others


Security researchers claim to have uncovered a three-year-old internet espionage campaign, targeting military personnel, diplomats, and defence contractors in the United States and Israel.

The campaign, dubbed “NEWSCASTER” by iSIGHT Partners, saw more than a dozen fake profiles created on social networking sites like Facebook, Twitter and LinkedIn, pretending to be journalists, government or defence workers.

The hackers managed to dupe at least 2000 potential targets to connect with them on social networks, increasing their credibility in the eyes of others by being seen to have existing business and social relationships.

Amongst other tactics, the hackers are said to have created a bogus news website – (not to be confused with, a legitimate Indian news operation) – that plagiarised news content from other sources.

From my exploration the site does indeed scrape content from legitimate news outlets. For instance, here is a story that it published in September 2013 about the iPhone 5S fingerprint sensor quoting me:

And here is the original article, published by CNN:

Now, scraping legitimate news websites – although deeply annoying to those who have worked hard and spent money creating that content – isn’t sadly unusual, and definitely isn’t evidence of internet espionage.

But it should make observers question the legitimacy of the site, and the journalistic credentials of anyone who claims to be connected with it.

In its report, iSIGHT Partners says that the motivation behind the cybercriminal campaign was to steal login credentials for victims’ email accounts, by sending them phishing messages that asked them to log in to webpages (presumably to view breaking news articles).

In some cases these phishing pages would have probably presented themselves as the login pages for social networks like Facebook.

It’s not a sophisticated method of attack, but with many users lazily choosing to recycle the same passwords on multiple websites it could lead to hackers gaining access to the login credentials for other important sites, from where they could glean information and conduct reconnaissance.

In addition, iSIGHT Partners says that the attackers used “not particularly sophisticated” malware to exfiltrate data from compromised computers.

The investigators strongly suspect that the threat originated in Iran. This is partly based upon the location of the victims targeted (United States, Israel, Iraq, UK, Saudi Arabia), but also – perhaps surprisingly – upon the hours that the hackers kept:

Though the timing of the social network attack may seem irregular at first, over multiple years the schedule behind the activity becomes apparent. They maintained a regular schedule, including what appears to be a lengthy lunch break followed by the remainder of the work day. These hours conform to work hours in Tehran. Furthermore, the operators work half the day on Thursday and rarely work on Friday, the Iranian weekend. Other clues, such as the targets on which the operators have chosen to focus and additional technical indicators, lead us to believe NEWSCASTER originates in Iran.
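The working-hours reasoning in that quote can be reproduced by an analyst as a simple fit test. The following is an added example, not code from iSIGHT Partners' report or from this article; the candidate locales, the fixed UTC offsets, the 08:00-18:00 office window and the sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from collections import Counter

# Candidate locales: name -> (fixed UTC offset in hours, weekend days, Mon=0).
# Fixed offsets ignore daylight saving time; that is a simplifying assumption.
CANDIDATES = {
    "Tehran":   (3.5, {4}),       # Friday weekend
    "Tel Aviv": (2.0, {4, 5}),    # Friday-Saturday weekend
    "London":   (0.0, {5, 6}),    # Saturday-Sunday weekend
    "New York": (-5.0, {5, 6}),   # Saturday-Sunday weekend
}

def to_local(ts, offset_hours):
    return ts.astimezone(timezone(timedelta(hours=offset_hours)))

def work_fit(events_utc, offset_hours, weekend, start=8, end=18):
    """Fraction of events inside local office hours on a local working day."""
    hits = 0
    for ts in events_utc:
        loc = to_local(ts, offset_hours)
        if loc.weekday() not in weekend and start <= loc.hour < end:
            hits += 1
    return hits / len(events_utc)

def rank_locales(events_utc):
    """Candidate locales sorted by how well the activity fits their work week."""
    scores = {n: work_fit(events_utc, off, wk) for n, (off, wk) in CANDIDATES.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

def weekday_profile(events_utc, offset_hours):
    """Event count per local weekday (Mon=0 .. Sun=6)."""
    return Counter(to_local(ts, offset_hours).weekday() for ts in events_utc)

def constructed_events():
    """Constructed sample, not real data: four weeks of UTC timestamps that
    follow the quoted pattern (lunch gap, half-day Thursday, no Friday)."""
    start = datetime(2014, 3, 1, tzinfo=timezone(timedelta(hours=3.5)))  # a Saturday
    events = []
    for i in range(28):
        day = start + timedelta(days=i)
        if day.weekday() == 4:          # Friday: no activity
            continue
        hours = (9, 10, 11) if day.weekday() == 3 else (9, 10, 11, 14, 15, 16)
        events += [(day + timedelta(hours=h, minutes=15)).astimezone(timezone.utc)
                   for h in hours]
    return events

if __name__ == "__main__":
    ev = constructed_events()
    for name, score in rank_locales(ev):
        print(f"{name:10s} {score:.2f}")
    print(sorted(weekday_profile(ev, 3.5).items()))
```

A high score only shows that the activity is consistent with a locale's work week; it is one indicator to weigh alongside others, not proof of origin.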

It is, of course, always hard to be 100% certain when pointing a finger at a particular country regarding an internet attack. It is, after all, very easy to cover your tracks on the net, and disguise an internet attack to give the impression of coming from a different country.

It is even harder still to prove an attack was state-sponsored, and had the backing of a particular government.

At the same time, it would be wise not to be naive. Ultimately, you have to ask yourself who would have the most to gain from spying on particular countries and particular organisations within those states.

This particular attack may have been relatively low-tech, but it does underline that everyone needs to be vigilant about who they trust online – whether it be a news website or a new connection on a social network. Vigilance can help prevent your organisation from being the next one successfully targeted.

In addition, always use strong, hard-to-crack passwords and ensure that you are never re-using the same passwords on multiple sites.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

1 Comment

  • The world is too crazy and insecure. Hackers can get very personal information that they need by hacking. Sometimes, they can even find out the password using special hack tools. It’s worth mentioning that hacking can be very useful in certain conditions. A child in my neighborhood behaved erratically some time ago; her parents used Micro keylogger to get her FB password to find that someone was trying to tempt her into taking drugs. That is terrible.