Facebook issued a warning and subsequent review about Iranian hackers targeting US military personnel on its platform. It appears the sizable campaign has been underway for the better part of a year.
The large-scale hacking campaign targets US military personnel, and to a lesser degree, individuals in America, the UK, and Europe. The victims work in a number of important industries, such as defense, aerospace, journalism, medicine, and nonprofit.
Facebook pinned the activity on a group known as “Tortoiseshell,” believed to be based in Tehran, Iran. Up until recently, it has mainly conducted cybercampaigns in the Middle East.
This Facebook campaign illustrates an expansion of the group's activities beyond that region.
Social Engineering and Spoofing
The hackers spent months setting up and operating a number of fake personas in order to “socially engineer” their targets.
Social engineering is the process by which one party subtly influences the behavior of others to achieve a goal. Phishing, which Tortoiseshell used here, is a common form of social engineering.
Hackers posed as recruiters and employees of defense contractors, luring targets in with the promise of jobs.
They were very cautious with their approach. Instead of attempting to load malware through Facebook, the attackers directed their targets to several other domains. Many of them were spoofs—imitations—of legitimate sites.
The more than 100 spoofed domains included fake versions of a US Department of Labor job search site, Microsoft, LiveLeak, various Trump organizations, and even SoundCloud.
The hackers even spoofed major email service providers to trick targets into clicking malware-infected links.
Malicious Microsoft Excel files were a common delivery mechanism. The fake domains and malware were an attempt to steal login credentials, gain access to sensitive information, and possibly commit identity theft to further extend the campaign's reach.
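As an added illustration, not taken from the article or from Facebook's report, the check below flags hostnames that imitate the brands named above (a defender's lookalike-domain triage). The watch-list, the confusable-character table and the sample hostnames under .example are all constructed assumptions, since the article does not publish the actual spoofed domains.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed watch-list: the brands the article names as spoofed (assumption: these
# are the registrable domains a defender would monitor for lookalikes).
WATCHED = ["dol.gov", "microsoft.com", "liveleak.com", "soundcloud.com"]

# Substitutions folded before comparison (assumed, deliberately short list).
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

def normalize(label: str) -> str:
    """Lower-case, strip accents (mícrosoft -> microsoft) and fold confusable characters."""
    ascii_only = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    out = ascii_only.lower()
    for fake, real in CONFUSABLES.items():
        out = out.replace(fake, real)
    return out

def classify(hostname: str):
    """Return (brand, reason) for a watched brand or a lookalike of it, else None.
    Assumes Unicode-decoded hostnames and a one-label public suffix (real code: use the PSL)."""
    host = hostname.lower().rstrip(".")
    labels = host.split(".")
    sld = normalize(labels[-2]) if len(labels) >= 2 else normalize(host)
    for brand in WATCHED:                       # exact brand or a real subdomain of it
        if host == brand or host.endswith("." + brand):
            return brand, "legitimate"
    for brand in WATCHED:
        brand_sld = brand.split(".")[0]
        if brand in host:                       # microsoft.com.jobs-portal.example
            return brand, "brand-in-subdomain"
        if sld == brand_sld:                    # micros0ft.example, rnicrosoft.example
            return brand, "confusable-chars"
        if brand_sld in sld:                    # liveleak-videos.example, dol-jobs.example
            return brand, "brand-embedded"      # (short labels such as "dol" over-match)
        if SequenceMatcher(None, sld, brand_sld).ratio() >= 0.8:
            return brand, "near-miss"           # soundclod.example
    return None

# Constructed sample hostnames (the article does not publish the real spoofed domains).
SAMPLE_HOSTS = [
    "www.microsoft.com", "micros0ft.example", "rnicrosoft.example", "mícrosoft.example",
    "microsoft.com.jobs-portal.example", "dol-jobs.example", "liveleak-videos.example",
    "soundclod.example", "example.org",
]

def scan(hosts):
    """Map each suspicious hostname to (brand, reason); legitimate and unrelated hosts are dropped."""
    return {h: r for h in hosts if (r := classify(h)) and r[1] != "legitimate"}
```

Run `scan(SAMPLE_HOSTS)` over hostnames pulled from proxy or DNS logs to get a worklist; the heuristics trade precision for recall, so a hit is a triage lead rather than a verdict.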
The hackers maintained consistent personas over multiple accounts on different sites to increase their effectiveness and evade detection.
For its part, Facebook works to identify offending accounts and notify people it believes were targeted. Fewer than 200 people were warned, and fewer than 200 malicious accounts were removed.