With a key election in Iran looming on Friday, Google officials say they have seen a major uptick in the volume of phishing attacks against users in Iran, possibly coming from the same group that was using fake Google certificates to attack Iranian targets in 2011 after the compromise of DigiNotar.
Google’s systems look for phishing and other malicious emails that come through the Gmail servers, and the company’s security team says it has identified an increase in the number of such emails going to targets in Iran.
“For almost three weeks, we have detected and disrupted multiple email-based phishing campaigns aimed at compromising the accounts owned by tens of thousands of Iranian users. These campaigns, which originate from within Iran, represent a significant jump in the overall volume of phishing activity in the region. The timing and targeting of the campaigns suggest that the attacks are politically motivated in connection with the Iranian presidential election on Friday,” said Eric Grosse, VP of security engineering at Google.
Unlike the attacks that came after the DigiNotar compromise, the latest round of targeted phishing emails seems much less sophisticated. They are typical phishing emails that are aimed at stealing a user’s Google account username and password. The messages appear to come from Google and ask the user to set up an alternate email address for security purposes. In the wake of the compromise of DigiNotar, a Dutch certificate authority, a group of attackers in Iran was able to forge a certificate for Gmail that allowed them to perform a large-scale man-in-the-middle attack on users in that country.
“Our Chrome browser previously helped detect what appears to be the same group using SSL certificates to conduct attacks that targeted users within Iran. In this case, the phishing technique we detected is more routine: users receive an email containing a link to a web page that purports to provide a way to perform account maintenance. If the user clicks the link, they see a fake Google sign-in page that will steal their username and password,” Grosse said.
This time around, the attacks appear to be timed to coincide with the upcoming election in Iran, which is scheduled for Friday.