Adam Rawnsley
Jan 24, 23 tweets, 7 min read
My latest: Someone has spent the past four years creating fake Mossad recruiting websites and buying Google Ads to target them at intelligence and military veterans from Iran, the Assad regime, and Hezbollah. thedailybeast.com/shady-network-…
We found the sites while looking into a series of phishing domains that spoofed legitimate news organizations like Business Insider, Jerusalem Post, and the UAE-based Khaleej Times along with think tanks like the Quincy Institute, Stimson Center, Begin-Sadat Center, & Gatestone.
Bit of a thread here. Meet "VIP Human Solutions," which pretends to be an Israel-based "consulting" firm interested in hiring intelligence & security veterans of the Assad regime & Hezbollah. They claim to offer big salaries & fast hiring for folks with the right experience.
It's one of at least 16 sites spanning a four year period that use the same phrasing, logo, and at times, the same Google Analytics account and Israeli phone numbers and Telegram accounts to accept resumes and place Google Ads to Internet users in Iran/Syria/Lebanon.
This is pretty obviously not how the Mossad does business and intelligence experts tell us it's extremely unlikely these sites are operated by Israel. The Daily Beast, Mandiant, Facebook, and Google (where the sites had accounts) couldn't identify who's behind the sites.
But @AminSabeti, a cybersecurity researcher at CERTFA, suspects that the sites are part of an Iranian counterintelligence effort—“a honey trap by the [Iranian] regime to identify the potential people interested in working with the foreign intelligence services.”
The weird thing about these sites is that they're not blocked in Iran despite Iran being very block-happy on Israeli websites and having had multiple opportunities to be aware of them. Mashregh, a news outlet close to Iranian security services, covered one mashreghnews.ir/news/1153970/%…
Mashregh speculated that the sites were being targeted at users of illicit gambling and gaming websites in Iran. And Iranian social media users have posted screenshots reacting with confusion/anger/bemusement when being targeted with the ads.
At least one Twitter user claimed to encounter an ad for one of these sites from a third party ad service running on the New York Times website.
I spoke to Douglas London, a 34-year veteran of the CIA and the recent author of a memoir of his service, "The Recruiter," who said the crude and clumsy methods make it deeply unlikely this is run by Israel's intelligence services.
Here are some IOCs for you:
What's interesting is how we came across these fake jobs. It started with a single tweet from a Jerusalem Post reporter warning people that someone had set up a fake Post domain and was impersonating her via email through the domain.
The Daily Beast is lucky enough to have a DomainTools account. Folks very quickly realized after the tweet that there was another spoofed news org hosted at the same IP address, one of only 3 domains there.
And there the trail ended. Or did it? I noticed that the fake Jerusalem Post domain and the fake Khaleej Times domain used a broadly commercial registrar (NameSilo), mail provider (Zoho), and name server (cloudns). Thousands upon thousands of legit sites use these services.
But if you run a query in DomainTools IRIS to find all current websites that use the three companies for those three services, you get only 68 websites—a much smaller haystack to sift through. Among those 68 sites matching the pattern was one of the VIP Human Solutions domains.
Most of those 68 sites were boring, legit sites. But a handful of them—all hosted at an obscure Bulgarian host, Belcloud—looked a lot like phishing domains meant to spoof Middle East and security-focused think tanks along with Google login pages.
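The pivot described above (a three-provider fingerprint to shrink the haystack, then clustering the survivors by hosting provider and by shared IP) as an added example; this is not the Daily Beast's or DomainTools' code, and the records below are constructed, with only the provider names taken from the thread.

```python
"""Infrastructure pivot: filter domains by a shared provider fingerprint,
then cluster the survivors by hosting provider and by shared IP."""
from collections import defaultdict

def rec(domain, registrar, mx, ns, ip, host):
    return {"domain": domain, "registrar": registrar, "mx": mx, "ns": ns, "ip": ip, "host": host}

# Constructed sample records (not real WHOIS/DNS data). Only the provider
# names come from the thread; domains use reserved .example names and the
# IPs are RFC 5737 documentation addresses.
RECORDS = [
    rec("jpost-lookalike.example",     "NameSilo",  "Zoho",   "cloudns", "203.0.113.10", "Belcloud"),
    rec("khaleej-lookalike.example",   "NameSilo",  "Zoho",   "cloudns", "203.0.113.10", "Belcloud"),
    rec("thinktank-lookalike.example", "NameSilo",  "Zoho",   "cloudns", "203.0.113.11", "Belcloud"),
    rec("vipjobs-lookalike.example",   "NameSilo",  "Zoho",   "cloudns", "198.51.100.5", "HostA"),
    rec("legit-shop.example",          "NameSilo",  "Zoho",   "cloudns", "192.0.2.40",   "BigCloud"),
    rec("legit-blog.example",          "NameSilo",  "Google", "cloudns", "192.0.2.41",   "BigCloud"),
    rec("legit-news.example",          "GoDaddy",   "Zoho",   "cloudns", "192.0.2.42",   "BigCloud"),
    rec("older-campaign.example",      "Namecheap", "Zoho",   "other",   "203.0.113.10", "HostA"),
]

# The registrar / mail provider / name server combination the thread pivoted on.
FINGERPRINT = {"registrar": "NameSilo", "mx": "Zoho", "ns": "cloudns"}

def match_fingerprint(records, fingerprint=FINGERPRINT):
    """Return the records that match every field in the fingerprint."""
    return [r for r in records if all(r.get(k) == v for k, v in fingerprint.items())]

def cluster_by(records, field):
    """Group domains by one attribute, keeping only groups with more than one
    member: a lone domain on a host or IP is not a cluster worth a closer look."""
    groups = defaultdict(list)
    for r in records:
        groups[r[field]].append(r["domain"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def shared_ip_neighbors(records, domain):
    """Domains co-hosted on the same IP as `domain`, regardless of fingerprint
    (the kind of overlap that linked the spoofed news domains to older activity)."""
    ips = {r["ip"] for r in records if r["domain"] == domain}
    return sorted(r["domain"] for r in records if r["ip"] in ips and r["domain"] != domain)

if __name__ == "__main__":
    hits = match_fingerprint(RECORDS)
    print(f"{len(hits)} of {len(RECORDS)} domains match the fingerprint")
    for host, doms in cluster_by(hits, "host").items():
        print(f"  cluster on host {host}: {doms}")
    print("co-hosted with jpost-lookalike.example:",
          shared_ip_neighbors(RECORDS, "jpost-lookalike.example"))
```

Shared commodity providers alone prove nothing; the value is in the intersection of several weak signals, and each cluster still needs manual review before any attribution claim.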
This cluster of Belcloud sites tried to spoof:
• Quincy Institute
• Begin-Sadat Center
• Stimson Center
• Gatestone Institute
• Galil Engineering (an Israeli engineering firm)
• Lots of Google-ish logins
@AminSabeti at CERTFA also found linked infrastructure with the same host/pattern with a spoof of Business Insider.
Interesting bit: there's some limited overlap between the domains and tactics we found and a previously reported phishing activity attributed to Charming Kitten, an Iranian intelligence-linked hacking group. blog.certfa.com/posts/fake-int…
Like the fake emails sent out in Lahav's name from the fake Jerusalem Post domain, this 2020 operation tried to set up interviews via fake reporters/think tanks. reuters.com/article/us-ira…
One of the domain names in that reported activity set—most of which were hosted at the same Bulgarian hosting company—moved from Belcloud and was hosted at the same IP address as the fake Jerusalem Post/Khaleej Times domain. It's far from attribution but it is curious.
One last bit on the fake Mossad jobs sites. I reached out to one of the Telegram accounts, which showed as recently active, and sent them a resume. No response or job offer :/