Activists targeted with barrage of creative phishing attempts

More often than not, the human element is the weakest link in the security chain. This fact is heavily exploited by cyber attackers, and makes phishing and spear-phishing attempts the most likely and most effective method to start an attack.

If the attackers are after a specific target there’s seemingly no end to the different lures they can come up with, as digital civil liberties activists at Free Press and Fight For the Future have recently witnessed.

The campaign

According to Electronic Frontier Foundation’s technologists Eva Galperin and Cooper Quentin, between July 7th and August 8th of 2017 the activists were hit with almost 70 spearphishing attempts aimed at stealing Google, Dropbox, and LinkedIn credentials.

“The attackers were remarkably persistent, switching up their attacks after each failed attempt and becoming increasingly creative with their targeting over time,” they noted.

The phishing emails ran the gamut from generic to extremely targeted, and tried to exploit the targets’ curiosity, anxiety, embarrassment or anger. Here are a few examples:

• Generic emails supposedly sent by co-workers, with links to view a document or invitation
• Emails with clickbait headlines appealing to the political interests of the targets or with lurid subjects aimed to embarrass the recipient into clicking a fake unsubscribe link. This latter approach also included fake confirmations of subscription to adult sites
• Emails made to look like they were sent by members of the targets’ family, with links that ostensibly lead to shared family photos
• Requests for links to specific content (e.g. the target’s music available online). The attacker replied to the sent information and claimed the link did not work correctly – but replaced it with one that pointed to a Gmail phishing page
• An email made to look like it was coming from a YouTube user that commented (aggressively and hatefully) on a real YouTube video that the target had uploaded.

“The sophistication of the targeting, the accuracy of the credential phishing pages, the working hours, and the persistent nature of the attacks seem to indicate that the attackers are professionals and had a budget for this campaign,” the technologists shared.

“Although this phishing campaign does not appear to have been carried out by a nation-state actor and does not involve malware, it serves as an important reminder that civil society is under attack. It is important for all activists, including those working on digital civil liberties issues in the United States, to be aware that they may be targeted by persistent actors who are well-informed about their targets’ personal and professional connections.”

Thwarting phishers

Luckily, there is a simple way for foiling this type of attack: enable two-factor authentication on all important accounts.

In fact, activists are not the only ones who should enable 2FA where possible. Seeing that our accounts often contain sensitive information that we wouldn’t want to see compromised and that hijacked accounts can effectively be used for further phishing and scam attempts, everybody should set it up.