A multi-faceted hacking campaign has targeted high-profile individuals across the Middle East, using deceptive WhatsApp messages to steal credentials, hijack accounts, and conduct surveillance. The targets included activists, academics, a senior Lebanese cabinet minister, and the head of an Israeli drone manufacturer, revealing a broad and ambitious operation.
The attack was first brought to light by Nariman Gharib, a U.K.-based Iranian activist, who received a suspicious WhatsApp message containing a phishing link. An in-depth investigation by security researchers and journalists uncovered the campaign’s sophisticated mechanics and its success in compromising dozens of victims.
The Anatomy Of The Attack
The attackers initiated contact via WhatsApp, sending a message with a link designed to look like a legitimate communication from the messaging service. These links utilized DuckDNS, a dynamic DNS provider, to mask the true destination and lend an air of authenticity.
Upon clicking the link, victims were redirected to a meticulously crafted phishing site. Depending on the target, this site would display a fake Gmail login page or a page requesting their phone number. The goal was to trick the user into entering their username, password, and any two-factor authentication codes sent to their device, effectively giving the attackers complete access to their accounts.
Surveillance Beyond Credential Theft
The campaign went beyond simple credential theft. In some cases, the phishing link led to a fake WhatsApp-themed page displaying a QR code. The lure aimed to trick the target into scanning the code, a technique that abuses WhatsApp’s device linking feature to instantly grant the attacker full access to the victim’s account and messages.
Furthermore, analysis of the phishing site’s source code revealed that it was built to conduct active surveillance. Upon loading, the page would trigger browser notifications asking for permission to access the user’s location, camera, and microphone. If permission was granted, the page could continuously transmit the victim’s GPS coordinates and intermittently capture photos and audio recordings, turning their own device into a surveillance tool.
Unmasking The Victims
A critical error by the attackers left a server file exposed without a password. This file contained a real-time log of all data entered into the phishing site by victims, essentially acting as a keylogger. It stored over 850 records, including usernames, passwords, two-factor codes, and the device information for each target.
This exposed data allowed investigators to confirm that dozens of individuals were successfully hacked. The victim list spanned the region and included a Middle Eastern academic in national security, a senior Lebanese government official, at least one journalist, and business leaders, highlighting the campaign’s focus on influential figures.
Questions Of Attribution
The identity and motivation behind the attackers remain unclear, with evidence pointing in conflicting directions. Security experts note that the highly targeted nature of the attacks, the focus on espionage, and the social engineering techniques bear the hallmarks of a state-sponsored operation, potentially linked to Iran’s Islamic Revolutionary Guard Corps (IRGC).
Conversely, analysis of the domain infrastructure used in the campaign suggests it may be connected to a financially motivated cybercrime operation. Some of the domains were registered months in advance, a common practice for criminal groups. It is also possible that a state actor outsourced the operation to a criminal hacking group to maintain plausible deniability.
About TechCrunch
TechCrunch is a leading global publication focused on the tech industry, startups, and venture capital. Founded in 2005, it provides breaking technology news, analysis of emerging trends, and profiles of new companies and products. Its reporting often includes deep dives into cybersecurity threats and their impact on the global tech landscape.
Source: TechCrunch
