"They are trying their best to hack me and my friends," he said in an online chat, adding that he wasn't scared because he, as well as his friends, is aware of the hackers' techniques.

Researchers at Citizen Lab and elsewhere, who worked closely with the anonymous Iranian victims, detail three types of attacks aimed at Iranian activists, as well as one against Jillian York, the Director for International Freedom of Expression at the Electronic Frontier Foundation.
Screenshot of the email sent by the hackers to Jillian York. Image: Citizen Lab
At that point, the alleged journalist "got angry" and frustrated, even demanding, "This is from my personal address! Just open it!"

"It was sort of pathetic at that point," York said, and she stopped answering the phone.

The caller, whoever he was, didn't give up easily, and called her a total of 35 times that day. In the meantime, York noticed that somebody was trying to reset her password on Facebook too.

Her case is just one of many, according to John Scott-Railton, one of the researchers who worked on the Citizen Lab report, and that's without considering the countless cases that go unreported or completely unnoticed.

The goal of all these attacks was to get the targets to a phishing page that looks a lot like a Google login page, but is actually under the control of the hackers, who monitor it in real-time. Some of the techniques used, the researcher noted, are borrowed from known attacks used with financial motivations.

"That's when I knew something weird was going on."

Some clues revealed in these attacks, such as the infrastructure behind them, link the hackers in this campaign to other previously [reported](http://www.clearskysec.com/wp-content/uploads/2015/06/Thamar-Reservoir-public1.pdf) cyberespionage operations attributed to the Iranian government, according to the report.

Moreover, some of these attacks resemble other attacks that Gharib, as well as other cybersecurity experts and Iranian activists, shared with me last year.
At the time, Amir Rashidi, a researcher on internet freedom in Iran, told me that several journalists and producers at BBC Persian had been targeted by various phishing attacks. (This was also confirmed to me by Nima Akbarpour, a producer and reporter who focuses on technology for BBC Persian.)

Ebrahim Nabavi, a famous Iranian writer, was also targeted, specifically with an email that contained a fake link to a Google document, Rashidi said. Nabavi shared some details of his attack in a post on Facebook.

Adam Meyers, a researcher at Crowdstrike, a security firm that has investigated Iranian hackers in the past, told me last year that all these attacks trace back to the same hackers, who have links to the Iranian government. Given that these attacks don't involve the use of unknown "zero-day" computer vulnerabilities, nor spyware, they might not be considered technically sophisticated. But, nonetheless, they are "effective," Meyers said.

When #Iran's cyber Army is trying to hack my friends Gmail's accounts by sending them #Phishing email. #Security pic.twitter.com/0soRoLmCBc
— Nariman Gharib (@ListenToUs) September 22, 2014
That's why Iranian activists, as well as journalists in the diaspora, should be careful, according to York.

"This attack wasn't very sophisticated. I don't think any of us fell for it," York said. "But what makes it interesting to me is how persistent the attackers are, which means they're likely to eventually snare someone, putting our entire networks at risk. We need to be vigilant."

In the meantime, everyone should turn on two-factor authentication, because "attackers have to spend much more effort to get attacks to work," Scott-Railton told me. "It makes the deception involved in phishing much harder."
