A spear-phishing campaign known as “Phish for the Future” targeted activists who have a history of championing users’ digital civil liberties.
Between 7 July and 8 August 2017, two digital civil liberty non-governmental organizations (NGOs) called “Fight for the Future” and “Free Press” suffered at least 70 different spearphishing attempts from the same actor. Most of the lures came in the form of fake pages designed to lift the recipient’s Google or DropBox login credentials.
The attackers were successful in one case and abused the compromised account to send out additional spearphishing messages. But they never secured access to additional files. Therefore, it’s impossible to say what the phishers were exactly after in their campaign.
Many of the attempts simply consisted of a message instructing the recipient to view a Google Doc or Dropbox file. Others used fake adult website subscriptions to increase the likelihood of a click on an unsubscribe button that redirected to a credential-stealing webpage.
Some were even a little more involved than that. One masqueraded as a YouTube comment to a legitimate video uploaded by the target to the video sharing platform. Another posed as the target’s husband under the pretense of sharing family photos.
Still others were even more sophisticated. Eva Galperin and Cooper Quintin of the Electronic Frontier Foundation elaborate on such a ruse:
“One attempt, which targeted Evan Greer, Campaign Director of Fight For The Future, pretended to be a question about where to find the link to buy her music, which is available online. Evan replied with a link. The attacker replied with an email in which they complained that the link was not working correctly, having replaced the link with a phishing page made to look like a Gmail login.”
All indications suggest that an actor who registered the email address amandalovers@mail[.]com directly created at least some of the 16 top-level domains (TLDs) associated with the campaign or spawned other domains that shared servers with some of the domains seen in these attacks.
Whoever the attacker is, it’s safe to assume that there will ultimately be more like them. Galperin and Quintin clarify that point:
“Although this phishing campaign does not appear to have been carried out by a nation-state actor and does not involve malware, it serves as an important reminder that civil society is under attack. It is important for all activists, including those working on digital civil liberties issues in the United States, to be aware that they may be targeted by persistent actors who are well-informed about their targets’ personal and professional connections.”
For added protection, digital civil liberties activists should enable optional security measures such as two-step verification (2SV) or two-factor authentication (2FA) on their web accounts. Doing so will strengthen their accounts’ security even if someone makes off with their login credentials.
- Two-factor authentication (2FA) versus two-step verification (2SV)
- How to better protect your Facebook account from hackers
- How to better protect your Twitter account from hackers
- How to enable two-step verification (2SV) on your WhatsApp Account
- How to protect your Amazon account with two-step verification (2SV)
- How to better protect your Google account with two-step Verification (2SV)
- How to protect your Dropbox account with two-step verification (2SV)
- How to better protect your Tumblr account from hackers with 2SV
- How to protect your LinkedIn account from hackers with two-step verification (2SV)
- How to protect your PayPal account with two-step verification (2SV)
- How to protect your Yahoo account with two-step verification (2SV)
- How to protect your Apple ID account against hackers
- How to better protect your Google account with two-step verification and Google Authenticator
- How to protect your Hootsuite account from hackers
- How to better protect your Instagram account with two-step verification (2SV)
- Instagram finally supports third-party 2FA apps for greater account security