Tuesday, February 14, 2017

"This Cunning, Months-in-the-Making Phishing Campaign Targeted Dozens of Journalists, Activists"

From Motherboard:

In a new report, Amnesty International details a prolonged phishing campaign against journalists, activists and campaigners who work with Qatari labor rights issues.

Safeena Malik is not a real person. Despite having a Twitter feed created in December 2014, a fully fleshed-out LinkedIn with over five hundred connections, and a Facebook account where she reposts innocent viral videos, this supposed UK university graduate is an elaborate ploy in a large-scale hacking operation, according to a new report from Amnesty International.

Throughout 2016, those behind the Malik identity have tried, and in some cases succeeded, to break into the Gmail accounts of journalists, labor rights activists and human rights defenders, particularly those with a focus on Qatar. But the attention to detail, the persistence, and the long-game approach of these hackers stands head and shoulders above other phishing campaigns.

"In this case, the attackers have literally engaged with targets for months and attempted multiple times with different tactics and baits," Claudio Guarnieri, a technologist at Amnesty International, told Motherboard in an online chat.

"I am doing research about human trafficking. Can you help in this. I want to share my research with you. Can you guide me in this?" one of Malik's emails, sent to a target on August 29, 2016, reads. The message doesn't ask targets to download a file, but to take a look at a document stored on Google Drive. When clicked, the victim is directed to a login screen that looks identical to Gmail's legitimate one, and which has even been pre-configured to display the specific target's profile photo.

It is not clear who was behind these attacks, however. Because the hackers focused on activists working on issues in Qatar, Amnesty believes the campaign may have been carried out by a state-sponsored actor. The hackers logged into some of the stolen accounts from an IP address related to Ooredoo, an internet service provider with headquarters in Doha, Qatar, the report adds. The Qatari government denied any involvement in the phony Google pages, according to a statement given to Amnesty.

Regardless, the URL of the phishing page includes words like "rqeuset," "hanguot," and "g-puls," terms that, if glanced at quickly by a non-native speaker, may not raise any alarm bells, and possibly give a sense that this page is genuinely from Google.

After entering their email address and password, the victim is sent to a real Google Drive document. But, the hackers now have the target's login details, and potentially access to their email account. In other instances, the phishing page might be for a Google Hangout, and will land on Malik's Google+ profile. But each piece of bait is specially tailored for its target, Guarnieri told Motherboard....MORE
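The scrambled product names the article describes ("rqeuset", "hanguot", "g-puls") are the kind of signal a URL filter or mail gateway can catch mechanically: each is a letter-for-letter permutation of a real Google word, so an exact-match blocklist misses it while a "same letters, wrong order" or small-edit-distance check does not. The following is an added example, not code from the Motherboard article or the Amnesty report: it tokenizes a URL and flags tokens that are anagrams of, or one edit away from, a list of Google product words. The word list, the thresholds and the two sample URLs are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Product words a fake Google login or Drive page might borrow.  This list
# is an assumption made for the example, not taken from the Amnesty report.
BRAND_WORDS = ("google", "gmail", "accounts", "drive", "docs", "hangout",
               "hangouts", "plus", "request", "signin", "login", "share")

# Constructed sample URLs (not the campaign's real infrastructure).
SAMPLE_PHISH = "https://drive-rqeuset.example.net/g-puls/hanguot/share?user=target"
SAMPLE_LEGIT = "https://accounts.google.com/signin/v2/identifier?service=mail"


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein edits plus a cost-1
    swap of two adjacent characters, which is how 'hanguot' and 'g-puls'
    were produced from 'hangout' and 'g-plus'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if (i > 1 and j > 1 and a[i - 1] == b[j - 2]
                    and a[i - 2] == b[j - 1]):
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def url_tokens(url: str) -> list:
    """Split host, path and query into lower-case alphabetic runs."""
    p = urlparse(url)
    text = f"{p.netloc} {p.path} {p.query}"
    return [t.lower() for t in re.findall(r"[A-Za-z]+", text)]


def lookalike_tokens(url: str) -> list:
    """Return (token, brand_word, reason) for every URL token that imitates
    a brand word without being one.  Exact brand words are skipped: they
    appear in legitimate Google URLs too, so on their own they prove nothing."""
    hits = []
    for tok in url_tokens(url):
        if tok in BRAND_WORDS or len(tok) < 4:
            continue  # too short to judge, or a real product word
        for word in BRAND_WORDS:
            # Same multiset of letters, different order: the article's pattern.
            if sorted(tok) == sorted(word):
                hits.append((tok, word, "scrambled"))
                break
            # One insertion/deletion/substitution/swap away; only for longer
            # tokens, where a single edit is unlikely to be coincidence.
            if len(tok) >= 6 and osa_distance(tok, word) <= 1:
                hits.append((tok, word, "near-miss"))
                break
    return hits


if __name__ == "__main__":
    for url in (SAMPLE_PHISH, SAMPLE_LEGIT):
        print(url, "->", lookalike_tokens(url) or "no lookalike tokens")
```

The anagram test is deliberately the first check because it is almost free of false positives: an ordinary English word is rarely a permutation of "request" or "hangout". The edit-distance branch is looser (it will flag "drives" against "drive"), so in a gateway it belongs in a scoring rule rather than a hard block. Neither check replaces looking at the registered domain: the pre-filled profile photo and the redirect to a real Drive document described above are exactly what make the page convincing to a human, and a domain that is not google.com remains the decisive tell.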