Facebook’s security teams recently blocked a small cluster of WhatsApp accounts posing as tech companies’ support agents after investigating user reports.
The malicious activity, which originated in Iran, attempted to target individuals in Israel, Palestine, Iran, the United States, and the UK, focusing on political and diplomatic officials and other public figures, including some associated with the administrations of President Biden and former President Trump.
The investigation linked the activity to APT42 (also known as UNC788 and Mint Sandstorm), an Iranian threat actor known for its persistent phishing campaigns across the internet.
APT42 has previously targeted people in the Middle East, including Saudi military, dissidents, and human rights activists from Israel and Iran, as well as politicians in the US and Iran-focused academics, activists, and journalists around the world.
Accounts Posed as Technical Support for Major Tech Companies
The suspicious WhatsApp accounts posed as technical support for AOL, Google, Yahoo, and Microsoft. Some of the targeted individuals reported these messages to WhatsApp using the app’s built-in reporting tools, enabling the company to investigate the campaign and link it to APT42.
Facebook has not seen evidence that the targeted WhatsApp accounts were compromised, but it has encouraged those who reported the suspicious activity to take steps to ensure their online accounts are safe.
As a precautionary measure, given the heightened threat environment ahead of the US election, Facebook has shared information about this malicious activity with law enforcement and presidential campaigns.
Facebook continues to monitor information from industry peers, internal investigations, and user reports, promising to take action if further attempts by malicious actors to target people on their apps are detected.
The company strongly encourages public figures, journalists, political candidates, and campaigns to remain vigilant, take advantage of privacy and security settings, avoid engaging with messages from unknown individuals, and report suspicious activity.
Cyber espionage actors typically target people across the internet to collect intelligence, manipulate them into revealing information, and compromise their devices and accounts.
When disrupting these operations, Facebook takes down the malicious accounts, blocks their domains from being shared on the platform, and notifies people believed to have been targeted by these groups.