You’ve Got Fake Mail: Pro-Palestinian Hackers Behind Massive Phishing Campaign Targeting Israelis Expecting Packages

Send in e-mailSend in e-mail
Send in e-mailSend in e-mail
Israelis wait in line at the post office in Ramat Gan, during a coronavirus lockdown, in 2020.
Israelis wait in line at the post office in Ramat Gan, during a coronavirus lockdown, in 2020. Credit: Eyal Toueg

Over the summer, hundreds of thousands of Israelis received the same text message: “Your package is awaiting delivery, we have to confirm payment in order to process your request.” The sender of the SMS appeared to be “Israel Post.” But in fact there was no package waiting to be picked up – the message, and the link it included, were part of a sprawling cybercrime campaign targeting Israelis, cybersecurity researchers revealed Tuesday.

According to Israeli cybersecurity firm Security Joes, the campaign, which targeted Israelis, was led by pro-Palestinian hackers based in Gaza and Britain. Its goal was to dupe Israelis into providing their credit card details, thus giving the hackers access to their finances. It is an example of phishing, in which attackers mislead unwitting users into providing personal information by presenting themselves as trusted sources.

However, despite the campaign’s criminal intentions, cybersecurity experts say the operation also had political motives. “These individuals are pro-Palestinians who have political reasons to target Israeli citizens, alongside their financial theft modus operandi,” the firm said in its report.

The findings were initially made by Webint Master, an Israeli cyber and business intelligence firm. Security Joes’ research confirmed their findings, published in Hebrew last week.

The post office offensive took place in June, and may still be ongoing. It joins a string of politically motivated cybercrime attacks against Israeli targets that began after the spread of the coronavirus. The pandemic has proven a boon for cybercriminals around the world, who have taken advantage of the shift to remote working and boom in e-commerce to target naive netizens.

This has been especially true in Israel over the past 18 months. So-called hacktivists – politically motivated hackers – as well as official state cyberoperatives from places like Iran have embraced criminal practices to conceal their espionage or offensive purposes.

One example was the very public and protracted attack last December against a prominent Israeli insurance firm, Shirbit, whose clients include many government organizations. Despite the large ransom the hackers demanded for the data they stole, the attack was said to be a politically motivated, criminal act conducted by a group of Iranian hackers. The financial motive merely played a secondary role.

Security Joes CEO Ido Naor said of the current campaign: “It’s smart to target residents during COVID-19 by impersonating the Israeli Post Office. Residents of Israel are at home, ordering anything from food to furniture,” and are much more exposed.

The attack was a relatively complex operation. The SMS message that victims received came from a sender named “ISRAELPOST.” This is the same sender name that appears when people receive actual messages from the genuine post office; if the recipient had ever received a message from the real post office, it would appear in the same thread as the fake message sent out by the hackers. This is possibly due to a relatively simple hack of the Sender ID system, which can allow people to send messages under many different names, and even from different numbers.

According to the researchers, though many thousands received the nefarious message, some of those targeted were actually awaiting a package and were expecting a message from the post office. According to Security Joes, this raises suspicions that the hackers had access to the post office’s databases and selected some of their targets in advance.

This indicates a high level of sophistication; the post office is an official state body and should, in theory, be well protected against such actions.

A screen capture of an SMS message sent out by the hackers pretending to be the Israel Post. The link leads to a fake website.Credit: Security Joes

“That said,” Naor continued, “the attackers did leave fingerprints that led back to their personal information and social accounts.”

For example, the link provided in the message – the one that led victims to a fake payment website where they were supposed to provide their details – was registered under a fake name that led investors to the suspected culprits. The phone number given for that alias was real, and through some open-source investigative digging, the researchers managed to uncover two real, Arabic names.

The phone numbers were Palestinian, and the cyberexperts even found the two suspected attackers’ Facebook accounts, identifying them as a woman based in the Gaza city of Rafah and a man based in London.

“We strongly believe that the individuals mentioned in the report are the ones behind the phishing campaign,” Naor said. No smoking gun was found, and there were no clear ties between the two individuals and any known hacking or Palestinian political groups. Still, Naor is confident in the company's findings.

The website set up for the purpose of the attack also linked back to the two, and bits of Arabic were found in the code created by the hackers, which also revealed a Palestinian IP address.

In response to the report, Israel’s cyber authority said: “We have long warned against such phishing attacks.” It added that other phishing campaigns using a similar method have taken place, with hackers masquerading as other delivery services, and that it is in touch with firms affected by such attacks.

In a post published on its official Facebook page on Monday, the cyber authority warned the public about the threat, and urged anyone who was targeted by it to contact them.

The report was also given to the anti-fraud unit at the Israel Police. In response, the police said they “had long warned and acted diligently against online fraud, and we are now increasing enforcement and awareness efforts regarding the risks of phishing attacks.”

Click the alert icon to follow topics:

Comments