Digital civil liberties activists were hit with a barrage of phishing emails earlier this summer designed to wrest away business credentials.
Activists with Fight for the Future, a nonprofit that’s campaigned against backdoors in mobile phones and for Net neutrality, and Free Press, a group that advocates for a free and open internet, received almost 70 phishing attempts over the course of a month, from July 7 to Aug. 8.
According to Eva Galperin and Cooper Quintin, technologists with the Electronic Frontier Foundation who analyzed the campaign, the phishing attempts ran the gamut; some were generic, some were extremely clever.
Some attacks simply sent the victim a link to view a fake Gmail document or LinkedIn notification. One attack pretended to come from a target’s husband; the email was forged to include the husband’s actual name, Galperin and Cooper wrote. Another attack pretended to come as comment from YouTube from a legitimate YouTube video the target had uploaded.
Other attacks scared victims into thinking pornographic content was getting sent to their work email; phishing attacks with subject lines akin to “You have been successfully subscribed to Pornhub[.]com” were sent to activists and followed up with emails with explicit subject lines. If a user clicked through to an unsubscribe link at the bottom of the emails they were redirected to a phony Google login page designed to steal their login.
The phishing campaign started a few days before July 12, a date dubbed the Save Net Neutrality Day of Action, when thousands of of sites, activists, and web services came together to protest the FCC’s proposed rollback of net neutrality protections.
We were targeted by a sophisticated phishing campaign, starting just before the big #NetNeutrality day of action back in July. https://t.co/CqV82AorO5
— Fight for the Future (@fightfortheftr) September 27, 2017
The Campaign Director for Fight For The Future, Evan Greer told Threatpost the non-profit has a series of robust security practices in place and thankfully realized early on the attacks may have been connected.
“At the height of the campaign we were getting several attempts per day, Greer said, “We did contact EFF and some other groups to help us look into this, and we’re very grateful for all of their support,” Greer told Threatpost Thursday.
The attacks were designed specifically to siphon away credentials for the activists’ Google, Dropbox, and LinkedIn accounts, Galperin and Cooper said. The EFF didn’t specify which organization was hit but said that at least one account was compromised by the campaign. The account, which hadn’t been used in years, was used to send out additional spearphishing emails to others in the organization.
It’s unclear if the attackers simply disagreed with the activists’ efforts or if there was a purpose behind the phishing.
“We were unable to determine what the secondary goal of the campaign was after the credentials were stolen. The attackers were remarkably persistent, switching up their attacks after each failed attempt and becoming increasingly creative with their targeting over time,” a technical analysis of the campaign reads.
While not overly technical and absent of malware, the campaign should serve as a reminder that civil liberties aren’t immune from such attacks, Galperin and Cooper said Wednesday.
“Although this phishing campaign does not appear to have been carried out by a nation-state actor and does not involve malware, it serves as an important reminder that civil society is under attack,” the two wrote. “It is important for all activists, including those working on digital civil liberties issues in the United States, to be aware that they may be targeted by persistent actors who are well-informed about their targets’ personal and professional connections.”
The EFF has a knack for helping victims sniff out phishing attacks, especially those that target internet activists. Galperin and Morgan Marquis-Boire, now a senior researcher and technical adviser at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs, helped identify a campaign targeting Syrian activists several years back. Quintin described a spear phishing campaign that ironically pretended to come from the EFF in 2015.
Citizen Lab, for its part, helped uncover a nasty phishing campaign with several targets, including Mexican journalists, lawyers, an international investigatory group, and even a child, earlier this summer. If clicked through the phishing links directed victims to commercially-produced spyware believed to be spread by the Mexican government.