It is known that for the past five years Microsoft teams have been closely following CHARMING KITTEN, also known as APT35, Ajax Security Team and Phosphorus, because the group attacks the computer systems of businesses and governments in order to steal information.
CHARMING KITTEN is skilled, dishonest and patient. The group mostly targets personal accounts, using open-source information to spear-phish its targets. The lures include names and companies the target knows, and the attackers also use fake social media accounts and social engineering to get victims to click on attachments.
One of CHARMING KITTEN's methods is to send an email suggesting there is a problem with the victim's account and to direct the victim to domains that look almost identical to the ones the real company uses. This method has been used against social media companies such as LinkedIn, and against messaging and email providers such as Microsoft, Yahoo and Telegram. A victim who clicks the link lands on a fake login page, and any username and password entered there can be stolen. CHARMING KITTEN then accesses the victim's email account and deletes the phishing email to hide its activity.
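The lookalike domains described above can be caught before a user reaches the fake login page by comparing the registrable label of each observed domain against a list of protected brand names. The script below is an added example written for this page; it is not code from the article, from Microsoft, or from any of the companies named. The brand list, the allowlist of legitimate domains and the sample domain list are constructed for illustration (bahaius.info is the one domain the article itself names), and the homoglyph substitutions and edit-distance threshold are assumptions chosen for the demonstration, not a published detection rule.

```python
# Added example: flag lookalike (typosquat / homoglyph) domains against a
# constructed list of protected brands. Assumptions: brand keywords, allowlist,
# homoglyph table and distance threshold are all illustrative choices.

# Brand keywords a defender wants to protect (constructed list).
PROTECTED_BRANDS = ["linkedin", "microsoft", "yahoo", "telegram", "bahai"]

# Domains the brands legitimately use; anything else that matches a brand is
# suspicious. Constructed allowlist for the example.
LEGIT_DOMAINS = {"linkedin.com", "microsoft.com", "yahoo.com", "telegram.org"}

# Character sequences commonly used to imitate another letter (assumed table).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Sample domains as they might appear in proxy or DNS logs (constructed, except
# bahaius.info which the article names).
SAMPLE_DOMAINS = [
    "linkedin.com",                    # legitimate
    "linkedin-profile-security.net",   # brand embedded with extra tokens
    "rnicrosoft.com",                  # 'rn' imitating 'm'
    "yah00.com",                       # digits imitating letters
    "telegram.org",                    # legitimate
    "bahaius.info",                    # named in the article
    "example.org",                     # unrelated, must not be flagged
]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label of a domain. Simplification: does not handle
    multi-label public suffixes such as co.uk."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label: str) -> str:
    """Collapse common look-alike sequences so 'rnicrosoft' becomes 'microsoft'."""
    s = label.lower()
    for src, dst in HOMOGLYPHS:
        s = s.replace(src, dst)
    return s


def classify(domain: str, brands=PROTECTED_BRANDS, allowlist=LEGIT_DOMAINS,
             max_distance: int = 2):
    """Return a human-readable reason if the domain imitates a brand, else None."""
    if domain.lower() in allowlist:
        return None
    label = registrable_label(domain)
    norm = normalize(label)
    for brand in brands:
        if norm == brand:
            if label == brand:
                return f"exact brand '{brand}' on a domain not in the allowlist"
            return f"brand '{brand}' spelled with look-alike characters"
        if brand in norm:
            return f"brand '{brand}' embedded in label '{label}'"
        # Edit-distance catch-all; with short brands a threshold of 2 can be
        # noisy, so tune it per brand in real use.
        if levenshtein(norm, brand) <= max_distance:
            return f"label '{label}' within edit distance {max_distance} of '{brand}'"
    return None


def scan(domains):
    """Map each suspicious domain to the reason it was flagged."""
    hits = {}
    for d in domains:
        reason = classify(d)
        if reason:
            hits[d] = reason
    return hits


if __name__ == "__main__":
    for domain, reason in scan(SAMPLE_DOMAINS).items():
        print(f"{domain}: {reason}")
```

Running the script flags four of the seven sample domains and leaves the two allowlisted domains and example.org alone. In practice the brand list comes from the organization's own names and the allowlist from its registered domains; the check is cheap enough to run over every new domain seen in DNS or web-proxy logs, or over newly registered domains from certificate transparency feeds.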
Victims are sometimes also sent to sites that download a piece of malware called 'Stealer', which records the user's keystrokes and takes screenshots of their computer screen.
The fact that many targets are people of interest to the government raises the question of whether the hacking group is employed by the Iranian regime, or whether the group simply shares the government's views on human rights without being ordered by the regime.
Microsoft has often taken legal action, with success, against hacking groups' infrastructure in other countries such as Russia.
In March 2019 Microsoft named and took control of 99 domains that it believes the Iranian hacking group CHARMING KITTEN used for phishing, but the group continues to use new domains that imitate real companies to deceive victims, and Microsoft has also named these new domains in a supplementary injunction order.
One domain listed in Microsoft's newest legal action closely resembles the name of a real Iranian university, which shows that the hacking group is still targeting Iranian institutions. Another of the domains Microsoft lists, bahaius.info, is nearly identical to that of an organization for people of the Bahai faith in the US. This suggests that CHARMING KITTEN is also trying to lure religious minorities onto fake login pages, which is significant because Bahai people in Iran are also targeted by the Iranian government, again indicating that the hacking group may be taking orders from the regime.
The phishing domains listed by Microsoft can be found online in the US injunctions of March and May 2019, and if a user wants to check whether another website is being used for spear phishing, phishtank.com is a good site to help with this.