March 29, 2012 | By Eva Galperin and Morgan Marquis-Boire

Syrian Activists Targeted With Facebook Phishing Attack

Facebook has been a popular place for Syrian Internet activists to share their opposition to the Assad regime ever since the site was unblocked by the Syrian government in early 2011. While some interpreted the Assad regime's decision to allow access to Facebook as a positive sign, others feared that the government had made Facebook available for the purpose of entrapping Syrian activists.

In the past month, EFF has reported on several instances of pro-Syrian-government hackers targeting Syrian Internet activists using malware spread through chats and emails, as well as updates downloaded from a fake YouTube site. Most recently, we've seen reports from Syrian opposition networking specialists of a phishing attack aimed at Syrian activists, spread primarily on pro-revolution forums on Facebook.

The screenshot below shows the phishing link accompanied by the following text in Arabic: Urgent and critical.. video leaked by security forces and thugs.. the revenge of Assad's thugs against the free men and women of Baba Amr in captivity and taking turns raping one of the women in captivity by Assad's dogs.. please spread this.

The screenshot below displays the link in a comment under a pro-revolution video. The phishing link is accompanied by the following text in Arabic: Urgent. The thug Sharif Shihada was arrested by the Free Army. Captured by Ahrar Al Qlamoun battalion... please spread the video of him denouncing the Syrian Regime... Allahu Akbar, victory to our revolution and Free Army.

The screenshot below shows the fake Facebook login page. Note the non-Facebook URL in the URL bar of the browser.

Facebook users should be especially cautious about clicking on links in the comment sections of pro-Syrian-revolution forums, especially if they are accompanied by this text. Facebook users should beware of fake pages that resemble the Facebook login page. Always check the URL bar at the top of your browser to make sure it reads https://www.facebook.com. When in doubt, type https://www.facebook.com manually to get to Facebook.

This attack steals usernames and passwords and could potentially give an attacker access to all of the private information in your Facebook account. Syrian Facebook users should also be cautious about clicking on links sent over Facebook by their friends, whose accounts may have been compromised.

EFF is deeply concerned to see targeted attacks on Syrian Internet activists increasing in number and using increasingly diverse methods. We will continue to keep a close eye on developments.

