Iranian cybercriminals have impersonated a German modeling agency in an effort to illegally harvest user data from a spoofed website. Cybersecurity analysts from Palo Alto Networks warn that such campaigns, orchestrated by state-sponsored actors, are likely to intensify amid ongoing geopolitical instability in Central and Eastern Europe.
During the monitoring of a network infrastructure suspected to be linked to Iranian threat actors, experts from Palo Alto Networks’ Unit 42 discovered a fake website designed to mimic the Hamburg-based Mega Model Agency. The malicious site perfectly replicated the branding, layout, and content of the real agency’s website. However, it contained an encrypted script engineered to collect detailed information about site visitors and lure users into interacting with fabricated model profiles.
The counterfeit website displayed hallmarks of social engineering tactics commonly used by well-known Iranian hacker groups. Of particular concern, the researchers warn that the site may be connected to the Agent Serpens group—infamous for conducting cyberespionage operations against Iranian dissidents, journalists, and activists abroad, especially in countries like Germany.
“We have not yet observed direct victim interaction on the spoofed site. However, this incident clearly demonstrates that cybercriminals are deploying an almost unlimited array of social engineering methods to achieve their objectives,” said Wojciech Gołębiowski, Vice President and Managing Director of Palo Alto Networks for Central and Eastern Europe. “While financial gain remains the main motive for most cybercriminal organizations, geopolitical factors are increasingly driving attacks. In this case, individuals and organizations linked to Iranian activist communities should be extremely cautious when approached by strangers. The German incident should also raise the alert level in countries like Poland, as cyber groups linked to hostile intelligence services operate globally. High-value targets include public sector entities and critical infrastructure.”
One of the fake model profiles featured a link to a “private photo album”—though the URL is currently inactive. Still, Unit 42 specialists believe the link may have been created for targeted social engineering attacks. The fabricated album could serve as a lure to collect login credentials or distribute malware. The combination of this feature with the possibility of future malware deployment indicates that this operation may pose a threat not only now but also in the longer term.
This campaign reflects a broader escalation in the activity of Iran’s cyber intelligence apparatus, with tactics evolving to include more sophisticated impersonation and data-gathering strategies.
Source: Manager+