{"id":27,"date":"2021-10-14T14:36:04","date_gmt":"2021-10-14T14:36:04","guid":{"rendered":"http:\/\/pc-keeper.tech\/index.php\/2021\/10\/14\/a-telegram-bot-told-iranian-hackers-when-they-got-a-hit\/"},"modified":"2021-10-14T14:36:04","modified_gmt":"2021-10-14T14:36:04","slug":"a-telegram-bot-told-iranian-hackers-when-they-got-a-hit","status":"publish","type":"post","link":"https:\/\/pc-keeper.tech\/index.php\/2021\/10\/14\/a-telegram-bot-told-iranian-hackers-when-they-got-a-hit\/","title":{"rendered":"A Telegram Bot Told Iranian Hackers When They Got a Hit"},"content":{"rendered":"<div>\n<p><span class=\"lead-in-text-callout\">When the Iranian<\/span> hacking group APT35 wants to know if one of its digital lures has gotten a bite, all it has to do is check Telegram. Whenever someone visits one of the copycat sites they\u2019ve set up, a notification appears in a public channel on the messaging service, detailing the potential victim\u2019s IP address, location, device, browser, and more. It\u2019s not a push notification; it\u2019s a phish notification.<\/p>\n<p class=\"paywall\">Google\u2019s Threat Analysis Group outlined the novel technique as part of a broader look at APT35, also known as Charming Kitten, a state-sponsored group that has spent the last several years trying to get high-value targets to click on the wrong link and cough up their credentials. And while APT35 isn\u2019t the most successful or sophisticated threat on the international stage\u2014this is the same group, after all, that accidentally leaked hours of videos of themselves hacking\u2014their use of Telegram stands out as an innovative wrinkle that could pay dividends.<\/p>\n<p class=\"paywall\">The group uses a variety of approaches to try to get people to visit their phishing pages in the first place. 
Google outlined a few scenarios it has observed lately: the compromise of a UK university website, a fake VPN app that briefly snuck into the Google Play Store, and phishing emails in which the hackers pretend to be organizers of real conferences and attempt to entrap their marks through malicious PDFs, Dropbox links, websites, and more.<\/p>\n<p class=\"paywall\">In the case of the university website, the hackers direct potential victims to the compromised page, which encourages them to log in with the service provider of their choice\u2014everything from Gmail to Facebook to AOL is on offer\u2014to view a webinar. If you enter your credentials, they go straight to APT35, which also asks for your two-factor authentication code. Because the attacker is relaying the login in real time, a one-time code typed into the page (whether from SMS or an authenticator app) can be used against the real service before it expires; only a phishing-resistant second factor, such as a hardware security key bound to the genuine site\u2019s origin, breaks this flow. It\u2019s a technique so old it\u2019s got whiskers on it; APT35 has been running it since 2017 to target people in government, academia, national security, and more.<\/p>\n<figure class=\"AssetEmbed-cMvzne hQmqZE asset-embed\"><img decoding=\"async\" alt=\"Phishing page hosted on a compromised website\" src=\"https:\/\/media.wired.com\/photos\/616841af9344894cbd842a39\/master\/w_1600%2Cc_limit\/Untitled.png\"\/><figcaption class=\"BaseWrap-sc-TURhJ CaptionWrapper-brisHk cvqUss hvmvbn caption AssetEmbedCaption-eXYFag eyHZTf asset-embed__caption\"><span class=\"BaseWrap-sc-TURhJ BaseText-fFzBQt CaptionText-cOFJqa eTiIvU kgaXEl hTa-dbB caption__text\">Phishing page hosted on a compromised website.<\/span> <span class=\"BaseWrap-sc-TURhJ BaseText-fFzBQt CaptionCredit-cTdqxu eTiIvU borThQ iHbDSe caption__credit\">Courtesy of Google TAG<\/span><\/figcaption><\/figure>\n<p class=\"paywall\">The fake VPN isn\u2019t especially innovative, either, and Google says it booted the app from its store before anyone managed to download it. If anyone had fallen for the ruse, though\u2014or does install it on another platform where it\u2019s still available\u2014the spyware can steal call logs, texts, location data, and contacts.<\/p>\n<p class=\"paywall\">Frankly, APT35 are not exactly overachievers. While they convincingly impersonated officials from the Munich Security Conference and Think-20 Italy in recent years, that too is straight out of Phishing 101. \u201cThis is a very prolific group that has a wide target set, but that wide target set is not representative of the level of success the actor has,\u201d says Ajax Bash, security engineer at Google TAG. 
\u201cTheir success rate is actually very low.\u201d<\/p>\n<\/div>\n<p><a href=\"https:\/\/www.wired.com\/story\/apt35-iran-hackers-phishing-telegram-bot\">Source link <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>When the Iranian hacking group APT35 wants to know if one of its digital lures has gotten a bite,&hellip;<\/p>\n","protected":false},"author":1,"featured_media":28,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21,19,20],"tags":[],"class_list":["post-27","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-apt35","category-security","category-security-cyberattacks-and-hacks"],"_links":{"self":[{"href":"https:\/\/pc-keeper.tech\/index.php\/wp-json\/wp\/v2\/posts\/27","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pc-keeper.tech\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pc-keeper.tech\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pc-keeper.tech\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pc-keeper.tech\/index.php\/wp-json\/wp\/v2\/comments?post=27"}],"version-history":[{"count":0,"href":"https:\/\/pc-keeper.tech\/index.php\/wp-json\/wp\/v2\/posts\/27\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/pc-keeper.tech\/index.php\/wp-json\/wp\/v2\/media\/28"}],"wp:attachment":[{"href":"https:\/\/pc-keeper.tech\/index.php\/wp-json\/wp\/v2\/media?parent=27"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pc-keeper.tech\/index.php\/wp-json\/wp\/v2\/categories?post=27"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pc-keeper.tech\/index.php\/wp-json\/wp\/v2\/tags?post=27"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
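The visitor-alert mechanism described in the article's opening paragraph, seen from the defender's side, as an added example that is neither the article's nor Google TAG's code. The article says a Telegram bot posts each visitor's IP address, location, device and browser to a channel, but not how the phishing kit talks to Telegram; this example assumes the documented Telegram Bot API URL shape (`https://api.telegram.org/bot<token>/<method>`) and a constructed egress-proxy log format of the form `<timestamp> <source ip> <http method> <url> <status>`, and flags any internal host calling a bot endpoint, keeping only the numeric bot id (enough to report the bot) and the alert text. The sample log lines are constructed for the example and are not real traffic.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Telegram Bot API calls have the documented shape
#   https://api.telegram.org/bot<TOKEN>/<method>
# where TOKEN is "<numeric bot id>:<35-character secret>". The numeric id is
# enough to report the bot to Telegram; the secret half is deliberately dropped.
TELEGRAM_BOT_PATH = re.compile(
    r"^/bot(?P<token>\d+:[A-Za-z0-9_-]{35})/(?P<method>[A-Za-z]+)$"
)

# Constructed sample egress-proxy log lines (not real traffic). The field layout
# "<timestamp> <source ip> <http method> <url> <status>" is an assumption for this
# example. The second line mimics a hypothetical visitor alert sent by a phishing kit;
# the third shows the same bot called via POST, where the parameters sit in the body
# and are therefore invisible to a URL-only log.
SAMPLE_LOG = """\
2021-10-14T09:12:01Z 10.0.5.21 GET https://www.google.com/ 200
2021-10-14T09:12:03Z 10.0.5.21 GET https://api.telegram.org/bot123456789:AAHfq8Ab1cD2eF3gH4iJ5kL6mN7oP8qR9sT/sendMessage?chat_id=-1001234567890&text=New%20visit%20from%20203.0.113.7%20%7C%20Chrome%2094 200
2021-10-14T09:13:10Z 10.0.5.22 POST https://api.telegram.org/bot123456789:AAHfq8Ab1cD2eF3gH4iJ5kL6mN7oP8qR9sT/sendMessage 200
2021-10-14T09:14:00Z 10.0.5.23 GET https://api.telegram.org/ 200
2021-10-14T09:15:00Z 10.0.5.24 GET https://example.org/botnet-research/sendMessage 404
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src_ip: str              # internal host that spoke to the Bot API
    bot_id: str              # numeric half of the token; the secret half is not kept
    method: str              # Bot API method, e.g. sendMessage
    chat_id: Optional[str]   # destination channel/chat, if it was in the query string
    text: Optional[str]      # alert body, if it was in the query string


def parse_line(line: str) -> Optional[Finding]:
    """Return a Finding if the line is a Telegram Bot API call, else None."""
    parts = line.split(" ")
    if len(parts) != 5:
        return None
    timestamp, src_ip, _http_method, url, _status = parts
    u = urlsplit(url)
    if u.hostname != "api.telegram.org":
        return None
    m = TELEGRAM_BOT_PATH.match(u.path)
    if m is None:
        return None  # e.g. a bare hit on the API root, not a bot call
    # parse_qs already URL-decodes values; for POST requests the body is not in
    # the URL, so chat_id and text come back as None.
    query = parse_qs(u.query)
    return Finding(
        timestamp=timestamp,
        src_ip=src_ip,
        bot_id=m["token"].split(":", 1)[0],
        method=m["method"],
        chat_id=query.get("chat_id", [None])[0],
        text=query.get("text", [None])[0],
    )


def find_telegram_bot_calls(log_text: str) -> List[Finding]:
    """Scan a whole log and return every Bot API call, in log order."""
    findings = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in find_telegram_bot_calls(SAMPLE_LOG):
        print(f"{f.timestamp} {f.src_ip} -> bot {f.bot_id} {f.method} "
              f"chat={f.chat_id} text={f.text!r}")
```

The detection keys on the path shape rather than on the destination host alone, because api.telegram.org is a legitimate service that many organisations cannot simply block; what is suspicious is a web-server tier host calling a `/bot<token>/sendMessage` endpoint at all. Where the request is a POST, only the bot id and method survive in a URL-only log, so body logging (or TLS inspection) is needed to recover the alert contents, which in this scenario contain the victim's IP address and browser string.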