by Adam Rawnsley
The Daily Beast
The headhunters at VIP Human Solutions have a unique pitch for those working in sensitive security jobs in Hezbollah and the Assad regime: Come work for us in Israel.
Underneath a picture of the Israeli flag and a contact number with an Israeli country code, VIP Human Solutions’ website advertises itself as the “VIP center for recruitment of the most distinguished in the military and security services of Syria and Hezbollah in Lebanon” that “specializes in research and consultancies in the studies of security and political science in all corners of the world." For those with the right experience, Human Solutions’ headhunters promise fast hiring and big salaries.
VIP Human Solutions’ website is one of 16 such sites that use the same pitch, phrasing, logos, phone numbers, and, for some, web infrastructure over the past four years to lure former spies and soldiers in Iran, Syria, and Hezbollah to come work for Israel. Intelligence experts say the crude and clumsy sites are fakes, with no plausible connection to Israel’s spy services. But the bogus recruiters’ websites have nonetheless endured, surfacing and disappearing at a number of hosts over the same four-year period to pitch to internet users in Iran, Syria, and Lebanon through Google Ads.
The Daily Beast was unable to attribute the jobs sites to any particular actor or determine their true purpose. But at least one group of Iran-focused cybersecurity researchers say they suspect the intelligence jobs sites are part of a counterintelligence effort run by Iran-linked operators.
Amin Sabeti, a cybersecurity expert and the director of Computer Emergency Response Team in Farsi (CERTFA), believes the job sites are “a honey trap by the [Iranian] regime to identify the potential people interested in working with the foreign intelligence services.”
Nor have they gone unnoticed in Iran, where social media users have expressed their anger and confusion over being targeted for recruitment by Google Ads purporting to come from one of Tehran’s adversaries.
The Daily Beast found the sites as part of an investigation into a series of apparent phishing websites that spoofed think tanks and news organizations focused on the Middle East and national security. Those sites include domains meant to trick users into believing they were associated with think tanks like the Quincy Institute for Responsible Statecraft, Stimson Center, Gatestone Institute, and the Israel-based Begin-Sadat Center and news outlets like the Jerusalem Post, Business Insider, and the United Arab Emirates-based Khaleej Times.
Neither The Daily Beast, the cybersecurity firm Mandiant, nor Google or Facebook, where the sites had accounts, were able to identify who’s behind the phishing domains. Telegram, which hosted messaging accounts for the fake jobs sites, did not respond to questions from The Daily Beast.
But the think tank and news phishing sites share at least some behavioral similarities to a previously documented phishing campaign waged by an Iranian intelligence-linked hacking group, according to cybersecurity experts >>>
Comments