OpSyria: Hand-crafted phishing to chase Syrian activists

Telecomix Syria

How the lamest ever phishing tool can kill Syrians.

Reflets has been continuously warning that several major western manufacturers were selling – directly or not – monitoring equipment to dictatorial regimes. This includes the French company Amesys that provided Libya with their famous mass-monitoring system Eagle, the Italian brand Area SpA that may be about to install the same kind of devices for the Syrian regime (using technology produced by the French company Qosmos), and of course the American company Blue Coat, having at least twenty of their ProxySG devices in Syria to monitor and censor the Web. All these tools have been used for years to arrest opponents who were expressing their opinions too freely on the Internet.

Far from those high-tech devices involving thousand-euro contracts, Assad’s thugs, the now famous Mukhabarat and Shabeeha, also benefit from amateurish Web developers to steal opponents’ logins and passwords on the main social media and e-mail providers. And this might be even more efficient than expensive monitoring equipment.

Details on a website that is practising the « business of phishing » follow. The bell was rung by several Syrian Telecomix agents, who had noticed that the link was being spread on several Syrian Revolution Facebook pages by untrusted people.

Facebook comment screenshot
An Arabic Facebook comment promoting a Hotmail phishing link while telling people it will help them increase their security

 

Account Hacking Made Easy

A developer promotes his phishing service in a video posted on YouTube, showing how easy it is to create a free account on his website, WinBeve.com. One only needs to connect to the publicly available website, create a login and a password and provide an e-mail address, which actually does not have to be valid. The process is particularly simple: once the user is logged in, the website provides him with a list of URLs to broadcast to those he wants to trap. Whenever a victim enters his credentials on one of these pages and clicks on a fake « Login » or « Sign Up » button, the « phisher » gets an automatic message containing the credentials plus additional details such as the originating IP address. WinBeve.com provides fake login pages for a lot of services, as shown by the following screenshot or by this mirror of the page.

Screenshot of the WinBeve.com website showing the phishing URLs that an attacker would have to provide to his victims.

 

This makes quite an impressive list, and the developer did not focus only on the main websites, namely Facebook, Gmail, Hotmail and Twitter. This variety shows a clear will to offer a broad service that can target various kinds of Internet users with habits corresponding to various areas of the world.

The developer finally proudly created a Facebook page for his project in order to promote his work.

 

A Technical Joke

A quick look at the phishing infrastructure is – for any slightly tech-aware person – literally hilarious. The generic process of the phishing mechanism is the following:

  1. The victim lands on a fake login page (e.g. Facebook) that WinBeve had provided to the attacker.
  2. The victim enters his credentials and clicks on the « Login » or « Sign in » (or equivalent) button.
  3. The user is discreetly redirected to the central WinBeve.com server, which stores his credentials into the attacker’s account and then redirects the user again to the legitimate login page (e.g. the real Facebook).

A proposed URL to trap, for instance, a Windows Live user, was http://windows-live.be.gp/h/?id=u1320783049&c=1293935758&w. Such a URL should be suspicious without even having to click on it. And this feeling should be strengthened when seeing an « official » Windows Live login form on that page. Moreover, by browsing back to the root directory at http://windows-live.be.gp/, other subdirectories were found, leading to phishing pages for other services such as Facebook and Yahoo, thus completely unveiling the website as a sort of phishing repository.

But the best of all has yet to come. The user registered on the WinBeve website is simply identified by the string « id=u1320783049 » shown in the URL. This parameter is then forwarded to the WinBeve website through another URL once the victim has clicked the « Login » button. In fact, the credentials also appear in cleartext in the URL leading to the WinBeve website.
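The two weaknesses described above – a brand name sitting in a hostname whose registered domain has nothing to do with that brand, and credentials passed in cleartext as GET parameters – are exactly what a proxy or gateway can flag. The following is an added example, not code from the original article or from the WinBeve.com kit: a small Python checker run over a few constructed proxy-log lines. Only the windows-live.be.gp URL is the one quoted in the article; the winbeve.example host, the log format, the client addresses and the brand/domain table are assumptions made for the example (a real deployment would use the Public Suffix List rather than the two-label heuristic used here).

```python
"""Flag phishing-style URLs in proxy logs: brand name on a foreign domain,
credentials in the query string, login page over plain HTTP.

Added illustration; the sample log lines are constructed (only the
windows-live.be.gp URL is quoted from the article)."""
from urllib.parse import urlsplit, parse_qs

# Brands imitated by the kit and the registrable domains they legitimately use.
# Assumption: kept deliberately short; extend per deployment.
BRAND_DOMAINS = {
    "facebook": {"facebook.com"},
    "windows-live": {"live.com", "microsoft.com"},
    "hotmail": {"hotmail.com", "live.com"},
    "gmail": {"google.com", "gmail.com"},
    "yahoo": {"yahoo.com"},
    "twitter": {"twitter.com"},
}

# Query-string keys that should never carry a value in a GET request.
CREDENTIAL_KEYS = {"password", "pass", "passwd", "pwd", "pw",
                   "login", "email", "user", "username"}


def registrable_domain(host):
    """Last two labels of a hostname. Heuristic: assumes two-label registrable
    domains; a real deployment would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse_url(url):
    """Return a list of findings for one URL; an empty list means nothing suspicious."""
    findings = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    reg = registrable_domain(host)

    # 1. A brand name appears in the hostname, but the registered domain is not the brand's.
    for brand, legit in BRAND_DOMAINS.items():
        if brand in host and reg not in legit:
            findings.append(f"brand '{brand}' in host but registered domain is '{reg}'")
            break

    # 2. Credential-like keys in the query string (the kit relayed them in cleartext via GET).
    qs = parse_qs(parts.query, keep_blank_values=True)
    leaked = sorted(k for k in qs if k.lower() in CREDENTIAL_KEYS)
    if leaked:
        findings.append("credential-like query keys: " + ", ".join(leaked))

    # 3. Something that claims to be a login page served over plain HTTP.
    if parts.scheme == "http" and any(w in parts.path.lower() for w in ("login", "signin")):
        findings.append("login path over plain http")
    return findings


def scan_proxy_log(lines):
    """Return (client, url, findings) for every log line whose URL is flagged.
    Assumed log format: '<timestamp> <client-ip> <url>'."""
    flagged = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line; skip rather than crash the scan
        client_ip, url = fields[1], fields[2]
        findings = analyse_url(url)
        if findings:
            flagged.append((client_ip, url, findings))
    return flagged


# Constructed sample log. Line 2 is the URL quoted in the article; the others are made up.
SAMPLE_LOG = [
    "2011-11-15T10:01:02Z 10.0.0.5 https://www.facebook.com/login.php",
    "2011-11-15T10:01:09Z 10.0.0.5 http://windows-live.be.gp/h/?id=u1320783049&c=1293935758&w",
    "2011-11-15T10:01:11Z 10.0.0.5 http://winbeve.example/catch.php?id=u1320783049&login=victim%40example.com&password=hunter2",
    "2011-11-15T10:02:30Z 10.0.0.7 https://mail.google.com/mail/",
]

if __name__ == "__main__":
    for client, url, findings in scan_proxy_log(SAMPLE_LOG):
        print(client, url)
        for f in findings:
            print("   -", f)
```

The second sample line is caught by the hostname rule alone, which is the point the article makes: the URL was suspicious before anyone clicked it. The third line shows the relay step, where a victim's login and password travel as GET parameters; any proxy that logs full URLs therefore also ends up storing those credentials, which is one more reason such logs need the same protection as the accounts they reveal.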

All these funny flaws allowed us to emit hundreds of random fake login requests in order to try to « hide » in the mass any potentially real credentials that could have been caught.

 

A Deadly Joke

Although the technical process is terribly lame, there were reports of users who were actually trapped by this system, and there is no doubt that several opponents were caught, compromising themselves and several of their Facebook contacts. Nothing can protect a user from such a phishing website as long as it is running. Tor or VPNs do not protect at all from such websites. User carefulness is the only defense.

Not only may this exploitation of the lack of experience of Syrian Internet users have been particularly efficient, but it is likely that opponents outside Syria were also hit by the trick, allowing the Mukhabarat to efficiently chase cross-border opposition groups and trace even more efficiently the links between people. As a reminder, Syrian opponents have been chased even in the very center of Paris by Mukhabarat holding diplomatic passports. This lame trick could thus endanger more Syrians who are located outside Syria, as well as their families and friends who are still inside the country.

This also shows that regime supporters make use of techniques that go from the most advanced monitoring technologies such as what is provided by Blue Coat and Area to the most basic script kiddie creations such as this phishing platform. This is of course without mentioning torture, that is used to force people to give their credentials.

It is also another example showing that the most technologically advanced means of monitoring are not necessarily the most efficient for spying on opponents’ activities. In fact, the people’s worst enemy is their own lack of knowledge about the basic precautions that have to be taken on the Internet, and educational efforts still have to be made. This observation is, by the way, valid for any country, and is repeated again and again, although it is not always related to a life-and-death matter.

 

Business as Usual

At first glance, no relation could be seen between the person who made the WinBeve website and the Syrian authorities. This developer apparently comes from Morocco and is promoting his own software around him, with the basic will to get money out of it. Unless there are relations between him and Syrian Mukhabarat that we did not notice, it looks like this person does not (want to) realize that the use of his tool can lead to dozens of people being (at least) put in jail.

This behaviour is in fact similar to what we observed from several major brands such as Blue Coat, who at first did not seem to (or did not want to) imagine that their devices were actually actively used to commit crimes.

It looks like these concerns do not really matter when it comes to earning money. Fortunately, Telecomix efforts to shut down the phishing pages were successful, as the providers who were hosting them blocked the associated domains quickly after they were warned. The WinBeve website appears to be down as well at the moment.

 

Centralised Model is Bad for Human Rights

After more than eight months of revolution, Syrians still report that Facebook is the main tool used by the Mukhabarat to chase opponents of the regime. Meanwhile, people keep using this tool to communicate, gather and organize protest activities, thus taking high risks of being caught. Even though more Syrians register on Facebook using a fake identity, several dozen people are sometimes arrested at once as a consequence of a single person being previously arrested and giving up his credentials. The massive use of Facebook as a central point for gathering and organizing, together with the fact that a hacked Facebook account reveals a person’s relationships, posts and comments history and additional personal data, are some of the causes that make it an excellent chasing tool.

Centralized tools – or, should I say, commercial websites – such as Facebook and Google+ obviously show hard limits when it comes to protecting people’s privacy, because a vast part of their business is based on collecting users’ personal information. In cases such as Syria, protecting people’s privacy is a matter of life and death.

No matter how hard these brands discourage users from creating fake accounts, people should be able to gather and chat securely and anonymously without having to register in any way that would lead to re-usable data being stored on a remote server. Among the alternatives, lots of old school IRC servers all around the Internet allow this, including the one provided by Telecomix, where Syrians are increasingly gathering.


5 thoughts on “OpSyria: Hand-crafted phishing to chase Syrian activists”

  1. I agree, many activists were arrested because of phishing, although the Mukhabarat way of phishing is very obvious and ridiculous. They use attractive, remarkable and very exaggerated titles for their phishing links, i.e.: « A picture of Maher Assad died ». So you need to be very naive to fall for this trap. Now most activists use Facebook web apps to get rid of this trap, such as « Hootsuite ».

    1. The domain has been blocked and I think there is virtual hosting behind it, so I don’t think it is possible to reach it even if you control the DNS.

      Anyway, it was clearly not the Syrian government that controlled these sites.

      Besides, on the one hand Syrians can use other DNS servers; on the other hand, if they use Tor, a VPN or any kind of darknet, they can use internal DNS servers that escape government control.

  2. Thanks a lot KheOps for flooding their database so they can’t find any useful credentials ^_^

    After all, those thugs are all over the internet, we are trying to find them and report them to #opsyria.

    Also, it is a good idea to teach people these simple things like « look carefully at the URL » because it can save their lives. It’s a matter of life and death, not just privacy.

    Viva la Revolution! Viva #opsyria! ^_^
