The Israeli cybersecurity firm ClearSky has exposed several cases in which Iranian hackers impersonated legitimate websites. In February, for instance, it revealed an operation it called Ayatollah BBC – a series of Iranian-run websites impersonating foreign or even Iranian media outlets.

But earlier this month, it reported that it, too, has joined the list of victims of these Iranian “copy and paste” operations.

Last month, the company discovered that a hacker group called Charming Kitten, which had perpetrated previous attacks, was still operating. The group is connected to the Iranian government and is deemed an “advanced persistent threat,” meaning it comprises sophisticated hackers.

It has occasionally hit the headlines, once when one of its members was involved in breaking into the HBO television network and stealing videos and other files, including scripts for the hit series “Game of Thrones.”

The group often uses “watering hole” attacks, which utilize either legitimate sites or seemingly innocent but malicious sites to infect users with malware that the hackers can then use to spy on them. For instance, ClearSky researchers discovered the group had created a website which impersonated the German paper Deutsche Welle’s site.

The hackers also managed to insert a malicious page into the website of a Los Angeles Jewish community paper, the Jewish Journal. The page invited users to a webinar and included a link that activated a program called BeEF, which stands for Browser Exploitation Framework. BeEF was originally created for security researchers who look for security breaches, particularly in browsers, in order to improve their defenses. But it has proven a double-edged sword that attackers can use for less benign ends.

ClearSky’s most entertaining discovery so far, however, relates directly to the company. As the website Bleeping Computer reported last week, the Charming Kitten group impersonated ClearSky itself by creating a website almost identical to that of the Israeli firm, with a slightly different address; the imposter site ended in “.net” rather than “.com.”

ClearSky researchers found some broken links in the fake site, leading them to think it is still under development.

The obvious question is what the Iranian hackers hoped to achieve with this impersonation. The answer lies in one very significant difference between the two sites: Unlike the original site, the Iranian version allows users to register. This would enable the hackers to steal information from ClearSky’s customers, who would think they were merely registering to receive site updates. The moment a user clicked on the registration link, the hackers would be able to steal his or her personal information, including passwords for service providers.

Source » haaretz