New Wave of Facebook Phishing Attacks Targets Syrian Activists
The campaign of attacks targeting Syrian opposition activists on the Internet continues to intensify. Since the beginning of the year, Syrian opposition activists have been targeted using several Trojans, which covertly install spying software onto the infected computer, as well as phishing attacks which steal YouTube and Facebook login credentials.
Since April 9th, EFF has seen at least five new phishing attacks, the aim of which is to steal Facebook logins and passwords; some attacks also involve a component that covertly installs surveillance malware onto the targeted computer. One of these attacks was seeded through links in comments left on the Facebook pages of prominent members of the Syrian opposition, including Burhan Ghalioun, Chairman of the Syrian Opposition Transitional Council. Ghalioun has been the target of numerous hacking attempts. Last week, members of the Syrian Electronic Army leaked emails purporting to demonstrate collaboration between Ghalioun and officials in the United States and Saudi Arabia. Ghalioun's email account was reportedly targeted in retaliation for the Syrian opposition's leak of emails allegedly allegedly belonging to Syrian president Bashar Assad and his wife.
The link left in the comments section of Ghalioun's Facebook page led to a site, displayed in the screenshot below.
The site appears to offer a Facebook security application. Downloading the application provides you with a file called FacebookWebBrowser.exe, shown in the screenshot below. FacebookWebBrowser.exe is a malicious application which logs keystrokes and steals login credentials for email accounts, YouTube, Facebook, Skype, and others. At this time, FacebookWebBrowser.exe is recognized as malicious by six anti-virus vendors. The malicious application can be seen in the screenshot below.
The fake Facebook security application is hosted on a compromised domain: http://www.ckku.com. The index page appears to host a legitimate jewelery-vending website, but the domain has been hosting malicious content since March 18, 2012, as can be seen in the index of includes shown in the screenshot below.
Review of the compromised website reveals evidence of another malicious application disguised as a Document file (Document.doc .exe) and of additional Facebook phishing campaigns, including the phishing site shown in the screenshots below.
Phishing page from March 18th, 2012.
Phishing page from April 20th, 2012.
EFF has also reported on phishing attacks hosted by Cixx6, a free hosting website. Since that time, three additional Facebook phishing attempts targeted at Syrian activists, all using slightly different URLs, have been found hosted at this domain. The pages can be seen in the three screenshots below. These links are usually accompanied by descriptions in Arabic alleging the mistreatment of women by Syrian government forces during the ongoing uprising.
Phishing page from April 9th, 2012.
Phishing page from April 11th, 2012.
Phishing page from April 16th, 2012.
This attack steals usernames and passwords and could potentially give an attacker access to all of the private information in your Facebook account. Syrian Facebook users should also be cautious about clicking on links sent over Facebook by their friends, whose accounts may have been compromised.
Facebook users should be especially cautious about clicking on links in the comment sections of pro-Syrian-revolution forums, especially if they are accompanied by this text. Facebook users should beware of fake pages that resemble the Facebook login page. Always check the URL bar at the top of your browser to make sure it reads https://www.facebook.com. When in doubt, type https://www.facebook.com manually to get to Facebook.
EFF is deeply concerned to see targeted attacks on Syrian Internet activists continue. We are especially alarmed to see evidence of the targeting of high-profile figures in the Syrian opposition and indications that extended phishing campaigns are being carried out by multiple groups.