In a recent cyber espionage campaign, Iranian state-sponsored hackers were observed operating a counterfeit website that impersonates a reputable German modeling agency. The site's purpose is to profile its visitors, with the apparent goal of identifying and later targeting individuals of interest, in particular members of Iranian dissident communities.
The Deceptive Strategy
The threat actors cloned the website of Hamburg-based Mega Model Agency, reproducing its branding, layout, and content closely enough that a visitor comparing the two would see nothing amiss. The fidelity of the copy was the lure: it persuaded visitors that they were on the genuine platform.
Simply loading a page on the counterfeit site caused the visitor's browser to execute obfuscated JavaScript embedded in the page; no click or download was required. The script collected a broad profile of each visitor, including:
– Browser Configuration: browser type and version, along with the installed languages and plugins the script enumerated from the navigator object.
– Screen Resolution: the display dimensions of the visitor's device.
– IP Addresses: both local (LAN) and public IP addresses, obtained by abusing WebRTC's ICE candidate gathering, which can expose addresses that a proxy or VPN would otherwise hide.
– Browser Fingerprint: a canvas fingerprint, in which the script draws hidden content and hashes the rendered pixels; the result differs across GPU, driver and font combinations and so identifies a device across visits without a cookie.
The collected data was serialised as JSON and sent to an endpoint at the path /ads/track, dressed up to look like an advertising analytics service. Because a POST of a JSON blob to an "ads" path is indistinguishable at a glance from routine ad telemetry, the beacon blended into ordinary web traffic; a path string alone is therefore a weak indicator, and detection has to rest on the script's behaviour rather than on the URL.
Technical Sophistication
The operation's technical character is visible in the obfuscated JavaScript. The script ran several collection routines in one pass: it enumerated browser languages and plugins, read screen resolution, and used WebRTC to reveal the visitor's IP addresses. It also implemented canvas fingerprinting, hashing the rendered canvas with SHA-256 to produce a stable identifier for each device that accessed the site. None of these techniques is novel on its own; WebRTC address leaks and canvas fingerprinting are well documented and widely used by commercial trackers. What distinguishes this deployment is the combination of all of them, under obfuscation, on a site built solely to profile a chosen audience.
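A defender rarely gets the deobfuscated script the write-up describes; what lands in a proxy capture or a page-inspection tool is the obfuscated form. The following added example, which is not code from the campaign or from any vendor, is a small static scanner for the collection behaviours listed above (WebRTC candidate gathering, canvas hashing, navigator/screen enumeration, SHA-256 digests and the /ads/track style beacon). It first undoes the cheap obfuscations commonly seen in such kits (hex and unicode escapes, 'a'+'b' string splitting, String.fromCharCode constants and obj['prop'] access) so that the indicators match, then scores the result. SAMPLE_JS is a constructed stand-in that mimics the behaviour described, not the real script, and the indicator table and scoring rule are the author's own assumptions.

```python
"""Static indicator scan for browser-fingerprinting JavaScript (added example)."""
import json
import re

# Indicator table (assumed, not from the campaign): API names that characterise
# each collection routine. Patterns run against the normalised source, so names
# that were split or escaped in the obfuscated original still match.
INDICATORS = {
    "webrtc_ip_leak": [r"RTCPeerConnection", r"createDataChannel", r"onicecandidate", r"\bcandidate:"],
    "canvas_fingerprint": [r"getContext\(\s*['\"]2d['\"]", r"toDataURL", r"getImageData", r"fillText"],
    "browser_enumeration": [r"navigator\.plugins", r"navigator\.languages?", r"navigator\.userAgent",
                            r"screen\.(width|height|colorDepth)"],
    "hashing": [r"crypto\.subtle\.digest", r"SHA-256"],
    "beacon": [r"/ads/track", r"navigator\.sendBeacon", r"JSON\.stringify"],
}

_HEX = re.compile(r"\\x([0-9a-fA-F]{2})")
_UNI = re.compile(r"\\u([0-9a-fA-F]{4})")
_FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*((?:\d+\s*,\s*)*\d+)\s*\)")
# 'abc' + "def"  ->  'abcdef'   (quote characters are matched by back-reference)
_CONCAT = re.compile(r"""(['"])((?:\\.|(?!\1).)*)\1\s*\+\s*(['"])((?:\\.|(?!\3).)*)\3""")
# obj['prop']  ->  obj.prop
_BRACKET = re.compile(r"""\[\s*(['"])([A-Za-z_$][\w$]*)\1\s*\]""")


def normalise(src):
    """Undo the light obfuscations so that API names appear in clear text."""
    src = _HEX.sub(lambda m: chr(int(m.group(1), 16)), src)
    src = _UNI.sub(lambda m: chr(int(m.group(1), 16)), src)
    src = _FROMCHARCODE.sub(
        lambda m: '"' + "".join(chr(int(n)) for n in m.group(1).split(",")) + '"', src)
    # Fold 'a'+'b'+'c' one pair at a time until no concatenation of literals remains.
    while True:
        folded = _CONCAT.sub(lambda m: m.group(1) + m.group(2) + m.group(4) + m.group(1), src)
        if folded == src:
            break
        src = folded
    return _BRACKET.sub(lambda m: "." + m.group(2), src)


def scan(src):
    """Return {category: [matched patterns]} for every indicator category that fires."""
    text = normalise(src)
    hits = {}
    for category, patterns in INDICATORS.items():
        matched = [p for p in patterns if re.search(p, text)]
        if matched:
            hits[category] = matched
    return hits


def verdict(hits):
    """Assumed rule: two or more collection routines plus an exfiltration beacon."""
    collectors = {"webrtc_ip_leak", "canvas_fingerprint", "browser_enumeration"} & set(hits)
    return len(collectors) >= 2 and "beacon" in hits


# Constructed sample imitating the described behaviour under light obfuscation.
# It is NOT the script from the counterfeit site.
SAMPLE_JS = r"""
var _0x1a=['RTC'+'Peer'+'Connection','\x63\x72\x65\x61\x74\x65\x44\x61\x74\x61\x43\x68\x61\x6e\x6e\x65\x6c'];
var pc=new window[_0x1a[0]]({iceServers:[]});pc[_0x1a[1]]('');
pc['onice'+'candidate']=function(e){if(e.candidate){d.ips.push(e.candidate.candidate);}};
var c=document.createElement('canvas'),x=c['get'+'Context']('2d');x.fillText('mma',2,2);
var d={ua:navigator['user'+'Agent'],sw:screen['wid'+'th'],pl:navigator.plugins.length,ips:[]};
crypto.subtle.digest('SHA-256',new TextEncoder().encode(c.toDataURL())).then(function(h){d.fp=h;
navigator[String.fromCharCode(115,101,110,100,66,101,97,99,111,110)]('\x2f\x61\x64\x73\x2f\x74\x72\x61\x63\x6b',JSON.stringify(d));});
"""

if __name__ == "__main__":
    found = scan(SAMPLE_JS)
    print(json.dumps(found, indent=2))
    print("fingerprinting kit:", verdict(found))
```

Run it against JavaScript pulled from a suspect page (for example the response bodies a proxy logged for the site). The normalisation step is deliberately shallow; heavily packed scripts need a real JavaScript deobfuscator or a headless browser with API hooks, but this catches the string-splitting and escape tricks that hide names such as RTCPeerConnection from a plain grep.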
Implications and Broader Context
This campaign illustrates how Iranian cyber actors continue to refine their social engineering. The attackers populated the fake site with an entirely fictitious model profile named Shir Benzion, a persona built to draw specific targets to the page. The profile carries a link to a "private album" that is currently inactive, which suggests the site is staged for a later phase: once a visitor has been fingerprinted and judged to be of interest, that link could be armed for targeted phishing or malware delivery.
The use of such deceptive tactics is not unprecedented among Iranian cyber espionage groups. For instance, the group known as APT42, also referred to as Charming Kitten, has a documented history of impersonating journalists and human rights activists to steal credentials and access victim cloud environments. In previous campaigns, they have masqueraded as journalists from reputable news organizations, including The Washington Post, The Economist, and The Jerusalem Post, to build trust with their victims and deliver malicious content. ([cybernews.com](https://cybernews.com/news/iran-hackers-social-engineering-mandiant/?utm_source=openai))
Furthermore, Iranian hackers have been known to create fake personas, such as the case of Mia Ash, a fictitious British photographer used to engage targets in prolonged conversations before delivering malware. This level of social engineering sophistication highlights the persistent and evolving threat posed by these actors. ([wired.com](https://www.wired.com/story/iran-hackers-social-engineering-mia-ash/?utm_source=openai))
Conclusion
The impersonation of a German modeling agency by Iranian hackers shows how far these actors will go in building a convincing front: a faithfully cloned site, a fabricated persona, and a fingerprinting script that profiles every visitor before any further contact is made. The incident is a reminder that individuals and organizations likely to be of interest to state-sponsored actors should treat unsolicited links with suspicion even when the destination looks legitimate, and should consider browser hardening that limits WebRTC address exposure and canvas access, since those are the very features this script relied on.