The report of Cyber Attack to me by Iran GOV hackers

My Gmail and some of my social network accounts were recently attacked by Iranian hackers and taken completely out of my reach. Although the stolen accounts were recovered, knowing how these kinds of cyber-attacks happen will be useful and necessary for readers.

This attack was a type of phishing or social engineering, and in some ways it was new and unique of its kind. I received a Twitter message from a colleague and friend at 3 am about the study and evaluation of a subject that was planned for release in a few days. This Twitter account really did belong to my friend, and the message was exactly about what we had talked about before.

This means the hackers had compromised my friend before planning the attack on me: not only did they have control of his account, they also knew about his conversations and connections, and they knew about our work together.

They even knew we used Google Drive to transfer working files. So they placed their phishing link on a page designed to look like Google Drive, built with Google Sites, and sent it to me over Twitter at a time when they could be sure that, after sleepless nights, I would be less careful about verifying the link.

I woke up to a phone alarm at midnight, saw my friend's message, and opened the link on my computer. The page contained a file for download. Clicking on that file took me to a page that looked as if the browser had remembered my username and password for Google Drive, and because two-step verification was active on my Gmail, it asked me to enter the passcode that had been sent to my phone in the specified field.

After a few seconds the security code arrived on my phone and I entered it, but instead of being taken to Google Drive I was returned to the Gmail home page. At that moment I realized something was not normal and that it was probably a cyber-attack. Less than 30 seconds later I learned from a support email that the hackers had changed my phone number, password and other details of my Gmail account and were trying to get into my other email and social network accounts, such as LinkedIn and Instagram.

The message sent to me by the hackers from my friend's Twitter account

Hackers' message

I immediately examined the hackers' link and at the same time contacted Google and the other services and blocked the accounts.

The hackers immediately made that page unavailable to me, but I was able to find the main address and links from cookies and the traces that were left behind.

Using HTML, JavaScript and CSS code placed in a single HTML index file, the hackers redirected the victim from the fake Google Drive page to an address obtained from a Russian link-shortening site, which in turn connected to a second, main phishing source.

Using the information from this link and by scanning the server, I tried to gain access to the server and eventually reached the hackers' main management page.

The hacking of Ahmad Batebi

The phishing page was generated by a script. This script could generate a customized phishing page for two email platforms, Yahoo and Google.

I succeeded in downloading the script that generated the phishing pages from the hackers' server.

The hackers' platform, with the script, was installed on a server running Apache version 2.4.35 with SSL and PHP version 7.2.11. The default structure of the platform's management section had been changed and customized for use as the generator of the phishing pages.

This script allowed the hackers to create a private page for a victim's Yahoo or Google email simply by entering the victim's email address into the script's fake page; that page could then receive the victim's two-step verification code and display it to the hackers in the script's management section. All of these phishing pages were based on social engineering and deceiving the victim. CSS, HTML and JavaScript code were placed in one HTML index file. This program built a page resembling Google's pages by loading some files from Google and some details of the user's Gmail account, and asked the victim for the two-step verification code. The script was written so that when a page was opened or a code was entered by the victim, the hackers were notified by email, and they immediately signed in and changed the account details before the victim could react. Here you can see one of the pages made by this script.

In the script's management section, the hackers could access information such as the victim's IP address, system configuration and browser type while observing the victim's behaviour and, from the same section, stop a phishing attack; at the same time they planned a strategy for the next attacks or changed their conditions.

The hacking of Ahmad Batebi

In the case of my Gmail, once the phishing page was opened the hackers were alerted in the script's management section and submitted my phone number to Google; since my phone number had already been found, I received the two-step verification security code. Immediately after I entered it on the phishing page, the hackers received it, asked Google's server to change the password, and took over my Gmail by changing the password. It is also not unlikely that they had stolen my password earlier by other means, or extracted it from the browser's memory at the same time.
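As an added example (not part of the original post), a small offline link-triage check of the kind that would have flagged the lure described above: a Google Sites page or a shortened link is not Google Drive, however much the page looks like it. The host lists and sample URLs are constructed for illustration; the shortener list is generic and does not name the site the hackers used.

```python
"""Offline triage of a link received in a chat, modelled on the Drive lure in this post."""
from urllib.parse import urlparse

# Hosts that legitimately serve Google Drive / Docs content.
GOOGLE_DRIVE_HOSTS = {"drive.google.com", "docs.google.com"}
# Hosts where anyone can publish a page that looks like Google's own (constructed list).
USER_PUBLISHABLE = {"sites.google.com"}
# A few common URL shorteners; a shortener hides the real destination (illustrative list).
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "clck.ru", "vk.cc"}


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: the last two labels (good enough for .com / .ru style hosts)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage_link(url: str) -> list[str]:
    """Return the reasons a link should not be trusted as a Drive share; empty means no finding."""
    p = urlparse(url if "://" in url else "http://" + url)
    host = (p.hostname or "").lower()
    findings = []
    if p.scheme != "https":
        findings.append("not https")
    if host in GOOGLE_DRIVE_HOSTS:
        return findings  # genuine Drive/Docs host
    if host in USER_PUBLISHABLE:
        findings.append("user-published page on sites.google.com, not Drive itself")
    elif host in SHORTENERS:
        findings.append("URL shortener hides the destination")
    elif ("google" in host or "drive" in host) and registrable_domain(host) != "google.com":
        findings.append(f"lookalike host {host} is not under google.com")
    else:
        findings.append(f"unexpected host {host} for a Drive share")
    return findings


def triage_chain(chain: list[str]) -> dict[str, list[str]]:
    """Triage every hop of a redirect chain captured offline (e.g. from browser history)."""
    return {u: triage_link(u) for u in chain}


if __name__ == "__main__":
    # Constructed redirect chain: Sites page -> shortener -> lookalike credential page.
    chain = ["https://sites.google.com/view/constructed-lure",
             "https://clck.ru/constructed",
             "https://drive-google.example/login"]
    for hop, reasons in triage_chain(chain).items():
        print(hop, "->", "; ".join(reasons) or "no finding")
```

The point of the check is the host, not the page's appearance: a Drive-style page served from anywhere other than drive.google.com or docs.google.com should not be given a password or a verification code.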

Among the emails on the hackers' target list were those of domestic and foreign journalists, even professors at American universities and people active in the media; some of them had not yet fallen victim to the cyber-attacks.

You can see some of the hackers' targets and victims in this video

The hackers used a VPN to stay anonymous, but some of their lapses showed that they had attacked from locations in the Pasdaran district and Jomhori street in Tehran.

Further information and details have been investigated by two security teams in the United States and Europe, and the results have been sent to the US police. Victims and people on these hackers' target list have also been notified and trained against any hacker attack.

Phishing attacks are becoming more sophisticated than before, and attackers keep upgrading their methods to stay up to date. For example, these hackers took control of a working project and used my friend and colleague as bait in the social engineering. So it is not unlikely that other people are unaware of this and become victims of hackers through others used as bait.

In any case, what makes cyber-attacks successful is human mistakes alone. Therefore, being watchful, careful and up to date with the available technology protects people against cyber-attacks better than any security software.