What is Persian Stalker?

Persian Stalker is targeting Iranian social media accounts.

The “group” has been around since 2017, and they have been observed targeting social media accounts.  Specifically, this group focuses on gaining access and control of Instagram and Telegram accounts.

Telegram is a popular service with about 40 million users.  Telegram is a communication app that has been used to organize protesters in Iran.  Of course, the Iranian government is not a fan of this service.  The Iranian government has actively requested that certain services and channels be shut down.  As far as we know, the Iranian government has not engaged in blocking the service in Iran.

Persian Stalker uses several techniques to gain access to user’s accounts.  They have created false login pages for miss-typed domain names.  If you accidentally misspell the website, the malicious website will appear that looks exactly like the real thing.  When the user logs in the login data are captured, and the user is presented with an error message.  Of course, the 2nd login will work correctly, so the user never finds out that their login information was compromised.

Another technique that Persian Stalker uses is BGP hijacking.  BGP stands for Border Gateway Protocol.  BGP is the routing protocol that is used in the internet backbone.  BGP is also gaining popularity as the protocol used in some wide area networks.  BGP hijacking is accomplished when the routing tables are corrupted so that the attacker can maliciously reroute internet traffic.  In the case of Persian Stalker, the BGP hijacking is used to capture the user’s credentials.

In summary, Persian Stalker is a malicious team who is stealing social media account usernames and passwords.  They are primarily targeting Iranian users, but this target may expand to other areas of the world.  This group uses the stolen information for malicious purposes.  There is no evidence that this group has any political agenda.