MADRID: As previously warned by Skyline, attackers are now
developing new techniques and methods based on avoiding digital security tools to target human rights defenders and activists in Arab countries.
A recently published report by Amnesty International stated
that the newly developed phishing techniques are being used
by attackers to persuade human rights defenders who undertake additional steps to secure their online accounts.
These tactics include the misuse of legitimate applications to
infiltrate targeted accounts by asking users to reset their
password on their Google accounts, tricking them to agree to link their accounts to applications that claim to “lock” their Outlook accounts.
In July 2019, the organization said it had received malicious
emails revealing a new phishing campaign targeting human
rights defenders, which it believes was arranged by attackers who carried out previous abuses in December 2018.
There are three new tactics in the latest phishing campaign.
The first tactic is the “Reset your password” bait and it is considered one of the most common tricks.
Attackers send emails to their targets impersonating Google,
claiming to alert the recipients of unsuccessful suspicious access attempts, and suggests to secure their accounts.
These emails deceive the targeted people that it is alarming
and urgent, therefore they disclose the login data believing that Google will reset their passwords.
The report shows that the attackers in the recent campaign
have taken extra precaution to make their malicious messages and phishing pages as credible as possible so that the identification of such attacks is nearly impossible.
The second tactic is phishing via Outlook using malicious
third-party applications rather than creating fake login pages or fake password reset forms.
Hackers sometimes use what is commonly referred to as
“OAuth phishing “, which is an internet standard used to allow verification of user identity through external services without having to share passwords.
It is commonly used by legitimate application developers to
allow the connection between their software and existing accounts on the network.
Attackers use this structure to create malicious third-party applications to trick their targets into allowing them to access their accounts.
Therefore, attackers using the OAuth phishing do not need to steal login data, they
simply exploit the legitimate functionality provided by online platforms such as Google, Microsoft and Facebook.
Since account login data is verified on legitimate sites, no two-step verification formula – including security keys – can detect this phishing.
The third tactic is Google phishing by exploiting legitimate third-party applications.
In most cases of phishing via OAuth, attackers create
malicious third-party applications to steal data from targeted accounts, but in that last campaign, they began exploiting the verification procedures used by legitimate and approved third-party applications.
What is phishing?
Electronic password phishing (or “phishing based on
password theft”) is a technical intrigue designed to access login data for personal accounts (i.e. username and password).
The schema is based on the creation of a website that
impersonates the original site and simulates the login page of the account of a particular service on the Internet.
such as “Gmail” or “Facebook”, to deceive the user to disclose
data in the fields shown, and once the data is entered it is sent to the attacker.
The electronic phishing of login data, which is the common
tactic used by attackers, continues to pose a threat to online human rights defenders causing hundreds of victims worldwide.
The Skyline International has issued a comprehensive guide
for activists in the Arab world on the use of electronic devices to protect their data.