According to a recent report, an Iranian APT group has been speckled creating a spoofing website. For this, they are using a cybersecurity company that is outed. They are doing this as a lure.
Charming Kitten has been in operation since 2014, and its activities were laid bare in a December report by Israeli security vendor Clearsky Security.
The firm claimed that they had got more than 85 IP addresses, 240 malicious domains, hundreds of hosts, any type of fake entities and even potentially thousands of users that are the linked to this group.
This week, in a series of tweets the company declared that it had searched the same group build-up a fraud website that is developed to capitalize on interest in the vendor’s findings.
It said that this infected website is clearsky security\.net and the real site is http://clearskysec.com.
The firm said that they are copied some of the pages from their public website and modified one of them to comes with a ‘sign in’ option with any type of services.
These provided sign-in options are all come from infected pages that would send the essential user details to the hackers. Their valuable website is not providing any type of sign in option. It seems that the impersonating site is still being generated because some of the pages are showing error messages in them.
According to the firm, in all of them, one of the infected pages even displayed content of a previously outed Charming Kitten campaigns.
In all of them, the group is just one of an increasing list of Iranian APT groups most likely backed by the government. These come with APT34, observed most updated by FireEye back in December. It will target the governments in the Middle East.
Also notable is the CopyKittens group recognized by Clearsky and Trend Micro. Dating back to 2013 it’s focused on stealing data from Western and Middle Eastern government, defense and academic companies via custom and commercial tools.