A substantial barrage of phishing attacks against large Israeli companies shows Iran’s targeting of Israel is not limited to the battlefield but rather encompasses never ending attempts in cyberspace as well.
On August 4, the systems of Perception Point (Perception-point.io), a cybersecurity firm that aims to protect user workspaces from various attacks delivered via email and other apps, detected a malicious email campaign targeting thousands of employees in dozens of companies.
The email, titled “IDF Alert: Guidelines for Citizen Safety,” falsely claimed to provide crucial safety guidelines for the ongoing war and urged recipients to download an official document. Users who clicked the link in the email were redirected to download a preconfigured remote control app, allowing attackers to take complete control of the device and potentially infect other devices on the company’s network.
“The attackers’ goals may have included extortion, embarrassing Israeli companies, or more severe actions like compromising critical infrastructure, wiping out data of computers, and even causing physical harm,” explained Tal Zamir, CTO of Perception Point. “It should be noted that this attempt used several sophisticated evasion tactics, including hosting the remote control app on a legitimate hosting service often featured in the allow list of organizations, as well as being properly digitally signed by a legitimate IT software vendor, bypassing many traditional protections,” Zamir added.
“We cannot give the names of the organizations because they are our clients and we maintain their privacy, but I can say that some of them are large Israeli infrastructure companies. Our system automatically blocked all of these malicious emails before they reached users’ inboxes, so none of the organizations we protect were affected by this attack to the best of our knowledge,” he stressed.
Zamir suspects that the attack attempts originated in Iran. “Based on the timing, the attack theme, and the specific remote control app used, we suspect the threat actor is a cyber espionage group associated with Iran’s Ministry of Intelligence and Security (MOIS),” he explained. “This specific group, known as MuddyWater in the security community, has previously targeted private organizations across the Middle East and used the same agent for remote system management and lateral movement.”
Zamir commented that Perception Point has noticed a spike in email campaigns targeting Israeli companies since October 7. One example is a pro-Hamas attack by the “Handala” group that delivered wiper malware for Windows and Linux servers via an email campaign, risking Israeli infrastructure. “In that instance, the email was entirely in Hebrew and focused on requiring IT administrators to deploy a new software update for their servers,” he elaborated.
How users can protect themselves from phishing attacks
Perception Point’s core technology, developed in-house over the past seven years, aims to provide detection capabilities for highly evasive malware, social engineering, phishing, and other threats. “Our system has previously exposed numerous zero-day vulnerabilities, exploits, account takeovers, and advanced evasive phishing and ransomware attacks,” Zamir said, adding that the company pioneered protection against quishing (QR phishing), multi-step phishing attacks, and social engineering protection through AI and semantic understanding of email content.
When asked what tips he can offer to users around the globe in order to remain safe from such attacks, Zamir replied: “First and foremost, always look at the domain of senders, as well as domains in email links. For example, a fake IDF ‘alert email’ came from the address IDFAlert @miraclecenter.org. Needless to say, ‘miracle center’ is not an official IDF domain. Official communications should come from the proper domain of the organization. Also, watch out for slight domain alterations, such as ‘1df’ instead of ‘idf’.
“Secondly, don’t open links from unknown sources: Avoid opening documents or websites from suspicious sources and never enter your password or one-time code on websites from dubious senders,” he said.
“Thirdly, verify directly with the sender: If an email asks you to call a number or visit a vendor’s website via a provided link, independently verify the contact information by browsing to the official website or using known contact details. Links and numbers in emails can be fake and lead to attacker-controlled sites or phone lines,” the cybersecurity expert said.
“Finally, make sure to report suspicious emails: if in doubt, report suspicious emails to your security or IT administrator. Use built-in phishing reporting tools in standard email clients like Gmail and Outlook,” Zamir said.
“Given the current war situation in Israel, it is crucial to be extra vigilant with incoming messages.”
This article first appeared in The Jerusalem Post, written by Ohad Merlin on August 6, 2024.