The headhunters at VIP Human Solutions have a unique pitch for those working in sensitive security jobs in Hezbollah and the Assad regime: Come work for us in Israel.
Underneath a picture of the Israeli flag and a contact number with an Israeli country code, VIP Human Solutions’ website advertises itself as the “VIP center for recruitment of the most distinguished in the military and security services of Syria and Hezbollah in Lebanon” that “specializes in research and consultancies in the studies of security and political science in all corners of the world.” For those with the right experience, Human Solutions’ headhunters promise fast hiring and big salaries.
VIP Human Solutions’ website is one of 16 such sites that have used the same pitch, phrasing, logos, phone numbers, and, for some, web infrastructure over the past four years to lure former spies and soldiers in Iran, Syria, and Hezbollah to come work for Israel. Intelligence experts say the crude and clumsy sites are fakes, with no plausible connection to Israel’s spy services. But the bogus recruiters’ websites have nonetheless endured, surfacing and disappearing at a number of hosts over the same four-year period to pitch to internet users in Iran, Syria, and Lebanon through Google Ads.
The Daily Beast was unable to attribute the jobs sites to any particular actor or determine their true purpose. But at least one group of Iran-focused cybersecurity researchers say they suspect the intelligence jobs sites are part of a counterintelligence effort run by Iran-linked operators.
Amin Sabeti, a cybersecurity expert and the director of Computer Emergency Response Team in Farsi (CERTFA), believes the job sites are “a honey trap by the [Iranian] regime to identify the potential people interested in working with the foreign intelligence services.”
Nor have they gone unnoticed in Iran, where social media users have expressed their anger and confusion over being targeted for recruitment by Google Ads purporting to come from one of Tehran’s adversaries.
The Daily Beast found the sites as part of an investigation into a series of apparent phishing websites that spoofed think tanks and news organizations focused on the Middle East and national security. Those sites include domains meant to trick users into believing they were associated with think tanks like the Quincy Institute for Responsible Statecraft, Stimson Center, Gatestone Institute, and the Israel-based Begin-Sadat Center and news outlets like the Jerusalem Post, Business Insider, and the United Arab Emirates-based Khaleej Times.
Neither The Daily Beast, the cybersecurity firm Mandiant, nor Google or Facebook, where the sites had accounts, were able to identify who’s behind the phishing domains. Telegram, which hosted messaging accounts for the fake jobs sites, did not respond to questions from The Daily Beast.
But the think tank and news phishing sites share at least some behavioral similarities with a previously documented phishing campaign waged by an Iranian intelligence-linked hacking group, according to cybersecurity experts.
Email trail
The Daily Beast found the phishing domains and job sites after Lahav Harkov, the Jerusalem Post’s diplomatic correspondent, warned Twitter users in December 2021 that a fake domain imitating the Israeli newspaper’s website was sending out emails in her name. The emails, shared with The Daily Beast by the reporter, used clunky English to reach out to Iran-focused academics and tried to set up interviews with the fake Post reporter on topics like “Gulf countries have a desire to normalize relations with Israel!”
By sifting through a list of websites that used the same relatively uncommon combination of commercial website services found on the fake Jerusalem Post site, The Daily Beast was able to find a number of similarly themed spoofs.
Only two other websites shared the same IP address as the fake Jerusalem Post domain—a similar spoof of Khaleej Times, a UAE newspaper, and an apparent fake login site for Google Drive.
The fake Jerusalem Post’s email provider, the company which registered the site’s domain name, and the provider of its name server—used to resolve the site’s name to an IP address—were all popular commercial companies. Thousands of legitimate websites use each of these companies’ services but a search of DomainTools’ IRIS cybersecurity database showed that only 68 websites currently use the same combination of those three companies’ services.
Within that set of 68 sites, the vast majority are legitimate, but a handful, all hosted by a Bulgarian web hosting firm named Belcloud, are suspicious and potentially malicious, including fake websites for Middle East and security-focused think tanks, news organizations, and the VIP Human Solutions job site.
Belcloud did not respond to questions from The Daily Beast in time for publication.
Three of the fake think tank websites—spoofing Quincy, Gatestone, and the Begin-Sadat center—are hosted at the same IP address with slightly misspelled URLs or differing top level domains (for example, copying a site’s name on the .net domain instead of .org).
Other apparent phishing domains, like a fake Business Insider domain created in July 2020, briefly shared the same IP address at Belcloud with the phony Quincy Institute domain.
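The pivot described above, as an added example that is not code from The Daily Beast, DomainTools or CERTFA: filter domains by a shared combination of registrar, mail and name-server providers, narrow to one hosting company, group the survivors by IP address, and flag names that differ from a known brand only by a typo or a swapped top-level domain. All domains, provider names and IP addresses are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample records, not real data: (domain, registrar, mail provider,
# name-server provider, hosting provider, IP from RFC 5737 documentation ranges).
RECORDS = [
    ("examplethinktank.net", "RegistrarA", "MailB", "DnsC", "HostX", "192.0.2.10"),
    ("exampelthinktank.org", "RegistrarA", "MailB", "DnsC", "HostX", "192.0.2.10"),
    ("dailyexamplenews.co", "RegistrarA", "MailB", "DnsC", "HostX", "192.0.2.44"),
    ("smallbakery.example", "RegistrarA", "MailB", "DnsC", "HostY", "198.51.100.7"),
    ("unrelatedshop.example", "RegistrarA", "MailZ", "DnsC", "HostX", "192.0.2.10"),
]
# Hypothetical brands a defender wants to protect.
KNOWN_BRANDS = ["examplethinktank.org", "dailyexamplenews.com"]

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain, brands, max_typos=2):
    """Return the brand a domain imitates (TLD swap or small typo), else None."""
    name, _, tld = domain.partition(".")
    for brand in brands:
        b_name, _, b_tld = brand.partition(".")
        if domain == brand:
            return None  # the genuine site itself
        if (name == b_name and tld != b_tld) or 0 < edit_distance(name, b_name) <= max_typos:
            return brand
    return None

def pivot(records, stack, host):
    """Keep domains sharing the service stack and host, grouped by IP."""
    clusters = defaultdict(list)
    for domain, registrar, mail, dns, hosting, ip in records:
        if (registrar, mail, dns) == stack and hosting == host:
            clusters[ip].append((domain, lookalike_of(domain, KNOWN_BRANDS)))
    return dict(clusters)

if __name__ == "__main__":
    for ip, hits in pivot(RECORDS, ("RegistrarA", "MailB", "DnsC"), "HostX").items():
        print(ip, hits)
```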
The Daily Beast shared its research with the cybersecurity firm Mandiant. In a statement, the company said it couldn’t say who’s behind the phishing websites but did note that some of the “activity reflects [tactics, techniques, and procedures] we most closely associated with the threat actor UNC788,” a designation for hacking activity believed to be associated with Iran’s Ministry of Intelligence and Security.
In 2020, cybersecurity researchers at CERTFA uncovered an attempt by what it concluded were hackers linked to the Ministry of Intelligence and Security which “targeted journalists, political and human rights activists” with an interview pitch similar to the one sent by the fake Post reporter, Harkov. CERTFA researchers found that the hackers would use the interview pitch to build trust with a target before sending a fake Google login page meant to trick recipients into revealing their passwords.
Like the fake think tank and news sites uncovered by The Daily Beast, the sites CERTFA found in 2020 were also hosted at Belcloud. One of the phishing domains found by CERTFA on Belcloud and linked to Iranian intelligence, a fake Google Drive login site, was recently hosted at the same IP address as the fake Jerusalem Post and Khaleej Times sites, although The Daily Beast could not determine whether the site is still operated by the same owners who ran it when researchers linked it to Iran.
While neither The Daily Beast nor Mandiant could attribute the sites to any individual, group, or country, Sabeti says he’s personally convinced that it’s the work of “Charming Kitten,” the nickname for the Iran-linked hacking group known to target Western officials, journalists, dissidents, and human rights activists and believes the domains show the group has “increased the scope of its target and operations in recent months.”
Headhunters?
The VIP Human Solutions site, while not hosted on Belcloud, uses the same combination of commercial infrastructure services as the phishing domains. And since 2018, at least 16 remarkably similar jobs websites have used the same logo and pitch language to try to recruit former spies and military personnel in Iran, Syria, and Hezbollah for what purports to be an Israeli “consulting” firm.
It’s unclear if all of the sites are operated by the same entity, but a number of them share the same Google Analytics account (used to monitor web traffic) and some of the sites list the same Israel-based phone number and Telegram accounts for applicants to reach them.
The earliest iteration of a VIP Human Solutions-branded website appeared in 2018 and came with an associated Facebook page and YouTube account advertising the high-paying “consulting” jobs to former Iranian intelligence, security, and cybersecurity veterans. After The Daily Beast shared its findings with Facebook, the company removed the page pending identity verification but could not attribute it to any particular actor.
It’s not clear what the purpose of the websites is, but intelligence experts are skeptical that Israel’s intelligence services have anything to do with them given their broad, indiscreet, and amateurish pitches.
Douglas London, a 34-year veteran of the CIA’s clandestine service and author of The Recruiter, a recent memoir about his career in espionage and the Middle East, told The Daily Beast that it’s unlikely the site is run by Israeli intelligence.
“On the surface, I’m doubtful that this is the work of any sophisticated intelligence service, let alone Israel. They don’t have to do this,” London said.
“In the internet era, where you have LinkedIn or Indeed.com, any sophisticated service has access to that, whether directly or indirectly. A potential target probably already has their resume out there and intelligence services can use computers to sift through that.”
London also pointed out that the blatant Israeli associations advertised on the sites contrast with the public reporting on how Israeli intelligence services often recruit agents in Arab countries and Iran.
“Israel tends to use a lot of false flag recruitment operations that disguise the fact that targets are working for Israel. They pretend to be American, British, or Canadians because it’s more palatable for Arabs and Iranians to work for Americans.”
What’s even more odd about the sites is that Iran doesn’t block them, says Sabeti, the director of CERTFA. “Many Israeli websites are blocked in Iran, and it would be odd that a website that tries to recruit agents from Iran is not.”
Iranian authorities have had ample time and opportunity to notice the sites and block them if they wished. Social media users in Iran have frequently posted about their confusion when encountering Google Ads for the sites and Mashregh News, an Iranian news outlet close to the country’s intelligence and military establishment, published an article about them in December 2020, which speculated that they were a Mossad attempt to recruit Iranian spies on illicit gambling and game apps.
Whoever is behind the thinly veiled attempt, they’re not talking. The Daily Beast reached out to the sites through submission forms, WhatsApp, and Telegram messages but received no response.