In the last few months, a number of Egyptian civil society organizations, lawyers, journalists, and independent activists have been targeted with personalized and generic emails aimed at revealing their Gmail or Dropbox credentials to the attackers.
The targets believe that the attacks are sponsored by the Egyptian government, which has been cracking down on dissenters and activists for a few years now. They might be right, as some of the phishing pages created by the attackers do contain comments in a form of Arabic slang used in Egypt.
A report compiled by researchers from Citizen Lab and a technologist from the Egyptian Initiative for Personal Rights reveals some examples of the phishing emails used, as well as details about the campaign that was mounted.
The researchers discovered that the campaign was effected in two stages, each with distinct phishing tactics and domains.
In the first stage, the emails were extremely personalized and some leveraged very recent events. In one particular instance, emails supposedly containing documents regarding the arrest of a lawyer that had happened mere hours before were delivered to a number of targets, indicating that the attackers had insider knowledge of the arrest and therefore have ties to the Egyptian state.
In the second phase, the emails were more “generic,” mostly impersonating Google (i.e. Gmail) and emphasizing account security issues.
The researchers discovered that the Nile Phish attackers (as they’ve dubbed them) used the open-source phishing framework GoPhish to mount the campaign. They also managed to tie the two phases back to the same actors because of a technical error that allowed them to link the different server infrastructures used in the two stages.
“Nile Phish’s sponsor clearly has a strong interest in the activities of Egyptian NGOs, specifically those charged by the Egyptian government in Case 173 [a legal case brought by the Egyptian government against NGOs]. The Nile Phish operator shows intimate familiarity with the targeted NGOs activities, the concerns of their staff, and an ability to quickly phish on the heels of action by the Egyptian government,” the researchers found. Still, they noted that they are “not in a position in this report to conclusively attribute Nile Phish to a particular sponsor.”
Why is phishing so favored by attackers?
The researchers described credential phishing as “the royal road to account compromise.”
“While we cannot know Nile Phish operators’ reasons for choosing phishing, assuming they have access to other techniques, we can speculate that they used social engineering because it works,” they noted. “A phishing campaign has a number of advantages, even for operators capable of obtaining expensive and sophisticated malware.”
Phishing campaigns are cheap to deploy, easy to scale, and quick to adapt to new targets; they don’t require attackers to “sacrifice” pricey tools or malware in order to achieve their goal, and the attackers don’t need to know anything about the device or software used by the targets.
In addition to this, the attacks are difficult to attribute to specific attackers, and the targeted accounts (email, file hosting) often contain huge troves of data.
Likely NGO targets can protect themselves and their accounts by using more secure forms of two-factor authentication (authenticator apps and physical security keys) and by undergoing anti-phishing training. Both methods have their limitations and are not foolproof, but they increase the “cost-to-phish.”