New Wave of Facebook Phishing Attacks Targets Syrian Activists
The campaign of attacks targeting Syrian opposition activists on the Internet continues to intensify. Since the beginning of the year, Syrian opposition activists have been targeted using several Trojans, which covertly install spying software onto the infected computer, as well as phishing attacks which steal YouTube and Facebook login credentials.
Since April 9th, EFF has seen at least five new phishing attacks, the aim of which is to steal Facebook logins and passwords; some attacks also involve a component that covertly installs surveillance malware onto the targeted computer. One of these attacks was seeded through links in comments left on the Facebook pages of prominent members of the Syrian opposition, including Burhan Ghalioun, Chairman of the Syrian Opposition Transitional Council. Ghalioun has been the target of numerous hacking attempts. Last week, members of the Syrian Electronic Army leaked emails purporting to demonstrate collaboration between Ghalioun and officials in the United States and Saudi Arabia. Ghalioun's email account was reportedly targeted in retaliation for the Syrian opposition's leak of emails allegedly belonging to Syrian president Bashar Assad and his wife.
The link left in the comments section of Ghalioun's Facebook page led to a site, displayed in the screenshot below.
The site appears to offer a Facebook security application. Downloading the application provides you with a file called FacebookWebBrowser.exe, shown in the screenshot below. FacebookWebBrowser.exe is a malicious application which logs keystrokes and steals login credentials for email accounts, YouTube, Facebook, Skype, and others. At this time, FacebookWebBrowser.exe is recognized as malicious by six anti-virus vendors. The malicious application can be seen in the screenshot below.
The fake Facebook security application is hosted on a compromised domain: http://www.ckku.com. The index page appears to host a legitimate jewelry-vending website, but the domain has been hosting malicious content since March 18, 2012, as can be seen in the index of includes shown in the screenshot below.
Review of the compromised website reveals evidence of another malicious application disguised as a Document file (Document.doc .exe) and of additional Facebook phishing campaigns, including the phishing site shown in the screenshots below.
Phishing page from March 18th, 2012.
Phishing page from April 20th, 2012.
EFF has also reported on phishing attacks hosted by Cixx6, a free hosting website. Since that time, three additional Facebook phishing attempts targeted at Syrian activists, all using slightly different URLs, have been found hosted at this domain. The pages can be seen in the three screenshots below. These links are usually accompanied by descriptions in Arabic alleging the mistreatment of women by Syrian government forces during the ongoing uprising.
Phishing page from April 9th, 2012.
Phishing page from April 11th, 2012.
Phishing page from April 16th, 2012.
This attack steals usernames and passwords and could potentially give an attacker access to all of the private information in your Facebook account. Syrian Facebook users should also be cautious about clicking on links sent over Facebook by their friends, whose accounts may have been compromised.
Facebook users should be especially cautious about clicking on links in the comment sections of pro-Syrian-revolution forums, especially if they are accompanied by this text. Facebook users should beware of fake pages that resemble the Facebook login page. Always check the URL bar at the top of your browser to make sure it reads https://www.facebook.com. When in doubt, type https://www.facebook.com manually to get to Facebook.
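The URL-bar check described above can be made mechanical, which also shows why a quick glance at the address is not enough. This is an added example, not code from EFF or Facebook; the function name `classifyLoginUrl` and the sample URLs are constructed for illustration, with lookalike hosts placed on the reserved `.example` domain.

```javascript
// Added example: decide whether a URL really points at https://www.facebook.com.
// EXPECTED_HOST is taken from the article's advice; everything else is illustrative.
const EXPECTED_HOST = "www.facebook.com";

function classifyLoginUrl(raw) {
  let url;
  try {
    url = new URL(raw); // WHATWG parser, the same rules a browser applies
  } catch (e) {
    return { ok: false, reason: "unparseable URL" };
  }
  // A phishing page can copy the login form, but not the HTTPS origin.
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not HTTPS" };
  }
  // "https://www.facebook.com@other.example/" puts the trusted name in the
  // userinfo field; the real host is whatever follows the "@".
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "userinfo before @ hides the real host" };
  }
  if (url.port !== "") {
    return { ok: false, reason: "non-default port" };
  }
  // The parser lowercases the host and converts non-ASCII letters to punycode,
  // so a homoglyph such as a Cyrillic "o" shows up as an "xn--" label.
  const host = url.hostname.replace(/\.$/, "");
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, reason: "punycode (possible homoglyph) host" };
  }
  // Exact match only: "www.facebook.com.login.example" contains the trusted
  // name but belongs to whoever controls "login.example".
  if (host !== EXPECTED_HOST) {
    const reason = host.includes("facebook")
      ? "lookalike host containing 'facebook'"
      : "different host";
    return { ok: false, reason };
  }
  return { ok: true, reason: "exact HTTPS match for " + EXPECTED_HOST };
}

// Constructed sample links, classified one by one.
const samples = [
  "https://www.facebook.com/login.php",
  "http://www.facebook.com/login.php",
  "https://www.facebook.com.login.example/",
  "https://www.facebook.com@login.example/",
];
for (const s of samples) console.log(s, "->", classifyLoginUrl(s).reason);
```
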
EFF is deeply concerned to see targeted attacks on Syrian Internet activists continue. We are especially alarmed to see evidence of the targeting of high-profile figures in the Syrian opposition and indications that extended phishing campaigns are being carried out by multiple groups.