Skip to main content

Iranian hackers used fake news site to spy on the US & UK

An Iranian hacker group targeted over 2,000 US military personnel, journalists and lawmakers over the last 3 years with an extremely sophisticated spear phishing campaign. The group operated by creating more than a dozen fake Facebook and LinkedIn profiles, and even created a fake online news organisation to lure its marks.

The impressive social engineering feat was pulled off in order to infect the targets with malware. Once the victims had befriended the fake profiles, the people were emailed malicious links that allowed the hackers to steal account credentials and potentially take control of their computers.

The group is suspected to be operating from Iran due to their working patterns and the location of their command-and-control infrastructure. Many of those targeted were also involved with Israeli defence contractors or lobbyists for Israel.

The hackers, who have been operating the heist since 2011, slowly bolstered fake but credible-looking online personas on social networks, often using images of attractive women. They also created an entire fake news site to build the credibility of the profiles they created.

The news site in question ( is sophisticated. Named News on Air, it copied stories from legitimate news sites such as Reuters, the BBC and the AP in order to give the appearance of a functioning outlet.

ITProPortal advises caution to curious visitors, as the site contains a piece of malware fitting the HTML/Iframe.B.Gen mould, which uses IFRAME tags embedded in HTML pages to redirect the browser to a specific URL location with malicious software.

The fake news site even had its own Facebook, LinkedIn and Twitter accounts.

Although the number of followers leaves something to be desired, it does count among its number one prominent IT security journalist...

Before sending the malicious link to their targets, the hackers made sure to befriend people close to the potential victim, so that when they eventually approached them with a friend request, they appeared to have mutual friends. This was often enough to assuage suspicions and get the target to accept the friend request.

The attackers would eventually approach their target, with a message such as a link to a YouTube video. A victim would first be directed to a fake Google Gmail login page in an attempt to gather the person's credentials before being redirected to the video. In other instances, the attackers spoofed the Web-based login page for corporate email systems.

While it's not clear exactly what intelligence might have been gathered over the course of the three-year mission, and exactly who the targets were, the hack has been described as "certainly successful".

The attacks were uncovered by security consultancy iSight Partners, and are reminiscent of recent similar attacks by Chinese hackers, who used a spearfishing campaign to steal secrets from top American firms.

This incident has underlined just how sophisticated modern social engineering attacks are, and how seriously companies need to take the threat.

Read more: How to protect your business from social engineering attacks