Security News

Iranian hackers host malicious ‘Hire Military Heroes’ site

Avast Security News Team, 27 September 2019

Plus, attackers target Tibetan leadership with spyware, a phishing scam snaps up your Instagram credentials, and YouTube is hit with a massive wave of account hijacks

A new website titled Hire Military Heroes pretends to help U.S. veterans find jobs, but cybersecurity researchers have discovered it to be a malicious site run by an Iranian nation-state hacking group. Dark Reading reports the group is called Tortoiseshell, while some experts believe they are actually the infamous Imperial Kitten hacking group. The phony site prompts visitors to download an app, which is actually a malicious downloader that plants malware in the user’s system. The malware then collects a wealth of information about the victim’s network, including hardware details, system configuration, and other admin data. It is unclear how the group is sourcing or luring its victims, but the backdoor created by the malware allows the group to spy on American military veterans while gathering personal information about them. Avast Security Evangelist Luis Corrons says these actions may lead to further data theft. “These are social engineering tactics targeting a specific social group, probably to gather certain information they need to perform further attacks.”

This week’s stat 

The FAA predicts there will be between 1.3 million and 1.7 million hobby drones in the U.S. by 2023. Read more on drones. 

Dalai Lama team targeted with spyware

Using WhatsApp, a hacker group targeted Tibetan leadership with messages falsely claiming to be from nonprofit activist groups like Amnesty International. The messages contained malicious links that if clicked would infect their devices with spyware. Business Insider reports that over the past two years Tibetan officials, including some who work for the Dalai Lama, received messages from hackers. Some of the attackers posed as activists – and in one instance a New York Times reporter – who wanted to share photo and video evidence of human rights violations in China. A link the attackers sent purported to lead to this evidence, but actually downloaded spyware on their iOS or Android devices. Fortunately, none of the intended targets were compromised by the scam as all their devices had already been updated with the latest security protections that detected and neutralized the spyware. “In some regions and situations where certain people are likely to be targeted, users have to be extra careful,” said Avast’s Corrons. “Never click on links or open files that come from people you do not trust. And even messages that appear to come from trusted people should be scrutinized. Make sure the sender  actually sent the message.” 

This week’s quote

“When you can fully recover a company’s IT infrastructure after a devastating fire, that says a lot about proactive service.” – Frank Zamarelli, Salem Computer Center, on helping a grain mill after a disaster. Read more on SMB cybersecurity.

Instagram users targeted with phony copyright notice

Researchers are warning Instagram users of a new phishing scam that falsely threatens account suspension due to copyright infringement. According to Bleeping Computer, users are presented with a fake, albeit official-looking, notice claiming that copyrighted material was found in their Instagram posts and that they have 24 hours to dispute the charge before their account is suspended. The fraudulent notice baits users to click a “Copyright Objection Form” button which directs them to the phishing landing page. There, they are prompted to enter their login credentials which are sent to the attackers. Experts warn that even savvy users may fall for the scam because the attackers took pains to make their message look legitimate, using official Instagram colors and font, an HTTPS certificate that provides the green padlock in the browser address bar, and a domain name that features the words “instagram” and “copyright infringement.” 

This week’s 'must-read' on The Avast Blog

Do you know what a botnet is? Can you define the word phishing? What is a banking Trojan? The terms are in the news. Master them with our vocabulary-building post. 

Multiple YouTube accounts hijacked and renamed

A ZDNet investigation uncovered a massive wave of YouTube account hijacks over the past week. Many of the targeted accounts were high-profile channels in the YouTube car community, but other categories were also hit. The attackers lured YouTube creators to phishing sites where their account credentials were harvested. Then they hacked into the accounts, assigning new owners and changing the channel’s vanity URL. This led YouTube creators to fear their channel had been deleted, while the attackers made off with their audience of subscribers. In some cases, the attackers bypassed two-factor authentication protocols, leading experts to suspect the attackers’ arsenal is equipped with a sophisticated toolkit. ZDNet believes the attackers will endeavor to sell the hijacked channels quickly before the subscribers catch on and unsubscribe, rendering the accounts worthless.


Avast is a global leader in cybersecurity, protecting hundreds of millions of users around the world. Protect all of your devices with our award-winning free antivirus. Safeguard your privacy and encrypt your online connection with SecureLine VPN.