Over the course of the last year, a number of human rights organizations, labor unions, and journalists were targeted in a “phishing” campaign that attempted to steal the Google credentials of targets by luring them into viewing documents online. The campaign, uncovered by Amnesty International, is interesting largely because of the extent to which whoever was behind the attack used social media to create a complete persona behind the messages—a fictional rights activist named Safeena Malik.
Malik translates from Arabic as “King,” so Amnesty International refers to the spear-phishing campaign in a report posted to Medium today as “Operation Kingphish.”
The party or parties behind the operation created Facebook, Google, LinkedIn, and Twitter profiles for “Safeena Malik” using a young woman’s photos, which were apparently harvested from another social media account. “It appears that the attackers may have impersonated the identity of a real young woman and stole her pictures to construct the fake profile,” wrote Nex, a security researcher working with Amnesty International, “along with a professional biography also stolen from yet another person.”
While there was only one post on the Twitter account associated with the constructed identity—a one-word “hi” post when the account was created in December 2014—“she” was much more active on Facebook and LinkedIn (where the identity had accumulated more than 500 connections).
The operators behind the “Safeena Malik” identity used their amassed contacts to specifically target people associated with the rights of migrant workers in Qatar—journalists, activists, and labor union officials. Amnesty International was not directly targeted in the campaign. Large numbers of workers from Nepal and other countries have been brought to Qatar, particularly to perform construction work on stadiums and facilities for the 2022 World Cup—and there have been concerns raised over the treatment of those workers. So far, more than 1,200 migrant workers from Nepal and India have died working on the World Cup projects.
Targets would receive e-mails and social media messages from “Safeena Malik” in bursts, asking them to look at documents or presentations on Qatari human rights issues or offering forged requests to link up via Google’s Hangouts chat service. The phishing e-mails would lead to a phishing site crafted specifically for the targets, presenting their (harvested) Google account avatar as part of a page mimicking a Google account login. After capturing their credentials (in the cases where the links purported to be for documents), the page would forward them to an actual Google Docs document pilfered from another source to reduce suspicions about what had happened.
The campaign bears all the hallmarks of the textbook social media/social engineering campaign “Robin Sage,” an experiment by security researcher Thomas Ryan. Ryan created a fake profile on Facebook for Robin Sage—a young, attractive “Cyber Threat Analyst” at Naval Network Warfare Command. (“Robin Sage” is also the name of the two-week final exercise that Army Special Forces candidates are put through eight times a year at Fort Bragg, North Carolina—which one might have thought would have tipped off someone.) In his research, presented at the Black Hat conference in 2010, Ryan reported:
By the end of this experiment, Robin finished the month having accumulated hundreds of connections through various social networking sites. Contacts included executives at government entities such as the NSA, DOD and Military Intelligence groups. Other friends came from Global 500 corporations. Throughout the experiment Robin was offered gifts, government and corporate jobs, and options to speak at a variety of security conferences…Through this 28-day experiment, it became evident that the propagation of a false identity via social networking websites can be rampant and viral. Much of the information revealed to Robin Sage violated OPSEC and PERSEC procedures.
It is not known who is behind the phishing campaigns. But some of the accounts that were compromised were logged into from an IP address connected to an Internet provider in Doha, Qatar. The Qatari government has denied involvement.