'Phishing' attacks target activists over Qatar and Egypt

Investigations by Amnesty International have uncovered an elaborate "phishing" campaign which targeted dozens of activists, trade unionists and journalists working on the issue of migrant labourers' rights in Qatar.

Amnesty's revelations come just two weeks after the exposure of a separate phishing campaign directed against civil society organisations in Egypt.

The aim of phishing attacks is to trick people into disclosing sensitive personal information, such as internet passwords, in order to use it for malicious purposes.

Phishing is not uncommon and is often an attempt to steal money from the victim but the Qatar-related attacks seem to have been politically motivated and were unusually intricate. They involved the creation of a fake online persona using the name "Safeena Malik" – supposedly a young university graduate carrying out research into human trafficking.

Amnesty's report gives several examples of how "Safeena" worked. In one instance she contacted her target seeking help with her research and then offered to share her own research with the target. Amnesty continues:

"In the course of this email correspondence, the attacker – 'Safeena' – then sent what appeared to be invitations to access several documents on Google Drive.

<a href=Click here to enlarge" src="/sites/default/files/phishing1.png" style="border-style:solid; border-width:1px; height:298px; width:400px" />

"The links and buttons contained in the emails would direct the victim to a webpage that looked something like this:

<a href=Click here to enlarge" src="/sites/default/files/phishing2.png" style="border-style:solid; border-width:1px; height:340px; width:400px" />

"The page is designed to mimic a standard Google login page, with a high degree of accuracy. While most common phishing pages would only provide an empty form to enter an email address and password, this one instead is configured to display the profile picture, the account name, and the email address of the victim. This is obscured in the above screenshot to protect the privacy of the victim.

"This design effectively replicates a real Google login page, which would similarly display the same information if you had previously logged into your account from a computer. The attackers were meticulous in making their phishing page as credible as possible.

"Interestingly, after the victims would have entered their Google account credentials, they would be redirected to an actual document hosted on Google Drive, effectively recreating a normal browsing experience in order to avoid suspicion."

Obtaining login details in this way can give access to the target's email account. That, in turn, would allow attackers to compile details of the target's contacts and sources of information, as well as being able to abuse their accounts for impersonation. 

Amnesty says the attackers logged into some of the "harvested" email accounts through Ooredoo, an internet service provider based in Qatar. The Qatari government has denied any connection with the attacks.

The use of a fake persona to contact and try to befriend the phishers' targets is reminiscent of the tactics employed by Voiceless Victims, a fake human rights organisation which was exposed by another Amnesty International investigation last December. Voiceless Victims also appears to have been trying to snoop on organisations and individuals campaigning in support of migrant workers in Qatar, but there is currently no evidence linking Voiceless Victims to the phishing attacks.

Egyptian activists targeted

Earlier this month the Toronto-based Citizen Lab issued a detailed report on a campaign dubbed "Nile Phish" which targeted prominent civil society organisations in Egypt – organisations which have also suffered harassment from the Sisi regime. The targets included:

  • Cairo Institute for Human Rights Studies
  • Egyptian Initiative for Personal Rights
  • Egyptian Commission for Rights and Freedoms
  • Nadeem Center for Rehabilitation of Victims of Violence
  • Nazra for Feminist Studies
  • Association for Freedom of Thought and Expression

(The Nadeem Center was forcibly closed down by police last week.)

The Citizen Lab comments:

"Nile Phish’s sponsor clearly has a strong interest in the activities of Egyptian NGOs, specifically those charged by the Egyptian government in Case 173. The Nile Phish operator shows intimate familiarity with the targeted NGOs activities, the concerns of their staff, and an ability to quickly phish on the heels of action by the Egyptian government.  For example, we observed phishing against the colleagues of prominent Egyptian lawyer Azza Soliman, within hours of her arrest in December 2016. The phishing claimed to be a copy of her arrest warrant.

"We are not in a position in this report to conclusively attribute Nile Phish to a particular sponsor. However, the scale of the campaign and its persistence, within the context of other legal pressures and harassment, compound the extremely difficult situation faced by NGOs in Egypt."

Needless to say, the Egyptian government denies being involved in the phishing attacks.