Iranian APT42 Hackers Target WhatsApp Users – Beware of Scams

August 27, 2024



TLDR:

Facebook’s security teams blocked WhatsApp accounts posing as tech companies’ support agents after investigating user reports, linking the activity to Iranian threat actor APT42. The accounts targeted individuals in Israel, Palestine, Iran, the US, and the UK, focusing on political and diplomatic officials. APT42 has previously targeted individuals in the Middle East and politicians worldwide. Facebook took down the malicious accounts and encouraged users to stay vigilant and report suspicious activity.

Article:

Facebook’s security teams recently blocked a small cluster of WhatsApp accounts posing as tech companies’ support agents after investigating user reports. The malicious activity, which originated in Iran, attempted to target individuals in Israel, Palestine, Iran, the US, and the UK, focusing on political and diplomatic officials and other public figures, including some associated with the administrations of President Biden and former President Trump. The investigation linked the activity to APT42 (also known as UNC788 and Mint Sandstorm), an Iranian threat actor known for its persistent phishing campaigns across the internet. APT42 has previously targeted people in the Middle East, including members of the Saudi military, dissidents, and human rights activists from Israel and Iran, as well as politicians in the US and Iran-focused academics, activists, and journalists around the world.

The suspicious WhatsApp accounts posed as technical support for AOL, Google, Yahoo, and Microsoft. Some of the targeted individuals reported these messages to WhatsApp using the app’s built-in reporting tools, enabling the company to investigate the campaign and link it to APT42. Facebook has not seen evidence that the targeted WhatsApp accounts were compromised, but it has encouraged those who reported the suspicious activity to take steps to ensure their online accounts are safe. As a precautionary measure, given the heightened threat environment ahead of the US election, Facebook has shared information about this malicious activity with law enforcement and presidential campaigns.

Facebook continues to monitor information from industry peers, internal investigations, and user reports, and has promised to take action if further attempts by malicious actors to target people on its apps are detected. The company strongly encourages public figures, journalists, political candidates, and campaigns to remain vigilant, take advantage of privacy and security settings, avoid engaging with messages from unknown individuals, and report suspicious activity. When disrupting these operations, Facebook takes down the malicious accounts, blocks their domains from being shared on the platform, and notifies people believed to have been targeted by these groups.
