A recent phishing campaign has targeted high-profile users of Gmail and WhatsApp in the Middle East, particularly those involved in Iranian-related activities. U.K.-based Iranian activist Nariman Gharib shared redacted screenshots of a phishing link he received via WhatsApp, warning others to avoid suspicious links. The campaign coincides with Iran's longest internet shutdown amid ongoing protests, raising concerns about the motivations behind the attacks. The source code from the phishing site revealed intentions to steal credentials and conduct surveillance on victims, though it's unclear if the attackers are government agents or cybercriminals. TechCrunch analyzed the phishing link, which utilized a dynamic DNS provider, DuckDNS, to mask its true origin. The actual phishing page was hosted on a newly registered domain, alex-fabow.online, and linked to other domains targeting virtual meeting platforms. The phishing page tricked victims into entering their Gmail credentials or phone numbers. TechCrunch discovered a flaw that exposed records of over 850 victims, detailing their usernames, passwords, and two-factor authentication codes, effectively functioning as a keylogger. The phishing campaign also aimed to hijack victims' WhatsApp accounts and extract sensitive data from their devices. Gharib's experience demonstrated how the phishing link directed him to a fake WhatsApp page with a QR code, designed to link his account to an attacker's device. The site requested permission to access location data, photos, and audio, which could be continuously transmitted back to the attackers. While the exact identity of the attackers remains unknown, the campaign has affected a small but notable group of individuals, including academics, government officials, and business leaders from the Iranian diaspora.