
"Phish For the Future" campaign targets digital civil liberties activists

In this 27 February 2013 file photo illustration, a man types on a keyboard in Los Angeles

AP Photo/Damian Dovarganes, File

This statement was originally published on 27 September 2017.

This report describes "Phish For The Future," an advanced persistent spearphishing campaign targeting digital civil liberties activists at Free Press and Fight For the Future. Between July 7th and August 8th of 2017 we observed almost 70 spearphishing attempts against employees of internet freedom NGOs Fight for the Future and Free Press, all coming from the same attackers.

This campaign appears to have been aimed at stealing credentials for various business services including Google, Dropbox, and LinkedIn. At least one account was compromised and was used to send out additional spearphishing emails to others in the organization. Because the compromised account had been neglected for years and contained no recent activity, we suspect the attackers were trying to leverage trust in order to compromise a more recent or high-value account. We were unable to determine what the secondary goal of the campaign was after the credentials were stolen. The attackers were remarkably persistent, switching up their attacks after each failed attempt and becoming increasingly creative with their targeting over time.

An example of a Google credential phishing page


Some of the attacks were generic, such as a link to view a Gmail document supposedly sent by a co-worker or a LinkedIn notification message from a colleague. Other spearphishing attempts demonstrated quite a bit more ingenuity. One attempt, which targeted Evan Greer, Campaign Director of Fight For The Future, pretended to be a question about where to find the link to buy her music, which is available online. Evan replied with a link. The attacker replied with an email in which they complained that the link was not working correctly, having replaced the link with a phishing page made to look like a Gmail login. Another attack pretended to be from a target's husband, sharing family photos; the email was forged to include the husband's name. Yet another attack pretended to be a YouTube comment for a real YouTube video that the target had uploaded. As one might expect from a YouTube comment, the contents of the fake comment were quite aggressive and hateful.

Other attacks involved sending clickbait headlines to try to get the targets' interest. Some of the headlines were designed to appeal to the political interests of the targets, such as: "George W. Bush ON TRUMP'S TWEET: A FREE PRESS IS 'INDISPENSABLE TO DEMOCRACY,'" "Chelsea Manning's release is the inspiring proof: nothing is impossible," and "Net Neutrality Activists 'Rickroll' FCC Chairman Ajit Pai." Others were lurid clickbait, presumably designed to embarrass the recipient into clicking a fake unsubscribe link, such as "Porn star Jessica Drake claims Donald Trump offered her $10G, use of his private jet for sex," and "Reality show mom wants to hire a hooker for her autistic son." The combination of headlines that would appeal to leftist activists and tabloid clickbait that is embarrassing to be found in one's work email seems well designed to attract the attention of the targets. Each of the emails contained an "unsubscribe" link which led the user to a Gmail credential phishing page such as the one above.

Read the full report on EFF's site.
