Net Neutrality Activists Targeted by Clever Pornhub-Themed Phishing Campaign

Post a Fraud Alert:

Account takeover email

Employees of US NGOs Fight for the Future and Free Press were targeted with complex spear-phishing attempts between July 7 and August 8, reported today the Electronic Frontier Foundation (EFF). Both organizations targeted in the attacks are currently fighting against for Net Neutrality in the US.

Based on currently available evidence, the attacks appear to have been orchestrated by the same attacker, located in a UTC+3-5:30 timezone, said EFF Director of Cybersecurity Eva Galperin and EFF security researcher Cooper Quintin.

At least one victim fell for the attacks

“Although this phishing campaign does not appear to have been carried out by a nation-state actor and does not involve malware, it serves as an important reminder that civil society is under attack,” said the two today.

“It is important for all activists, including those working on digital civil liberties issues in the United States, to be aware that they may be targeted by persistent actors who are well-informed about their targets’ personal and professional connections.”

At least one victim fell for the 70 fake emails sent during the phishing attempts. Attackers didn’t deliver malware but lured victims away on a remote site designed to phish Google, Dropbox, and LinkedIn credentials.

“The attackers were remarkably persistent, switching up their attacks after each failed attempt and becoming increasingly creative with their targeting over time,” EFF said.

Using porn sites to phish Google credentials

The most creative of the spear-phishing emails was when victims received emails with the subject line “You have been successfully subscribed to Pornhub.com,” or “You have been successfully subscribed to Redtube.com,” two very popular adult video portals.

Minutes later, victims received another email made to look like it was coming from the same two services. These second emails contained explicit subject lines.

Because spear-phishing emails were aimed at work emails, most victims would have been inclined to unsubscribe from the incoming emails. This was the catch, as attackers doctored the unsubscribe link, leading victims to a fake Google login screen.

Attackers used different tactics as the campaign progressed

The PornHub and RedTube phishes were not the only ones. Attackers also used other tactics.

In one case, one of the targeted activists received a request from a user asking for a link to buy her music. When the target replied, the attacker answered back with a Gmail phishing link, claiming the buy link didn’t work.

EFF experts say that victims who had two-factor authentication turned on for their accounts would have prevented attackers from logging into their profiles even if they had managed to obtain their password.

For researchers, indicators of compromise (IOCs) are available in EFF’s report, here.