Help Net Security - Daily information security news with a focus on enterprise security.
Zeljka Zorz, Editor-in-Chief, Help Net Security
February 2, 2017

Egyptian civil society NGOs targeted with sophisticated phishing

In the last few months, a number of Egyptian civil society organizations, lawyers, journalists, and independent activists have been targeted with personalized and generic emails aimed at revealing their Gmail or Dropbox credentials to the attackers.

The targets believe that the attacks are sponsored by the Egyptian government, which has been cracking down on dissenters and activists for a few years now. They might be right, as some of the phishing pages created by the attackers do contain comments in a form of Arabic slang used in Egypt.

Research findings

A report compiled by researchers from Citizen Lab and a technologist from the Egyptian Initiative for Personal Rights reveals some examples of the phishing emails used, as well as details about the campaign that was mounted.

The researchers discovered that the campaign was effected in two stages, each with distinct phishing tactics and domains.

In the first stage, the emails were extremely personalized and some leveraged very recent events. In one particular instance, emails supposedly containing documents regarding the arrest of a lawyer that happened mere hours before were delivered to a number of targets, indicating that the attackers had insider knowledge about the arrest, and therefore have ties to the Egyptian state.

In the second phase, the emails were more “generic,” mostly impersonating Google (i.e. Gmail) and emphasizing account security issues.

The researchers discovered that the Nile Phish attackers (as they’ve dubbed them) used the open-source phishing framework GoPhish to mount the campaign. They also managed to tie the two phases back to the same actors because of a technical error that allowed them to link the different server infrastructures used in the two stages.

“Nile Phish’s sponsor clearly has a strong interest in the activities of Egyptian NGOs, specifically those charged by the Egyptian government in Case 173 [a legal case brought by the Egyptian government against NGOs]. The Nile Phish operator shows intimate familiarity with the targeted NGOs’ activities, the concerns of their staff, and an ability to quickly phish on the heels of action by the Egyptian government,” the researchers found. Still, they noted that they are “not in a position in this report to conclusively attribute Nile Phish to a particular sponsor.”

Why is phishing so favored by attackers?

The researchers described credential phishing as “the royal road to account compromise.”

“While we cannot know Nile Phish operators’ reasons for choosing phishing, assuming they have access to other techniques, we can speculate that they used social engineering because it works,” they noted. “A phishing campaign has a number of advantages, even for operators capable of obtaining expensive and sophisticated malware.”

Phishing campaigns are cheap to deploy, easy to scale, and quick to adapt to new targets. They don’t require attackers to “sacrifice” pricy tools or malware in order to achieve their goal, and the attackers don’t have to know anything about the device or software used by the targets.

In addition to this, the attacks are difficult to attribute to specific attackers, and the targeted accounts (email, file hosting) often contain huge troves of data.

Likely NGO targets can protect themselves and their accounts by using more secure forms of 2-factor authentication (authenticator apps and physical security keys) as well as undergoing anti-phishing training. Both methods have their limitations and are not foolproof, but increase the “cost-to-phish.”
