{
	"id": "c8ea7fca-86ae-454e-b765-a4456a14b61e",
	"created_at": "2026-04-06T01:29:43.767056Z",
	"updated_at": "2026-04-10T13:12:40.29665Z",
	"deleted_at": null,
	"sha1_hash": "c836fed62308657e0843bc2adabf4994e2838831",
	"title": "Two-Factor Authentication Phishing From Iran",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 579999,
	"plain_text": "Two-Factor Authentication Phishing From Iran\r\nArchived: 2026-04-06 00:42:39 UTC\r\nSummary\r\nThis report describes an elaborate phishing campaign against targets in Iran’s diaspora, and at least one Western activist. The ongoing attacks attempt to circumvent the extra protections conferred by two-factor authentication in Gmail, and rely heavily on phone-call based phishing and “real time” login attempts by the attackers. Most of the attacks begin with a phone call from a UK phone number, with attackers speaking in either English or Farsi.\r\nThe attacks point to extensive knowledge of the targets’ activities, and share infrastructure and tactics with campaigns previously linked to Iranian threat actors. We have documented a growing number of these attacks, and have received reports that we cannot confirm of targets and victims of highly similar attacks, including in Iran. The report includes extra detail to help potential targets recognize similar attacks. The report closes with some security suggestions, highlighting the importance of two-factor authentication.\r\nUpdate: Iranian Gov-Linked Media Respond to Coverage of This Report\r\nIranian media outlet Mashregh News, which is reportedly close to Iran’s intelligence and security services, published a response to the reporting around this post. The Mashregh article specifically took issue with an IB Times report that draws a connection between Citizen Lab’s report and Iran’s Revolutionary Guards. It is important to note that the Citizen Lab report does not make this attribution.\r\nThe Mashregh News report dismisses the connection made in the IB Times, and calls the link between this attack and previous phishing around the 2013 election “irrelevant.” The article also intimates that because Iranian media have previously reported on phishing attacks, the Iranian Government is not responsible.\r\nPart 1: Background\r\nWhat is Two-Factor Authentication?\r\nTwo-factor authentication (2FA) is an authentication tool used by many services to increase account security against password theft and phishing. The most commonly used form of 2FA is to send users a text message with a code once they have entered their password. The text message goes to a previously registered phone. When enabled, 2FA frustrates attackers who have simply stolen users’ passwords.\r\nImplementing 2FA raises the bar on phishing attempts: in order to work, the attacker must gain access to both the victim’s password and the single-use code. Typically codes expire quickly, presenting an additional hurdle to an attacker.\r\nAttacks on 2FA: Nothing New Under the Sun\r\nAs researchers have observed for at least a decade, a range of attacks are available against 2FA. Bruce Schneier anticipated in 2005, for example, that attackers would develop real time attacks using both man-in-the-middle attacks and attacks against devices. The “real time” phishing against 2FA that Schneier anticipated was reported at least 9 years ago.\r\nToday, researchers regularly point out the rise of “real-time” 2FA phishing, much of it in the context of online fraud. A 2013 academic article provides a systematic overview of several of these vectors. These attacks can take the form of theft of 2FA credentials from devices (e.g. “Man in the Browser” attacks), or the use of fake 2FA login pages. Some of the malware-based campaigns that target 2FA have been tracked for several years, are highly involved, and involve convincing targets to install separate Android apps to capture one-time passwords. Another category of these attacks works by exploiting phone number changes, SIM card registrations, and badly protected voicemail.\r\nIranian Phishing\r\nhttps://citizenlab.ca/2015/08/iran_two_factor_phishing/\r\nPage 1 of 10\n\nMany previous phishing campaigns have been described and linked to Iranian attackers. For example, attacks against Gmail accounts have been regularly noted, including a report on the Google Security Blog (also available in Farsi here) describing a campaign that escalated before elections in 2013. At the time, Google also linked this attack to a previous attempt to use fake SSL certificates for targeted attacks against Gmail accounts within Iran. In many other cases, Iranian attackers have coupled phishing with other forms of malware attack (see below: Not Their First Time: Links With Other Campaigns).\r\nWhile attacks against 2FA are widely documented in the context of online fraud, the rise in use of 2FA by users of free online services may be leading other categories of attackers, such as political attackers, to begin developing their own versions of these attacks.\r\nPart 2: Three “Real Time” Attacks\r\nAttack 1: “The Iran” is logging in to your account!\r\nHow Does This Attack Work?\r\nThis “real time” attack attempts to phish both the user password and the 2FA one-time code. The attacker does this by showing fraudulent pages that simulate the Gmail 2-step login process to the victim. The attacker collects the victim’s input, while simultaneously logging in to the real Gmail page. The attacker’s login attempt triggers Google to send a genuine 2FA code to the victim, which the attacker then collects and enters themselves. We have seen several versions of the attack, including one not accompanied by SMSes.\r\nAttack Narrative\r\nThis section gives a narrative of how one version of this attack unfolded. (Personally identifiable information has been redacted to protect the target’s identity.)\r\nStep 1: SMS from “Google” to create fear of an account compromise\r\nThe attack began with an early morning SMS message sent to the target. The message copied the style of Google SMS alerts and “notified” the target that there was an unexpected sign-in attempt. The sending number was unknown to the target. We believe this message was an attempt to create a pressing concern on the part of the target that a personal account had been compromised.\r\nStep 2: Immediate follow up with “Sign-in attempt” notification\r\nLess than 10 minutes after receiving the first SMS, the target received an e-mail masquerading as a Gmail log-in attempt notification. Importantly, the e-mail was carefully populated with personalized details of the target including the target’s name, e-mail, and profile picture.\r\nNotably the fake “Unexpected sign-in attempt” notification states that the attempt is from “The Iran.” For a target concerned about being hacked by groups in Iran, this could easily create a sense of concern.\r\nThe displayed message sender is also an attempt to create a lookalike for a Gmail domain.\r\nno-reply@support.qooqlemail.com\r\nWe found that this domain was used in at least one other attack of this type.\r\nStep 3: Trick target into entering password and wait for the 2FA code\r\nClicking on the “Reset Password” link yields a carefully crafted phishing page. We have partially redacted the page URL to protect the privacy of the target.\r\nhttp://login.logins-verify[dot]com/[redacted]\r\nThe page is personalized for the target, and includes the target’s e-mail address and name. It includes additional code, borrowed from Google, to create the appearance that the target is viewing a genuine Google page.\r\nEntering information in this page and clicking on “Change Password” leads to a second page that appears to be a 2FA code request.\r\nFor this attack to work, the attackers must actively monitor the phishing page. Once the target enters their password into the phishing site, the attackers likely use the credential to attempt to log in to Gmail. The attacker’s login attempt then triggers Google to send a genuine 2FA code to the target. The attackers then wait for the target to enter that code into the phishing page. Once the target enters the code, the attackers are able to take control of the account and (presumably) change the credentials.\r\nStep 4: Keep up the pressure with fake 2FA notifications\r\nIn this case, the attack failed. The target sensed something was not right and did not enter any credentials. Over the next hour, perhaps growing frustrated, the attackers sent the target a stream of fake SMS messages. These messages purported to be a Google 2FA verification code. The target received more than 10 messages in short succession. Most messages came from different numbers, all unknown to the target.\r\nWe suspect that these messages were an attempt to put psychological pressure on the target, and enhance the fiction that an attacker already had the target’s password. The attackers must have hoped that enough messages would trigger action. The final ruse failed, and the attack was unsuccessful.\r\nAttack 2: Relax, I Already Know A Lot About You\r\nHow Does This Attack Work?\r\nThis second attack, which we tie to the same actors, has similar characteristics. In this case, the bait is slightly different, involving a phone call and a proposal. The ultimate goal, again, is to convince the target to enter both their password and 2FA code.\r\nAttack Narrative\r\nStep 1: Call up target with a ‘proposal’\r\nThe attack began with a morning call from a number in the UK. A male voice spoke in Farsi under the pretext of offering a potential collaboration. The attacker mentioned that it was related to activities in which the target was involved, both on and offline. The caller, presumably one of the attackers (or a confederate), demonstrated extensive knowledge of the target’s personal hobbies and professional activities.\r\nAfter making several comments, which served to alarm rather than reassure the target, the unknown caller proposed a business project related to the target’s activities. The call ended with the caller promising to send the target a proposal.\r\nStep 2: Immediate follow up with a ‘proposal’ and a fake Google Drive link\r\nShortly after the phone call, the target received an e-mail on a personal account that was not publicly used. The e-mail continued the deception, and used the same name as the caller.\r\nThe e-mail is written in a way that roughly mimics a Google Drive shared file notification. The body text proposes a project sweetened by the promise of tens of thousands of dollars.\r\nStep 3: Trick target into entering password and wait for the 2FA code\r\nClicking on the “Document.pdf” link leads to a fake login page for Google Drive. Again, the login is pre-populated with the e-mail and name of the target, indicating a high degree of customization.\r\nThe domain of the page (logins-verify.com) is clearly an attempt at looking official, as is the excessive subdomain (again redacted to protect the identity of the target).\r\nhttp://login.setting.verification.configuration.user.action.first.step.edit.check.privacy.view.document.setting.verification.configurat\r\nverify[dot]com/[redacted]\r\nEntering text into the login page and clicking on “View Document” yields a fake 2FA authentication page.\r\nAttack 3: Just Open the File, I’m a Journalist!\r\nHow Does This Attack Work?\r\nThis attack is similar to Attack 2, although in these cases the attack masquerades as a request from a member of the media. The calls also come from UK numbers, one of which was shared across multiple attacks. One such attack targeted Jillian York, Director for International Freedom of Expression at the Electronic Frontier Foundation. She has agreed to allow us to name her and share additional details on the attack that targeted her. York is the only non-Iranian target we are aware of, and may have been included because her work includes extensive professional contact with Iranian advocacy groups.\r\nAttack Narrative\r\nStep 1: Early morning phone call\r\nJillian York of the Electronic Frontier Foundation was woken early in the morning by a phone call from a number in the UK. A male voice identified himself as a journalist with Reuters and began with small talk that indicated some knowledge of her activities. The connection was not good and the caller immediately rang back. He said there was something he wished to discuss and verified that he had the correct e-mail address for York.\r\nStep 2: Send the bait\r\nImmediately after the phone calls, York received an e-mail masquerading as sent from the Reuters news agency’s “Tech Dep” and promising an interview. The spoofed e-mail contains some errors, including the misspelling “Reutures.” The e-mail is slightly more sophisticated than those seen in earlier Google Docs style phishing from the same group.\r\nAs with the other attacks, the e-mail masquerades as a Google Docs share notification but is, in fact, a link to a phishing site, lightly disguised with a Google redirect.\r\nhttps://www.google.com/url?q=http%3A%2F%2Freuters.users.check.login.newsia[dot]my%2FDr-Check%2FAutoSecond%3FChk%3Dj5645hgfgh5gff\u0026sa=D\u0026sntz=1\u0026usg=AFQjCNF7FFFdEDdao4J8bYqow6uTZDx18w\r\nInterestingly, the text “Reutures, Tech Dep has shared the following PDF” contains a link to the following Gmail address. The same address is present in the “reply to” of the message.\r\nmailto: bijan.yazdani2002@gmail.com\r\nOther attempts also contain e-mail addresses in the e-mail body, but we are not including them to preserve the anonymity of other targets.\r\nStep 3: Keep up the pressure\r\nThe target did not immediately click the link, and the attacker, probably anxious for his effort to pay off, called back. York prudently said that if he wished to send a message it should be included in the message body.\r\nStep 4: If at first you don’t succeed\r\nThe attacker then sent a second message, this time using another name. The message contained another fake Google Doc link. This time the attacker used a different e-mail address with a western sounding name, “Alex Anderson.” The phishing link is the same as in the earlier message.\r\nThe attacker followed up with another call, further attempting to persuade York to open up the document. The efforts failed, with the attacker’s tone becoming increasingly “belligerent.”\r\n“This is from my personal address! Just open it!” - The increasingly frustrated attacker on the phone\r\nIn total, the attacker called York more than 30 times over the next day. The attack had failed.\r\nStep 5: Other avenues\r\nWhile this attack was ongoing, York’s Facebook account was targeted with password reset attempts. As the attacker did not control her recovery e-mail accounts, the attempts failed.\r\nPart 4: The Attacker? Many Clues\r\nThe attacks we have reported here stand out by virtue of both the extensive effort expended by the attackers, and their seemingly detailed knowledge of the public and private activities of their targets. We have observed this campaign over several months, and note that it has undergone slight evolution.\r\nPhishing Infrastructure\r\nThe attacks share a wide range of features, and in some cases the same domain. A key feature of the domain registrations is impersonating the WHOIS for Google. For example, Attacks 1 and 2 both use the domain “logins-verify[dot]com”.\r\nWhois for logins-verify[dot]com\r\nDate Checked: 2015-06-28\r\nRegistrant: Google Inc.\r\nRegistrar: Onlinenic Inc\r\nCreated: 2015-06-27T04:00:00+00:00\r\nUpdated: 2015-06-27T03:27:15+00:00\r\nExpires: 2016-06-27T04:00:00+00:00\r\nName Servers: ns1.dns-diy.net, ns2.dns-diy.net\r\nEmail: gmail-aduse@google.com (a,t,r)\r\nName: MarkMonitor, Inc. (a,t,r)\r\nOrganization: Google Inc. (a,t,r)\r\nStreet: 1600 Amphitheatre Parkway (a,t,r)\r\nCity: Mountain View (a,t,r)\r\nState: CA (a,t,r)\r\nPostal: 94043 (a,t,r)\r\nCountry: US (a,t,r)\r\nPhone: 16502530000 (a,t,r)\r\nFax: 16506188571 (a,t,r)\r\nNotably, however, the WHOIS record contains an interesting typo:\r\ngmail-aduse@google.com\r\nWe found that this misspelled e-mail was also used to register a range of other domains with an apparent phishing focus:\r\nDomain | IP | IP Organization | Org Country\r\nservice-logins[.]com | 162.222.194.51 | GLOBAL LAYER BV | US\r\nlogins-verify[.]com | 162.222.194.51 | GLOBAL LAYER BV | US\r\nsignin-verify[.]com | 141.105.65.57 | Mir Telematiki Ltd | RU\r\nlogin-users[.]com | 31.192.105.10 | Dedicated servers Hostkey.com | RU\r\naccount-user[.]com | 141.105.66.60 | Mir Telematiki Ltd | RU\r\nsignin-users[.]com | 162.222.194.51 | GLOBAL LAYER BV | US\r\nsigns-service[.]com | 141.105.68.8 | hostkey network | RU\r\nMeanwhile, other attacks similar to Attack 1 (but not described in detail above) use a similar-looking domain to host an identical phishing page.\r\nservices-mails[dot]com\r\nMany of the attacks disguise the phishing page URL by using a redirect through Google.\r\nhttps://www.google.com/url?q=http%3A%2F%2Fservices-mails.com%2F[REDACTED]\r\nThe WHOIS for this domain also contains a fake Google registration, although it lacks the misspelling found in the other domains. Currently, the domain resolves to the following:\r\nDomain | IP | IP Organization | Org Country\r\nservices-mails[.]com | 134.19.181.85 | GLOBAL LAYER BV | NL\r\nFinally, the phishing site described in Attack 3 appears, unlike the others, to be a compromised domain belonging to a Malaysian company that provides bus services in Southeast Asia.\r\nreuters.users.check.login.newsia.my\r\nE-mails\r\nMany, but not all, of the attacks spoofed the domains of legitimate sites. The attackers appear to be using a PHP mail script loaded onto compromised websites. For example, many attacks used the website of a Texas lawyer specializing in injuries during birth. We contacted the firm, and they deleted the malicious scripts and updated their site.\r\nIn other cases, the attackers seem to have used lookalike domains in the reply-to, like:\r\nqooqlemail.com\r\nAlthough we were not able to confirm whether the attackers control this domain, the WHOIS for this domain may represent an interesting avenue for future research:\r\nRegistrant Name: Ali Mamedov\r\nRegistrant Organization: Private person\r\nRegistrant Street: versan 9, 16/7\r\nRegistrant City: Kemerovo\r\nRegistrant State/Province: other\r\nRegistrant Postal Code: 110374\r\nRegistrant Country: RU\r\nRegistrant Phone: +7.4927722884\r\nRegistrant Email: kavaliulinovich@gmail.com\r\nThe e-mail address:\r\nkavaliulinovich@gmail.com\r\nhas been previously associated with another potential phishing domain:\r\nbluehostsupport.com\r\nFinally, several of the messages came from e-mail accounts hosted on free mail services, like Gmail. For example:\r\nbijan.yazdani2002@gmail.com\r\nInterestingly, some of the addresses used in the phishing campaign are associated with active (although likely fraudulent) social media profiles.\r\nNot Their First Time: Links With Other Campaigns\r\nThe misspelling in the WHOIS record also directed us towards previous reports:\r\nThe ClearSky Sec report notes other attacks described by security companies with similarities in practices used by attackers (but not always similarities in infrastructure). These include:\r\nInterestingly, the shared connections, tools, techniques and practices across threat groups do not necessarily indicate collaboration, or conclusive attribution. It may be that these threat actors actively share techniques and practices that work.\r\nThis report expands on what is known about the targets of interest to this group, and further indicates an interest in Iranians in the diaspora, and particularly those who are activists.\r\nConclusion\r\nTwo-factor authentication won’t eliminate phishing, but this case shows how it increases the time and effort attackers must expend. In this case, attackers had to phish two pieces of information: the password and the two-factor authentication code. The deception had to last through an entire falsified login flow. This approach required a more involved deception than a simple one-off phish, which the attackers may have learned through trial and error. Moreover, they had to phish in “real time,” given the expiration time of the two-factor authentication code. The effort involved suggests that, without serious automation, this attack technique will not scale well.\r\nThe attack also revealed several telling details about these attackers that complement previous reports. First, the attackers have targets that extend beyond the groups mentioned in reports by ClearSky and Trend Micro, and into activist circles. Second, these attackers have clearly conducted some detailed research into their targets’ activities, further suggesting a highly targeted attack.\r\nAlthough “real time” attacks against two-factor authentication have been described for at least a decade, there are few public reports of such attacks against political targets. It may be that, as a growing number of potential targets have begun using two-factor authentication on their e-mail accounts out of a concern for their security, politically-motivated attackers are borrowing from a playbook that financial criminals have written over the past decade.\r\nPractical Note: Two Steps Attackers Hate!\r\nUse Two Factor Authentication\r\nThe extra deception that the attackers were forced to use in these cases was spotted by those who shared attacks with us. By using two-factor authentication and staying vigilant, the targets stayed safer. Implementing two-factor authentication on all of your accounts is an important security step for everyone. Click here for a comprehensive list of two-factor authentication providers. Google also recommends that, for increased security, you use the Google Authenticator App over the text-message based approach. Click here for a guide to setting up the Google Authenticator App.\r\nIf you want to take the next step and prevent this whole class of phishing, consider investing in an inexpensive U2F Key to use with compatible online accounts.\r\nOne Quick Check to Spot These (More Obvious) Fakes!\r\nWhen you are logging into Gmail or other mail services you should always see “https://www.accounts.google.com” or similar at the front of the webpage URL. Here is a real Gmail login (left) and a fake login page (right).\r\nSome fakes won’t be so sloppy. Some attackers may get a certificate for a malicious domain, and it is possible (although difficult to do and hide) to get a fraudulent certificate for a major domain. Still, looking to make sure the base domain is correct is a simple practice worth following.\r\nSpecial Thanks\r\nThe anonymous targets who have generously shared these materials with us; Jillian York (EFF); Citizen Lab colleagues including Morgan Marquis-Boire, Masashi Crete-Nishihata, Bill Marczak, Ron Deibert, Irene Poetranto, Adam Senft, and Sarah McKune; Gary Belvin (Google) and Justin Kosslyn (Google Ideas); Cyber Arabs; Jordan Berry, Nart Villeneuve; and two anonymous colleagues.\r\nThanks also to Frederic Jacobs who suggested a change to the wording of the HTTPS check text.\r\nSource: https://citizenlab.ca/2015/08/iran_two_factor_phishing/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://citizenlab.ca/2015/08/iran_two_factor_phishing/"
	],
	"report_names": [
		"iran_two_factor_phishing"
	],
	"threat_actors": [
		{
			"id": "dfee8b2e-d6b9-4143-a0d9-ca39396dd3bf",
			"created_at": "2022-10-25T16:07:24.467088Z",
			"updated_at": "2026-04-10T02:00:05.000485Z",
			"deleted_at": null,
			"main_name": "Circles",
			"aliases": [],
			"source_name": "ETDA:Circles",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438983,
	"ts_updated_at": 1775826760,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c836fed62308657e0843bc2adabf4994e2838831.pdf",
		"text": "https://archive.orkl.eu/c836fed62308657e0843bc2adabf4994e2838831.txt",
		"img": "https://archive.orkl.eu/c836fed62308657e0843bc2adabf4994e2838831.jpg"
	}
}