Google said that it has delivered over 50,000 warnings to users whose accounts have been targeted by government-sponsored phishing or malware attempts thus far in 2021, a nearly 33% increase over the same period in 2020.
The company stated that it delivers these alerts in batches to all customers who may be in danger, rather than immediately upon detection of a threat, in order to prevent attackers from tracking defensive methods.
“On any given day, TAG is tracking more than 270 targeted or government-backed attacker groups from more than 50 countries. This means that there is typically more than one threat actor behind the warnings,” Google said in a blogpost.
According to the blog post, the company disrupted many major attacks this year by a different government-backed attacker — APT35 — an Iranian gang that regularly conducts phishing campaigns targeting high-risk customers.
For years, this group has employed account hijacking, malware deployment, and innovative ways to undertake espionage in support of the Iranian government’s interests, the company stated.
APT35 infiltrated a website associated with a UK institution in early 2021 to host a phishing kit. To harvest credentials for platforms such as Gmail, Hotmail, and Yahoo, attackers sent email messages with links to this website.
By logging in, users were asked to activate an invitation to a (false) webinar. Additionally, the phishing kit will request second-factor authentication codes to be transmitted to devices.
Since 2017, APT35 has used this technique to target high-value accounts in government, academia, journalism, non-governmental organizations, foreign policy, and national security.
Credential phishing via a hijacked website highlights how far attackers will go to appear legitimate – as they are well aware of how difficult it is for consumers to identify this type of attack.
Google spotted APT35 attempting to upload spyware to the Google Play Store last May. The app was disguised as VPN software and, once installed, was capable of stealing sensitive data from smartphones, including call logs, text messages, contacts, and location data.
Google promptly identified the app and removed it from the Play Store before any customers could install it.