'Phish for the Future' spearphishing campaign set digital civil liberty activists in its sights

Well, you can’t say they weren’t persistent…

'Phish for the Future' spear-phishing campaign set digital civil liberty activists in its sights

A spear-phishing campaign known as "Phish for the Future" targeted activists who have a history of championing users' digital civil liberties.

Between 7 July and 8 August 2017, two digital civil liberty non-governmental organizations (NGOs) called "Fight for the Future" and "Free Press" suffered at least 70 different spearphishing attempts from the same actor. Most of the lures came in the form of fake pages designed to lift the recipient's Google or DropBox login credentials.

The attackers were successful in one case and abused the compromised account to send out additional spearphishing messages. But they never secured access to additional files. Therefore, it's impossible to say what the phishers were exactly after in their campaign.

Media 20170921 1

An example of a Google credential phishing page. (Source: EFF)

Many of the attempts simply consisted of a message instructing the recipient to view a Google Doc or Dropbox file. Others used fake adult website subscriptions to increase the likelihood of a click on an unsubscribe button that redirected to a credential-stealing webpage.

Some were even a little more involved than that. One masqueraded as a YouTube comment to a legitimate video uploaded by the target to the video sharing platform. Another posed as the target's husband under the pretense of sharing family photos.

Still others were even more sophisticated. Eva Galperin and Cooper Quintin of the Electronic Frontier Foundation elaborate on such a ruse:

"One attempt, which targeted Evan Greer, Campaign Director of Fight For The Future, pretended to be a question about where to find the link to buy her music, which is available online. Evan replied with a link. The attacker replied with an email in which they complained that the link was not working correctly, having replaced the link with a phishing page made to look like a Gmail login."

All indications suggest that an actor who registered the email address amandalovers@mail[.]com directly created at least some of the 16 top-level domains (TLDs) associated with the campaign or spawned other domains that shared servers with some of the domains seen in these attacks.

Whoever the attacker is, it's safe to assume that there will ultimately be more like them. Galperin and Quintin clarify that point:

"Although this phishing campaign does not appear to have been carried out by a nation-state actor and does not involve malware, it serves as an important reminder that civil society is under attack. It is important for all activists, including those working on digital civil liberties issues in the United States, to be aware that they may be targeted by persistent actors who are well-informed about their targets’ personal and professional connections."

For added protection, digital civil liberties activists should enable optional security measures such as two-step verification (2SV) or two-factor authentication (2FA) on their web accounts. Doing so will strengthen their accounts' security even if someone makes off with their login credentials.

Tags: , , , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , , , , ,

No comments yet.

Leave a Reply