Microsoft's Digital Crimes Unit has obtained a court order allowing it to take control of 99 domains used by the Iran-connected Advanced Persistent Threat (APT) 35 hacking group, also known as Phosphorus, which used them to host phishing sites targeting activists and journalists.
Tom Burt, Microsoft's head of customer security and trust, said a United States district court had granted the company the right to take control of the phishing sites used by Phosphorus.
Its Digital Crimes Unit is now able to redirect traffic that infected devices send to the 99 domains into a sinkhole, allowing it to analyse the incoming data and share the resulting threat intelligence, Burt said.
The domain names registered by Phosphorus, also known as Charming Kitten and Ajax Security Team, mimic Microsoft and other well-known brands to appear authentic.
Outlook-verify.net, yahoo-verify.net, verification-live.com and myaccount-services.net are among the Phosphorus phishing domains that a Washington district court ordered registries such as Verisign, Afilias and Neustar to hand over to Microsoft.
Phosphorus has been tracked by Microsoft's DCU and Threat Intelligence Centre since 2013 and uses spear phishing to compromise individuals' personal accounts.
Phosphorus uses social engineering techniques, including fake social media accounts, to trick people into clicking on links that download malware onto their computers.
The hacking group also sends out emails to victims, warning of a purported security issue affecting their accounts.
Victims are asked to enter their account credentials into a web form, which allows Phosphorus to capture their usernames and passwords.
The DCU has used the domain takeover approach 15 times in the past, Burt said.
Before Phosphorus, Microsoft used the same approach last year to disrupt APT 28, a group linked to Russia.