An apparent hack-for-hire campaign likely orchestrated by a threat actor with suspected ties to the Indian government targeted journalists, activists, and government officials across the Middle East and North Africa (MENA), according to findings from Access Now, Lookout, and SMEX.
Two of the targets included prominent Egyptian journalists and government critics, Mostafa Al-A’sar and Ahmed Eltantawy, who were at the receiving end of a series of spear-phishing attacks that sought to compromise their Apple and Google accounts in October 2023 and January 2024 by directing them to fake pages that tricked them into entering their credentials and two-factor authentication (2FA) codes.
“The attacks were carried out from 2023 to 2024, and both targets are prominent critics of the Egyptian government who have previously faced political imprisonment; one of them was previously targeted with spyware,” Access Now’s Digital Security Helpline said.
Also singled out as part of these efforts was an anonymous Lebanese journalist, who received phishing messages in May 2025 through the Apple Messages app and WhatsApp containing malicious links that, when clicked, tricked users into entering their account credentials as part of a supposed verification step from Apple.
“The phishing campaign included persistent attacks via iMessage/Apple Messenger and WhatsApp app, […] impersonating Apple Support,” SMEX, a digital rights non-profit in the West Asia and North Africa (WANA) region, said. “While the main focus of this campaign appears to be Apple services, evidence suggests that other messaging platforms, namely Telegram and Signal, were also targeted.”
In the case of Al-A’sar, the spear-phishing attack aimed at compromising his Google account began with a LinkedIn message from a sock puppet persona named “Haifa Kareem,” who approached him with a job opportunity. After the journalist shared their mobile number and email address with the LinkedIn user, he received an email from the latter on January 24, 2024, instructing him to join a Zoom call by clicking on a link shortened using Rebrandly.
The URL is assessed to be a consent-based phishing attack that leverages Google’s OAuth 2.0 to grant the attacker unauthorized access to the victim’s account through a malicious web application named “en-account.info.”
“Unlike the previous attack, where the attacker impersonated an Apple account login and used a fake domain, this attack employs OAuth consent to leverage legitimate Google assets to deceive targets into providing their credentials,” Access Now said.
“If the targeted user is not logged in to Google, they are prompted to enter their credentials (username and password). More commonly, if the user is already logged in, they are prompted to grant permission to an application that the attacker controls, using a third-party sign-in feature that is familiar to most Google users.”
Some of the domains used in these phishing attacks are listed…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
