Mossad fake job site network targeting Iranian spies

The job hunters at VIP Human Solutions have a unique goal for those working in sensitive security jobs in Hezbollah and the Assad regime: come work for us in Israel.

Beneath an image of the Israeli flag and a contact number with Israel’s country code, the VIP Human Solutions website advertises itself as a “VIP center for recruiting the best personnel in the Syrian army and security services.” and Hezbollah in Lebanon” which “specializes in research and consulting in political science and security studies anywhere in the world. “For those with the right experience, headhunters Human Solutions people promise fast recruitment and high pay.

The VIP Human Solutions website is one of 16 such websites using the same pitch, phrase, logo, phone number, and for some of the web infrastructure over the past four years to solicit ex-spies and soldiers in Iran, Syria and Hezbollah. to work for Israel. Intelligence experts say the crude and clumsy websites are fake, with no legitimate connection to Israeli spy services. But bogus employer websites persist, rise and disappear at several organizers during the same 4-year period to pitch to Internet users in Iran, Syria, and Lebanon through Google Ads.

The Daily Beast cannot attribute job sites to any particular agent or determine their true purpose.. But at least one group of Iran-focused cybersecurity researchers say they suspect the intelligence job sites are part of a counterintelligence effort run by operators with ties to Iran.

Amin Sabeti, a cybersecurity expert and director of Computer Emergency Response Team in Farsi (CERTFA), believes that job sites are “a honey trap by [Iranian] regime to identify potential people who want to work with foreign intelligence agencies. ”

They also went unnoticed in Iran, where social media users expressed anger and confusion at being targeted by Google Ads for recruitment from one of Tehran’s rivals.

The Daily Beast found these sites as part of an investigation into a series of fraudulent websites that apparently masqueraded as think tanks and news organizations focused on the Middle East and national security. . Those sites include domains intended to trick users into believing they are affiliated with consulting organizations such as the Quincy Institute for Responsible Planning, the Stimson Center, the Gatestone Institute, and the Begin-Sadat Center based. in Israel and news agencies such as Jerusalem Post, Business Insider and based in the United Arab Emirates Khaleej . Times.

Neither The Daily Beast, the cybersecurity company Mandiant, nor Google or Facebook, where the sites have accounts, can determine who is behind the phishing domains. Telegram, the company that hosts messaging accounts for fake job sites, did not respond to questions from The Daily Beast.

However, think tanks and news scam websites share at least some behavioral similarities with a previously documented phishing campaign conducted by an attack group linked to Iranian intelligence. act, according to cybersecurity experts.

Email link

The Daily Beast found scam domains and job sites after Lahav Harkov, Jerusalem Postdiplomatic correspondentt, warned Twitter users in December 2021 that a fake domain mimicking the Israeli newspaper’s website was sending emails in her name. The emails, shared by the reporter with The Daily Beast, use scrap English to reach Iran-focused academics and attempt to set up interviews with the fake Post reporter on topics like such “Gulf countries have a desire to normalize relations with Israel!”

By sifting through a list of sites using the same somewhat unique commercial website service template found on the fake Jerusalem Post site, The Daily Beast was able to find several similar-themed fakes.

Only two other sites share the same IP address as the fake site Jerusalem Post domain — a similar spoof of Khaleej . Times, a newspaper of the United Arab Emirates and an apparently fake login website for Google Drive.

Fake Jerusalem Postthe site’s email provider, the website’s domain registrar, and the name server provider — which is used to resolve site names to IP addresses — are all provided by popular commercial companies. Thousands of legitimate websites use the services of each of these companies, but a search of DomainTools’ IRIS cybersecurity database revealed only 68 sites currently using the same combination of the three companies’ services. that company.

Of that set of 68 websites, most are legitimate, but a few — all hosted by a Bulgarian web hosting company called Belcloud — are suspicious and potentially malicious — including fake sites for Middle East and news organizations, security-focused news organizations, and VIP Human Solutions job sites.

Belcloud did not respond to questions from The Daily Beast during publication.

Three of the fake think tank sites — spoofing Quincy, Gatestone, and Begin-Sadat hub — are hosted at the same IP address with slightly misspelled URLs or different top-level domains (eg. e.g. copy the name of the site on the .org .net domain instead).

Other apparent phishing domains, like the fake Business Insider domain created in July 2020, briefly shared the same IP address at Belcloud with the fake Quincy Institute domain.

The Daily Beast shared its research with cybersecurity firm Mandiant. In a statement, the company said it could not say who was behind the phishing websites but did note that some “activity reflects [tactics, techniques, and procedures] we are most closely associated with the threat agent UNC788,” a designation for a hacking operation is believed to be related with the Iranian Ministry of Intelligence and Security.

In 2020, cybersecurity researchers at CERTFA discovered an attempt according to what it concluded were hackers affiliated with the Ministry of Intelligence and Security, “targeting journalists, political and human rights activists” with a similar tactic to stage an interview sent by an impostor Post reporter, Harkov. CERTFA researchers found that hackers would use interviewing to build trust with a target before sending a fake Google login page to trick recipients into revealing their password.

Like the fake advisory agencies and news sites discovered by The Daily Beast, the sites CERTFA found in 2020 were also hosted at Belcloud. One of the phishing domains found on Belcloud by CERTFA and linked to Iranian intelligence — the fake Google Drive login site — was recently hosted at the same IP address as the fake domain Jerusalem Post and Khaleej . Times site — although The Daily Beast was unable to determine whether the site was still operated by the same owner who ran it as the researchers linked it to Iran.

While The Daily Beast and Mandiant were both unable to attribute the sites to any individual, group or country, Sabeti said he personally believes they are the work of “Charming Kitten,” the hacking group’s nickname. Iran-linked is known to target Western officials, journalists, dissidents, and human rights activists and believes areas show the group has “increased the reach of its targets.” and its activities in recent months”.

Head hunter?

The Human Solutions VIP site, although not hosted on Belcloud, uses the same type of consumer infrastructure choice as phishing domains. And since 2018, at least 16 similar job sites have used the same logos and touted language to try to recruit former spies and military personnel in Iran, Syria and Hezbollah for the purpose of becoming an Israeli “consulting” firm.

It’s not clear if all the websites are run by the same organization, but some of them share the same Google Analytics account (used to track web traffic) and some of them. web page that lists the same Israel-based Telegram accounts and phone numbers for subscribers to reach them.

The first iteration of the VIP Human Solutions branded site came out in 2018 and came with a linked Facebook page and YouTube account promoting high-paying “consulting” jobs to veterans. Iran’s intelligence, cyber security and cyber security. After The Daily Beast shared its findings with Facebook, the company removed the page pending identity verification but could not attribute it to any particular actor.

It is not clear what the purpose of these websites is, but intelligence experts suspect that Israel’s intelligence agencies have anything to do with them because of their widespread, undisciplined and amateurish pitch.

Douglas London, a 34-year veteran of the CIA’s secret service and the author of Recruiter, a recent memoir about his career in espionage and the Middle East, told The Daily Beast that it is unlikely the site was run by Israeli intelligence.

“On the surface, I doubt that this is the job of any sophisticated intelligence agency, let alone Israel. They don’t have to do this,” London said.

“In the age of the Internet, where you have LinkedIn or Indeed.com, any complex service has access to it, either directly or indirectly. A potential target might already have their background there, and intelligence services could use computers to sift through that information. “

London also pointed out that Israeli associations blatantly advertised on the pages contrary to public statements about how Israeli intelligence agencies often recruit spies in Arab countries and Iran.

“Israel tends to use a lot of false flag recruitment to disguise the fact that the targets are working for Israel. They pretend to be American, British or Canadian because Arabs and Iranians working for Americans are more appetizing.”

Sabeti, the director of CERTFA, said what was even more strange was that Iran did not block them. “Many Israeli websites are blocked in Iran, and it would be odd if a site trying to recruit spies from Iran is not.”

The Iranian authorities had plenty of time and opportunity to notice the websites and block them if they wanted to. Social media users in Iran have frequently posted about their embarrassment at Google Ads for websites, and Mashregh News, an Iranian news outlet close to the country’s military and intelligence facilities, has published published an article about them in December 2020, speculating that they were a Mossad trying to recruit Iranian spies on illegal gaming and gambling apps.

Whoever is behind the effort is thinly veiled, they are not talking. The Daily Beast has reached out to the sites through submission forms, WhatsApp and Telegram messages but has not received a response.