Submitted URL: http://electronicfrontierfoundation.org/
Effective URL: https://www.eff.org/deeplinks/2015/08/new-spear-phishing-campaign-pretends-be-eff
Submission: On May 30 via api from BY — Scanned from FR

NEW SPEAR PHISHING CAMPAIGN PRETENDS TO BE EFF

DEEPLINKS BLOG
By Cooper Quintin
August 27, 2015


> Update 01/28/16: EFF now controls the Electronicfrontierfoundation.org domain
> and that URL currently redirects to this blog post. If you arrived at this
> page via a link in a message that may have been phishing, please let us know
> and we will investigate.

Google's security team recently identified a new domain masquerading as an
official EFF site as part of a targeted malware campaign. That domain,
electronicfrontierfoundation.org, is designed to trick users into a false sense
of trust and it appears to have been used in a spear phishing attack, though it
is unclear who the intended targets were. The domain was registered on August 4,
2015, under a presumably false name, and we suspect that the attack started on
the same day. At the time of this writing the domain is still serving malware.

Electronicfrontierfoundation.org was not the only domain involved in this
attack. It seems to be part of a larger campaign, known as “Pawn Storm”. The
current phase of the Pawn Storm attack campaign started a little over a month
ago, and the overall campaign was first identified in an October 2014 report
from Trend Micro (PDF). The group behind the attacks is possibly associated with
the Russian government and has been active since at least 2007.

The attack is relatively sophisticated—it uses a recently discovered Java
exploit, the first known Java zero-day in two years. The attacker sends the
target a spear phishing email containing a link to a unique URL on the malicious
domain (in this case electronicfrontierfoundation.org). When visited, the URL
will redirect the user to another unique URL in the form of
http://electronicfrontierfoundation.org/url/{6_random_digits}/Go.class
containing a Java applet which exploits a vulnerable version of Java. Once the
URL is used and the Java payload is received, the URL is disabled and will no
longer deliver malware (presumably to make life harder for malware analysts).
The attacker, now able to run any code on the user's machine due to the Java
exploit, downloads a second payload, which is a binary program to be executed on
the target's computer.

We were able to recover the following samples of the malicious Java code from
electronicfrontierfoundation.org.

Filename    MD5 Sum                           SHA1 Sum
App.class   0c345969a5974e8b1ec6a5e23b2cf777  95dc765700f5af406883d07f165011d2ff8dd0fb
Go.class    25833224c2cb8050b90786d45f29160c  df5f038d78f5934bd79d235b4d257bba33e6b3

[Image: The decompiled Java for App.class]

The Go.class applet bootstraps and executes App.class, which contains the actual
attack code. The App.class payload exploits the same Java zero-day reported by
Trend Micro and then downloads a second stage binary, internally called
cormac.mcr, to the user's home directory and renames it to a randomly chosen
string ending in `.exe`. Interestingly, App.class also contains code to download
a *nix-compatible second stage binary if necessary, implying that this attack
could potentially target Mac or Linux users as well.
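As an added defender-side example (not code from the original post or from EFF), the sweep below flags proxy-log requests that touch the campaign infrastructure described above: the masquerading domain, the per-target /url/{6 digits}/Go.class exploit URL and the cormac.mcr second-stage name, and it matches file MD5 sums against the two recovered classes. The log format, the sample log lines and the /dl/ download path are constructed for illustration and are not from the post.

```python
import re

# Indicators taken from the post: the masquerading domain, the per-target
# exploit URL pattern, the MD5 sums of the two recovered classes and the
# internal name of the second-stage binary.
PHISH_DOMAIN = "electronicfrontierfoundation.org"
EXPLOIT_URL_RE = re.compile(r"^/url/\d{6}/Go\.class$")
KNOWN_MD5 = {
    "0c345969a5974e8b1ec6a5e23b2cf777": "App.class",
    "25833224c2cb8050b90786d45f29160c": "Go.class",
}
SECOND_STAGE_NAME = "cormac.mcr"

# Constructed proxy-log format (an assumption, not from the post):
# <timestamp> <client_ip> <method> <host> <path> <status>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def scan_proxy_log(lines):
    """Return (client, reason, path) for each request touching the campaign.

    A plain visit to the domain is only a possible phishing click; a hit on the
    /url/NNNNNN/Go.class pattern or on the cormac.mcr name means exploit or
    second-stage delivery, the point at which the client should be isolated.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the sweep
        _ts, client, _method, host, path, _status = m.groups()
        if host.lower() != PHISH_DOMAIN:
            continue
        if EXPLOIT_URL_RE.match(path):
            hits.append((client, "java-exploit-delivery", path))
        elif SECOND_STAGE_NAME in path.lower():
            hits.append((client, "second-stage-download", path))
        else:
            hits.append((client, "phishing-domain-visit", path))
    return hits


def classify_md5(md5sum):
    """Map a file's MD5 sum to the class name from the post, or None."""
    return KNOWN_MD5.get(md5sum.strip().lower())


# Constructed sample log: one client follows the full chain, one is benign.
SAMPLE_LOG = [
    "2015-08-04T10:15:02Z 10.0.0.12 GET electronicfrontierfoundation.org /deeplinks/privacy 200",
    "2015-08-04T10:15:04Z 10.0.0.12 GET electronicfrontierfoundation.org /url/483920/Go.class 200",
    "2015-08-04T10:15:09Z 10.0.0.12 GET electronicfrontierfoundation.org /dl/cormac.mcr 200",
    "2015-08-04T10:16:00Z 10.0.0.33 GET www.eff.org /deeplinks/2015/08/new-spear-phishing-campaign-pretends-be-eff 200",
    "not a log line",
]

if __name__ == "__main__":
    for client, reason, path in scan_proxy_log(SAMPLE_LOG):
        print(client, reason, path)
```

A request to the domain with a path that does not match the six-digit pattern is still reported as a domain visit, so a malformed or five-digit URL is not silently dropped.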

Unfortunately we weren't able to retrieve the second stage binary; however, this
is the same path and filename that has been used in other Pawn Storm attacks,
which suggests that it is likely to be the same payload: the malware known as
Sednit. On Windows, the Sednit payload is downloaded to the logged-in user's
home directory with a randomly generated filename and executed. Once running, it
hooks a variety of services and downloads a DLL file. The DLL file is executed
and connects to a command and control server, where it appears to verify the
target and then execute a keylogger or other modules as required by the
attacker.

Because this attack used the same path names, Java payloads, and Java exploit
that have been used in other attacks associated with Pawn Storm, we can conclude
that this attack is almost certainly being carried out by the same group
responsible for the rest of the Pawn Storm attacks. Other security researchers
have linked the Pawn Storm campaign with the original Sednit and Sofacy targeted
malware campaigns–also known as “APT 28”–citing the fact that they use the same
custom malware and have similar targets. In a 2014 paper the security company
FireEye linked the “APT 28” group behind Sednit/Sofacy with the Russian
Government (PDF) based on technical evidence, technical sophistication, and
targets chosen. Drawing from these conclusions, it seems likely that the
organization behind the fake-EFF phishing attack also has ties to the Russian
government. Past attacks have targeted Russian dissidents and journalists, U.S.
Defense Contractors, NATO forces, and White House staff. We do not know who the
targets were for this particular attack, but it does not appear that it was EFF
staff.

The phishing domain has been reported for abuse, though it is still active, and
the vulnerability in Java has been patched by Oracle. Of course this is an
excellent reminder for everyone to be vigilant against phishing attacks. Our SSD
guide contains advice on how to improve your security, watch for malicious
emails, and avoid phishing attacks such as this one.


RELATED ISSUES

Security
State-Sponsored Malware


RELATED CASES

Kidane v. Ethiopia