The Electronic Frontier Foundation (EFF) confirmed that a sophisticated spear-phishing campaign targeted the employees of Internet freedom NGOs “Free Press” and “Fight for the Future”
The EFF revealed that it is aware at least 70 attempts to steal the credentials of net neutrality activists between July 7 and August 8.
Hackers attempted to gather credentials associated with online services, including Google, Dropbox, and LinkedIn, and at least in one case, they succeeded.
The hackers compromised an account and used to launch spear-phishing attacks against other targets.
According to the experts, the campaign was managed by a single threat actor, they pointed out that attackers did not use malware to targets victims.
“This report describes “Phish For The Future,” an advanced persistent spearphishing campaign targeting digital civil liberties activists at Free Press and Fight For the Future. Between July 7th and August 8th of 2017 we observed almost 70 spearphishing attempts against employees of internet freedom NGOs Fight for the Future and Free Press, all coming from the same attackers.” reads the report published by EFF.
The attackers used various social engineering technique to trick victims into providing their credentials.
In some cases, attackers used fake LinkedIn notification messages containing links to Gmail phishing sites.
“Another attack pretended to be from a target’s husband, sharing family photos; the email was forged to include the husband’s name. ” continues the report.
In another attempt, the attackers sent messages related to a YouTube aggressive and hateful comment for a real YouTube video that the target had uploaded.
Who is behind the attack?
The EFF only pointed out that the threat actor appears to be working from an office, with Saturday and Sunday off, during working hours associated with the UTC+3 – UTC+5:30 timezones. This circumstance suggests that attackers may be located in Eastern Europe, Russia, part of the Middle East, or India, but Saturday and Sunday are not weekend days in many Middle Eastern countries.
Unfortunately, the IP from which the one compromised account was accessed did not provide any clues as it was associated with a VPN service.
“The sophistication of the targeting, the accuracy of the credential phishing pages, the working hours, and the persistent nature of the attacks seem to indicate that the attackers are professionals and had a budget for this campaign,” continues the analysis.
Cyber criminals or state-sponsored hackers?
Researchers with the EFF don’t believe the spear-phishing campaign against Freedom Activists has been carried out by a nation-state actor.
“Although this phishing campaign does not appear to have been carried out by a nation-state actor and does not involve malware, it serves as an important reminder that civil society is under attack. It is important for all activists, including those working on digital civil liberties issues in the United States, to be aware that they may be targeted by persistent actors who are well-informed about their targets’ personal and professional connections,” the EFF said.