Help Net Security - Daily information security news with a focus on enterprise security.
Zeljka Zorz, Editor-in-Chief, Help Net Security
February 2, 2017

Egyptian civil society NGOs targeted with sophisticated phishing

In the last few months, a number of Egyptian civil society organizations, lawyers, journalists, and independent activists have been targeted with personalized and generic emails aimed at revealing their Gmail or Dropbox credentials to the attackers.

The targets believe that the attacks are sponsored by the Egyptian government, which has been cracking down on dissenters and activists for a few years now. They might be right, as some of the phishing pages created by the attackers do contain comments in a form of Arabic slang used in Egypt.

Research findings

A report compiled by researchers from Citizen Lab and a technologist from the Egyptian Initiative for Personal Rights reveals some examples of the phishing emails used, as well as details about the campaign that was mounted.

The researchers discovered that the campaign was effected in two stages, each with distinct phishing tactics and domains.

In the first stage, the emails were extremely personalized and some leveraged very recent events. In one particular instance, emails supposedly containing documents about the arrest of a lawyer were delivered to a number of targets mere hours after the arrest took place, indicating that the attackers had insider knowledge about the arrest and therefore have ties to the Egyptian state.

In the second phase, the emails were more “generic,” mostly impersonating Google (i.e. Gmail) and emphasizing account security issues.

The researchers discovered that the Nile Phish attackers (as they’ve dubbed them) used the open-source phishing framework GoPhish to mount the campaign. They also managed to tie the two phases back to the same actors because of a technical error that allowed them to link the different server infrastructures used in the two stages.

“Nile Phish’s sponsor clearly has a strong interest in the activities of Egyptian NGOs, specifically those charged by the Egyptian government in Case 173 [a legal case brought by the Egyptian government against NGOs]. The Nile Phish operator shows intimate familiarity with the targeted NGOs activities, the concerns of their staff, and an ability to quickly phish on the heels of action by the Egyptian government,” the researchers found. Still, they noted that they are “not in a position in this report to conclusively attribute Nile Phish to a particular sponsor.”

Why is phishing so favored by attackers?

The researchers described credential phishing as “the royal road to account compromise.”

“While we cannot know Nile Phish operators’ reasons for choosing phishing, assuming they have access to other techniques, we can speculate that they used social engineering because it works,” they noted. “A phishing campaign has a number of advantages, even for operators capable of obtaining expensive and sophisticated malware.”

Phishing campaigns are cheap to deploy, easy to scale, and quick to adapt to new targets. They don’t require attackers to “sacrifice” pricey tools or malware in order to achieve their goal, and attackers don’t have to know anything about the device or software used by the targets.

In addition to this, the attacks are difficult to attribute to specific attackers, and the targeted accounts (email, file hosting) often contain huge troves of data.

Likely NGO targets can protect themselves and their accounts by using more secure forms of 2-factor authentication (authenticator apps and physical security keys) as well as undergoing anti-phishing training. Both methods have their limitations and are not foolproof, but increase the “cost-to-phish.”
