Google Reports ‘Political’ Phishing Attacks In Iran

By | June 13, 2013

Posted in: Network Security Trends

Phishing attacks in Iran have spiked dramatically in recent weeks and appear to be related to the country's presidential elections tomorrow (Friday, June 14), Google said this week.

Eric Grosse, vice president of security engineering, said in a blog post that over the last three weeks the company had detected and disrupted “multiple email-based phishing campaigns aimed at compromising the accounts owned by tens of thousands of Iranian users. These campaigns, which originate from within Iran, represent a significant jump in the overall volume of phishing activity in the region. The timing and targeting of the campaigns suggest that the attacks are politically motivated in connection with the Iranian presidential election on Friday.”

Grosse said the Chrome browser had previously helped to detect that the same group – which he did not name but hinted was “state-backed” – was using SSL certificates to conduct attacks targeting users within Iran.

“In this case, the phishing technique we detected is more routine: users receive an email containing a link to a web page that purports to provide a way to perform account maintenance,” he said. “If the user clicks the link, they see a fake Google sign-in page that will steal their username and password.”

Grosse said Google notified users of state-sponsored attacks and other suspicious activity and took “appropriate actions to limit the impact of these attacks on our users. Especially if you are in Iran, we encourage you to take extra steps to protect your account.”

He said using a modern browser like Chrome and enabling two-step verification would help users protect themselves. “Also, before typing your Google password, always verify that the URL in the address bar of your browser begins with If the website’s address does not match this text, please don’t enter your Google password.”

Grosse’s blog post this week followed one on June 5 in which he said Google was providing toolbar warnings saying “We believe state-sponsored attackers may be attempting to compromise your account” to a subset of users who were the targets of such attacks.

“If you see this warning it does not necessarily mean that your account has been hijacked,” Grosse said at the time. “It just means that we believe you may be a target, of phishing or malware for example, and that you should take immediate steps to secure your account.”

He added: “You might ask how we know this activity is state-sponsored. We can’t go into the details without giving away information that would be helpful to these bad actors, but our detailed analysis—as well as victim reports—strongly suggest the involvement of states or groups that are state-sponsored.”
