Iranian Spear-Phishing Operation Targets Former Israeli and US High-Ranking Officials – Check Point Research

Summary: Check Point Research exposes an Iranian-backed spear-phishing operation targeting former Israeli officials and other high-ranking figures. It combines a custom phishing infrastructure built around Litby[.]us, a fake URL shortener, with takeovers of victims' inboxes to steal credentials and identity documents; the flow also passes targets through an identity-verification step (validation.com) as the pretext for collecting documents. Cases described include Tzipi Livni and a former US ambassador who chairs a think tank, and the activity is linked to the Phosphorus APT via the de-ma[.]online domain.

Keypoints

  • The campaign is Iranian-backed and targets high-profile Israeli officials and think-tank figures, using spear-phishing to gain access to their inboxes.
  • A custom fake URL shortener, Litby[.]us, sits at the center of the phishing infrastructure; it disguises the links in the lures and routes each victim through a chain of redirects.
  • The attackers took over some victims' inboxes and continued existing email threads, so the phishing arrived inside a conversation the target already trusted and the attack could escalate from that familiar context.
  • The lure extends to an identity-verification step (validation.com) that asks the target to prove who they are, a pretext for harvesting credentials or identity documents.
  • Case studies include attempts against Tzipi Livni and a former US ambassador who chairs a think tank, each involving back-and-forth contact over several days before the target was sent through the redirect chain.
  • The activity is linked to the Phosphorus APT through the de-ma[.]online domain, which carried related credential-harvesting pages.
  • Taken together, the operation illustrates a broader Iranian tactic: social engineering, compromised accounts, and attacker-controlled infrastructure used to harvest PII and identity documents.

MITRE Techniques

  • [T1566.002] Spearphishing Link – Targeted emails carried links disguised through Litby.us. “Litby[.]us, which from its name obviously tries to bear some resemblance to the widely used Bitly.com URL shortener, is at the center of these attacks.”
  • [T1608.005] Stage Capabilities: Link Target – Litby.us is attacker-controlled infrastructure rather than a third-party service, so the staging of its per-path redirects maps here rather than to Spearphishing via Service (T1566.003). “After noticing that Litby[.]us is suspicious, we pivoted on this domain … to find the various ‘shortened’ URL paths … Every such URL would redirect the victim to a different flow.”
  • [T1036] Masquerading – The fake shortener's name imitates a legitimate service so that its links look familiar to the target. “The attackers created a fake URL shortener service to facilitate their attacks. Litby[.]us, which from its name obviously tries to bear some resemblance to the widely used Bitly.com URL shortener, is at the center of these attacks.”
  • [T1078] Valid Accounts – Compromised victim inboxes (their acquisition falls under T1586.002, Compromise Accounts: Email Accounts) were used to hijack existing threads. “the attackers performed an account takeover of some victims’ inboxes, and then hijacked existing email conversations to start attacks from an already existing email conversation between a target and a trusted party.”
  • [T1583.001] Acquire Infrastructure: Domains – The attackers stood up Litby.us and associated domains to host the redirects and credential-harvesting pages; the report labels the domain simply as “Litby[.]us – fake URL shortener” in its infrastructure description.

Indicators of Compromise

  • [Domain] litby[.]us – fake URL shortener at the center of the phishing infrastructure
  • [Domain] de-ma[.]online – domain tied to Phosphorus credential-harvesting pages
  • [URL] litby[.]us/Shagrir – one of the ‘shortened’ paths on Litby[.]us; each path redirects the victim into a different phishing flow
  • [URL] litby[.]us/Ehuziel – another such path
  • [Domain, context only] validation.com – identity-verification service that appears in the document-theft step of the flow; the summary does not establish whether the domain itself is attacker-controlled or an impersonated legitimate brand, so treat it as context for the pretext rather than a blocklist entry until verified against the full report
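To operationalize the indicators above, here is an added hunting script (not code from the Check Point report) that refangs the defanged domains and paths, matches proxy-log URLs against them, and additionally flags any registrable domain label within edit distance 2 of "bitly", which is how a Litby-style lookalike would surface before it appears on any IoC list. The log layout, the usernames, and the bitlly.com lookalike are constructed for the example; the threshold of 2 is chosen because it is exactly the l/b swap between "litby" and "bitly".

```python
"""Hunt proxy logs for the Litby[.]us infrastructure and Bitly lookalikes.
Added example; not code from the CPR report. IoCs are those listed above."""
import re
from urllib.parse import urlparse

# Indicators kept defanged as threat reports write them; refang() before matching.
IOC_DOMAINS = {"litby[.]us", "de-ma[.]online"}
IOC_URL_PATHS = {"litby[.]us/Shagrir", "litby[.]us/Ehuziel"}

# The legitimate shortener the fake one imitates. An exact label match is the
# real service; a near miss on the registrable label is a lookalike.
LEGIT_SHORTENER_LABELS = {"bitly"}
LOOKALIKE_MAX_DISTANCE = 2  # 'litby' vs 'bitly' is exactly 2 substitutions


def refang(indicator: str) -> str:
    """Undo report defanging conventions: '[.]' and 'hxxp(s)://'."""
    return (indicator.replace("[.]", ".")
            .replace("hxxps://", "https://")
            .replace("hxxp://", "http://"))


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """Second-level label, e.g. 'litby' for 'litby.us'. Simplification: does not
    handle multi-part public suffixes such as co.uk."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_url(url: str) -> tuple:
    """Return (verdict, reason); verdict is 'ioc', 'lookalike' or 'clean'."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    host_and_path = host + parsed.path
    # Most specific first: exact known path, then known domain, then lookalike.
    if host_and_path in {refang(p) for p in IOC_URL_PATHS}:
        return "ioc", f"known phishing path {host_and_path}"
    if host in {refang(d) for d in IOC_DOMAINS}:
        return "ioc", f"known attacker domain {host}"
    label = registrable_label(host)
    for legit in LEGIT_SHORTENER_LABELS:
        if label == legit:
            return "clean", ""  # the real shortener, not a lookalike
        distance = levenshtein(label, legit)
        if distance <= LOOKALIKE_MAX_DISTANCE:
            return "lookalike", f"{host} resembles {legit} (edit distance {distance})"
    return "clean", ""


# Constructed proxy log in a "<timestamp> <user> <method> <url> <status>" layout.
# bitlly.com is a made-up lookalike for the example, not a reported indicator.
SAMPLE_LOG = """\
2022-06-01T09:12:33Z alice GET http://litby.us/Shagrir 302
2022-06-01T09:12:34Z alice GET https://www.example.com/report.pdf 200
2022-06-01T10:03:10Z bob GET https://bitly.com/3abcdef 301
2022-06-02T11:40:05Z carol GET https://de-ma.online/login 200
2022-06-02T12:00:00Z dave GET https://bitlly.com/x7 200
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+\S+\s+(?P<url>\S+)\s+\d{3}$")


def scan_log(log_text: str) -> list:
    """Return [(user, url, verdict, reason)] for every non-clean line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected layout
        verdict, reason = classify_url(m["url"])
        if verdict != "clean":
            hits.append((m["user"], m["url"], verdict, reason))
    return hits


if __name__ == "__main__":
    for user, url, verdict, reason in scan_log(SAMPLE_LOG):
        print(f"{verdict:9} {user:6} {url}  ({reason})")
```

The lookalike check is deliberately conservative: it compares only the registrable label, so `bitly.com` and `bit.ly` style legitimate hosts are not flagged, while a fresh typosquat of the shortener brand is caught even before it is on the IoC list. In production, replace the naive label split with a public-suffix-list lookup and feed `classify_url` from your proxy or mail-gateway URL field rather than the constructed sample.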

Read more: https://research.checkpoint.com/2022/check-point-research-exposes-an-iranian-phishing-campaign-targeting-former-israeli-foreign-minister-former-us-ambassador-idf-general-and-defense-industry-executives/