Attackers who use phishing scams to target human rights defenders in the Middle East and North Africa (MENA) are developing increasingly sophisticated techniques to infiltrate their accounts and evade digital security tools, according to new research published by Amnesty Tech.
The organization highlighted three key tactics attackers are employing to ensnare people who take extra steps to secure their accounts online. These include asking users to reset the password on their Google accounts; tricking them into authorizing apps which purport to “secure” their Outlook accounts; and abusing legitimate authentication process apps to infiltrate accounts.
“Human rights defenders across MENA need to be on high alert. Even as they get better at using digital tools to secure their accounts, attackers are developing sophisticated new ways to get past these tools,” said Claudio Guarnieri, Senior Technologist, Amnesty Tech.
Human rights defenders across MENA need to be on high alert. Even as they get better at using digital tools to secure their accounts, attackers are developing sophisticated new ways to get past these toolsClaudio Guarnieri, Senior Technologist, Amnesty Tech
“Phishing scams can have disastrous consequences for human rights defenders and journalists in the MENA region. The stakes are very high – many activists risk arbitrary arrest, detention, or torture and other ill-treatment if their online accounts are compromised.”
Amnesty Tech has published a full briefing detailing the new wave of attacks, including screenshots and detailed guidelines on what to look out for.
In July 2019, several human rights defenders in the MENA region shared with Amnesty International new malicious emails they had received. They revealed a renewed campaign of targeted phishing which Amnesty believes to be orchestrated by the same attackers or by a closely related group to that documented by Amnesty Tech in December 2018. The sophisticated nature of these attacks means that even good defences against phishing such as two-factor authentication are not enough to fully protect human rights defenders.