Microsoft has taken control of 99 websites belonging to an Iranian threat group it tracks as Phosphorus, also known as APT 35, Charming Kitten and Ajax Security Team.
The action, taken by Microsoft’s Digital Crimes Unit in conjunction with law enforcement, shut down the sites so the group can no longer use them to run its attacks. Microsoft filed its case against Phosphorus in the U.S. District Court for Washington D.C., which issued a court order allowing the company to take over the domains.
Microsoft’s Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) have been tracking Phosphorus since 2013.
Phosphorus’s goal is to gain access to the computer systems of businesses and government agencies and steal sensitive information. Its targets also include activists and journalists who focus on the Middle East.
Phosphorus typically attempts to compromise the personal accounts of individuals through spear-phishing, using social engineering to entice someone to click on a link, sometimes sent through fake social media accounts that appear to belong to friendly contacts. The link leads to malicious software that, once run, gives Phosphorus access to the victim’s computer systems.
“Phosphorus also sends out emails that make it seem as if there’s a security risk to a user’s account, prompting them to enter their credentials into a web form that enables the group to capture their passwords and gain access to their systems,” said Tom Burt, Microsoft corporate vice president for customer security and trust, in a post.
“Both attack methods employ the use of websites that incorporate the names of well-known brands, like Microsoft, to appear authentic. Websites registered and used by Phosphorus include, for example, outlook-verify.net, yahoo-verify.net, verification-live.com, and myaccount-services.net,” he said.
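The domains quoted above share a pattern a defender can hunt for in resolver logs: a well-known brand name glued to a "verify"/"services"-style lure under a registrable domain the brand does not own. The following is an added example, not Microsoft's code or anything from the DCU/MSTIC tooling. It tokenizes each queried hostname, flags any that contain a brand token but whose registrable domain is not on an allow-list, and runs that over a few constructed DNS log lines containing the four Phosphorus domains from the article. The brand list, allow-list and log format are assumptions made for the example.

```python
import re

# Brand tokens to watch for. "microsoft", "outlook", "yahoo" come from the article;
# "live" and "myaccount" are added so the quoted Phosphorus domains match (assumption).
BRAND_TOKENS = {"microsoft", "outlook", "yahoo", "live", "myaccount"}

# Registrable domains the brands legitimately use. Constructed allow-list for this
# example; a real deployment would maintain this from authoritative records.
LEGIT_DOMAINS = {"microsoft.com", "microsoftonline.com", "outlook.com",
                 "live.com", "yahoo.com", "office.com"}

# Constructed resolver log (not a real capture). Format is an assumption:
# <timestamp> client=<ip> query=<hostname> type=<rrtype>
DNS_LOG = """\
2019-03-27T10:15:22Z client=10.0.0.5 query=outlook-verify.net type=A
2019-03-27T10:15:40Z client=10.0.0.5 query=login.live.com type=A
2019-03-27T10:16:03Z client=10.0.0.9 query=yahoo-verify.net type=A
2019-03-27T10:16:30Z client=10.0.0.12 query=verification-live.com type=A
2019-03-27T10:17:01Z client=10.0.0.12 query=myaccount-services.net type=A
2019-03-27T10:17:15Z client=10.0.0.7 query=www.example.org type=A
"""

LOG_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<host>\S+)")


def registrable_domain(hostname):
    """Return the last two labels, e.g. 'outlook-verify.net'.
    Assumption: two-label public suffixes such as co.uk are not handled here."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def tokens(hostname):
    """Split a hostname into alphabetic tokens on dots, hyphens and digits,
    so 'outlook-verify.net' -> {'outlook', 'verify', 'net'}."""
    return {t for t in re.split(r"[.\-\d]+", hostname.lower()) if t}


def classify(hostname):
    """Return (verdict, matched_brands).
    'legit'     - registrable domain is on the allow-list
    'lookalike' - not on the allow-list but carries a brand token anywhere
    'other'     - neither"""
    if registrable_domain(hostname) in LEGIT_DOMAINS:
        return "legit", []
    brands = sorted(tokens(hostname) & BRAND_TOKENS)
    if brands:
        return "lookalike", brands
    return "other", []


def scan_dns_log(log_text):
    """Yield (client, hostname, brands) for every lookalike query in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        verdict, brands = classify(m.group("host"))
        if verdict == "lookalike":
            hits.append((m.group("client"), m.group("host"), brands))
    return hits


if __name__ == "__main__":
    for client, host, brands in scan_dns_log(DNS_LOG):
        print(f"{client} queried {host} (brand tokens: {', '.join(brands)})")
```

Token matching is exact rather than substring so that "live" does not fire on words such as "delivery"; the cost is that a hostname like "microsoft365-verify.net" needs "microsoft365" (or a split on digits, which the tokenizer already does) before it matches. Whole-hostname tokens are checked, not just the registrable label, so brand names planted in a subdomain of an unrelated domain are also caught.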
By taking over the sites, Microsoft was able to redirect traffic from infected devices to the Digital Crimes Unit’s sinkhole. The intelligence collected from this sinkhole will be added to MSTIC’s existing knowledge of Phosphorus and shared with Microsoft security products.