US Department of Homeland Security Issues Cyber Security Directive Creating New Rules, Procedures & Responses Governing Future Cyber Attacks Targeting US Federal Infrastructure

Yesterday, April 29th 2019, the US Department of Homeland Security released the contents of a new Federal Directive entitled “Vulnerability Remediation Requirements for Internet Accessible Systems.” A binding operational directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems.

In it, the DHS warns all Federal agencies that they have 72 hours to diagnose the problem, and 15-30 days to patch or secure any vulnerabilities exposed in their systems/servers resulting from a cyber attack. The directive is meant to expedite future cyber responses by drastically shortening the timeline in which experts must respond and implement fixes.

Most notably, yesterday's release contained a mandate that all US Federal agencies do more to shore up their DNS systems and records, following a massive cyber security breach during the US Government shutdown of January 2019. You can read more about yesterday's release and these events via the resources provided below.

Learn More – January 2019 DNS Hijacking Campaign:

Web Version – DHS Directive fod-19-02:

Download Copy of Directive:


Egyptian Government Implicated In Massive Phishing Campaign Targeting Journalists, Political Activists & NGO’s Alike

(AI) – A new Amnesty International investigation has found a wave of digital attacks that likely originated from government-backed bodies starting from early January 2019 and involving multiple attempts to gain access to the email accounts of several prominent Egyptian human rights defenders, media and civil society organizations’ staff. The attacks appear to be part of a wider strategy, occurring amid an unprecedented crackdown on the same groups in what have turned Egypt into an “open-air” prison for critics. Because of the identities of the targets we have identified, the timing of these attacks, their apparent coordination and the notifications of state-sponsored attacks sent from Google, we conclude that these attacks were most likely carried out by, or on behalf of, the Egyptian authorities.

In recent years, the Egyptian authorities have been harassing civil society and undermining freedom of association and expression through an ongoing criminal investigation into NGOs and a repressive NGO law. The authorities have been investigating dozens of human rights defenders and NGO staff for “receiving foreign funding.” Many of them could face prison if convicted. The investigative judges have also ordered a travel ban against at least 31 NGO staff, and asset freezes of 10 individuals and seven organizations. Meanwhile, the authorities have also closed El Nadeem Center for Rehabilitation of Victims of Violence and continue to detain human rights defenders Ezzat Ghoniem and Hisham Gaafar, directors of the Egyptian Coordination for Rights and Freedoms and Mada for media studies, respectively.

The list of individuals and organizations targeted in this campaign of phishing attacks has significant overlaps with those targeted in an older phishing attack wave, known as Nile Phish, disclosed in 2017 by the Citizen Lab and the Egyptian Initiative for Personal Rights (EIPR).

Translated English Version:

Full Nile Phish Report: 


Amnesty International is deeply concerned that these phishing attacks represent yet another attempt by the authorities to stifle Egyptian civil society and calls on the Egyptian authorities to end these attacks on human rights defenders, and the crackdown on civil society, including by dropping the foreign funding case and repealing the NGO law.

A new year and a new wave of attacks

Since January 2019, several human rights defenders and civil society organizations from Egypt started forwarding dozens of suspicious emails to Amnesty International. Through the course of our investigation we discovered that these emails were attempts to access the email accounts of their targets through a particularly insidious form of phishing known as “OAuth Phishing” (which we explain in detail below). We estimate the total number of targeted individuals to be on the order of several hundred.

These coincided with a number of important events that took place in the country. In the run-up to the eighth anniversary of Egypt’s 25 January uprising, which ended with the removal of former president Hosni Mubarak, after 30 years in power, we recorded 11 phishing attacks against NGOs and media collectives. We saw another burst of attacks during French President Emmanuel Macron’s visit to Cairo to meet with President Abdel Fatah al-Sisi on 28 and 29 January. The attacks peaked on 29 January, the day that President Macron met with human rights defenders from four prominent Egyptian NGOs. Later, in the first week of February, several media organizations were targeted as part of this campaign of digital attacks; they were reporting on the process of amending the Egyptian Constitution that the parliament had just officially started.

The attacks all bear the same hallmarks and appear to be part of a coordinated campaign to spy on, harass and intimidate their targets. While definitive attribution is difficult, the selective targeting of human rights defenders from Egypt, particularly in conjunction with specific political events, suggests this current wave of digital attacks is politically, rather than financially, motivated.

Additionally, we learned that multiple targets of this campaign received an official warning from Google alerting that “government-backed attackers are trying to steal your password.”


Google warning to one of the targets – 19 January 2019

These elements reinforce the suspicion that a state-sponsored group might be behind this campaign, further contributing to the chilling effect on Egyptian civil society and silencing those who voice criticism of the government.

What an OAuth phishing attack looks like: Step by step

Traditional phishing attacks attempt to deceive the targets into providing their passwords by creating a fake clone of, for example, Google’s or Facebook’s login page. If the target is successfully lured into entering their password, the attacker then “steals” their credentials and can reuse these to access their email account. Typically, this kind of phishing attack can be prevented through the use of two-step verification procedures such as those provided by most mainstream platforms these days, or by authenticator apps, or even better, security keys.

However, in this phishing campaign we have documented in Egypt, the attackers instead leverage a simple but less known technique generally called “OAuth Phishing.” Rather than cloning a legitimate login prompt that aims to trick targets into entering their password on a dubious-looking site, OAuth Phishing abuses a legitimate feature of many online service providers, including Google, that allows third-party applications to gain direct access to an account. For example, a legitimate external calendar application might request access to a user’s email account in order to automatically identify and add upcoming events or flight reservations.

With OAuth Phishing, attackers craft malicious third-party applications that are disguised so as not to raise suspicion with the victims. (More information on this functionality is available on Google Support in English or Arabic). Here we provide a step by step look at the ways in which these attacks work, and we follow on below with some concrete ways that people can better protect themselves from these kinds of attacks.

Step 1

We identified a few variants of the phishing emails received by the human rights defenders who shared these with Amnesty International. In the most common case pictured below, the email imitates a security warning from Google and solicits the target to apply a “Secure Email” security update to their Google account.

Screen Shot Example of Phishing Email Used In Attack:


Step 2

Clicking the “Update my security now” button directs to a page that initiates the OAuth authorization process of the malicious third-party application named by the attackers as “Secure Mail.”

Step 3

At this point the target is requested to log into Google or choose an existing logged in account.

Screenshot of Google’s login prompt requesting authorization to the malicious app:


Step 4

Now the target is asked to explicitly authorize the malicious “Secure Email” third-party application to be granted access to their email account. While this authorization prompt does contain a warning from Google, it may be overlooked as the user has been directed from what appeared to be a legitimate email from Google.

Screenshot of confirmation to authorize the malicious app on victim’s account:


Step 5

Once the “Allow” button is clicked, the malicious “Secure Email” application is granted access to the target’s email account. The attackers are immediately able to read the email’s content, and the victims are directed to the real Google account settings page, which further reduces any suspicion on the part of the target that they have been victim of a fraudulent attack.

In addition to Google, we observed that the same attackers make use of similar tactics against Yahoo, Outlook and Hotmail users.

Defending Against OAuth Phishing

OAuth Phishing can be tricky to identify. Often, security education for individuals at risk does not include mentions of this particular technique. People are usually trained to respond to phishing by looking for suspicious domains in the browser’s address bar and by enabling two-factor verification. While those are very useful and important safety practices to adopt, they would not help with OAuth Phishing because victims are in fact authenticating directly through the legitimate site.

If you are an activist, human rights defender, journalist, or anyone else concerned about being targeted by these kinds of attacks, it is important to be alert whenever you are requested to authorize a third-party application on your accounts.

Occasionally it is a good exercise to review your account’s security settings and check for authorized external applications. In the case of this campaign, the malicious Secure Email application will appear authorized as pictured below.


Screenshot of the malicious third-party application used by the attackers as it appears in the Google account settings page

You might also want to consider revoking access to any other authorized application that you do not recognize or that you might have stopped using.
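The five steps above and the advice to review authorized applications both come down to one question: which third-party app is asking for (or already holds) mailbox access, and does its name pass itself off as a provider feature? The following Python script is an added example, not part of the Amnesty report or any Google tool: it parses the consent request a lure link leads to and reviews a constructed list of grant records, flagging apps that hold Gmail read scopes or carry a "Secure Email"-style name. Client ids, hosts and the provider-word heuristic are assumptions; the Gmail scope identifiers are real.

```python
import re
from urllib.parse import urlparse, parse_qs

# Gmail scopes that grant read access to mailbox content (real Google scope
# identifiers; the list is not exhaustive).
MAIL_READ_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
}

# Assumed heuristic: words a lure app name reuses to pass as a provider feature.
PROVIDER_WORDS = {"secure", "security", "google", "gmail", "mail", "email",
                  "update", "account"}


def parse_consent_url(url):
    """Extract client_id, redirect_uri and scopes from a Google OAuth 2.0
    authorization URL (the page an "Update my security now" style link leads
    to). Returns None when the URL is not a Google consent request."""
    u = urlparse(url)
    if u.hostname != "accounts.google.com" or not u.path.startswith("/o/oauth2/"):
        return None
    q = parse_qs(u.query)
    scopes = set()
    for raw in q.get("scope", []):       # scope is a space-separated list
        scopes.update(raw.split())
    return {
        "client_id": q.get("client_id", [""])[0],
        "redirect_uri": q.get("redirect_uri", [""])[0],
        "scopes": scopes,
    }


def provider_lookalike_name(app_name):
    """True when the app name is built only from provider/security words,
    e.g. "Secure Email" or "Secure Mail" as in the campaign described above."""
    words = re.findall(r"[a-z]+", app_name.lower())
    return bool(words) and all(w in PROVIDER_WORDS for w in words)


def assess_grant(app_name, client_id, scopes, trusted_client_ids=frozenset()):
    """Return the reasons a grant deserves review; an empty list means no
    finding. Client ids on the trusted list (an organisation's approved apps)
    are skipped."""
    if client_id in trusted_client_ids:
        return []
    reasons = []
    mail = sorted(scopes & MAIL_READ_SCOPES)
    if mail:
        reasons.append("mailbox read access: " + ", ".join(mail))
    if provider_lookalike_name(app_name):
        reasons.append("app name imitates a provider security feature: %r" % app_name)
    return reasons


def review_grants(grants, trusted_client_ids=frozenset()):
    """Run assess_grant over grant records (user, app_name, client_id, scopes),
    such as an export of authorized third-party apps. Returns
    [(user, app_name, reasons)] for every grant with at least one finding."""
    flagged = []
    for g in grants:
        reasons = assess_grant(g["app_name"], g["client_id"], set(g["scopes"]),
                               trusted_client_ids)
        if reasons:
            flagged.append((g["user"], g["app_name"], reasons))
    return flagged


# Constructed sample data: a consent link in the style of the lure, plus three
# grant records. Client ids and hosts are placeholders, not real identifiers.
LURE_URL = ("https://accounts.google.com/o/oauth2/v2/auth?"
            "client_id=PLACEHOLDER-CLIENT-ID.apps.googleusercontent.com"
            "&redirect_uri=https%3A%2F%2Fapp.example.invalid%2Fcallback"
            "&response_type=code"
            "&scope=https%3A%2F%2Fmail.google.com%2F+openid+email")

SAMPLE_GRANTS = [
    {"user": "hrd1@example.invalid", "app_name": "Secure Email",
     "client_id": "PLACEHOLDER-CLIENT-ID.apps.googleusercontent.com",
     "scopes": ["https://mail.google.com/", "openid", "email"]},
    {"user": "hrd2@example.invalid", "app_name": "Travel Planner",
     "client_id": "PLACEHOLDER-CALENDAR-APP",
     "scopes": ["https://www.googleapis.com/auth/calendar.events"]},
    {"user": "hrd3@example.invalid", "app_name": "Mail Backup Tool",
     "client_id": "PLACEHOLDER-APPROVED-BACKUP",
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]},
]
TRUSTED = frozenset({"PLACEHOLDER-APPROVED-BACKUP"})

if __name__ == "__main__":
    req = parse_consent_url(LURE_URL)
    print("consent request:", req)
    print("findings:", assess_grant("Secure Email", req["client_id"], req["scopes"]))
    for user, app, reasons in review_grants(SAMPLE_GRANTS, TRUSTED):
        print(user, app, reasons)
```

The consent-URL parser is the piece worth keeping: the scope parameter tells you before clicking "Allow" whether a "security update" app is really asking for full mailbox access.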

Google also offers an Advanced Protection Program that in addition to enforcing the authentication with a security key, disables third-party applications on your account. Beware that enabling this configuration introduces some limitations, so make sure it fits your particular requirements before enrolling.

Here you can find instructions on how to check for authorized third-party applications on your Yahoo account instead.

Get in touch

If you received any suspicious email like those we described in this report, or other forms of suspected targeted attack, you can contact us at


Indicators of Compromise and attack infrastructure available here.

Following are screenshots of other phishing emails used in this same campaign:


This report was originally published by Amnesty International on March 5th 2019. It was republished, with permission, under a Creative Commons BY-NC-ND 4.0 International License, in accordance with the Terms & Conditions of Amnesty International | Formatting Edits and PDF added and embedded by Rogue Media Labs

Op-Ed: Understanding How The Future of Cyber & Data Security Is Directly Tied To History’s Strongest Banking Sectors

I haven’t really spoken much publicly about it yet, but outside of building my websites and publishing new material online, over the course of the last several weeks and months I’ve also begun the process of putting together different proposals in an attempt to launch my own cyber security business. More specifically, I’m interested in starting a data hosting/data security service with the possibility of launching a world class VPN service along side of it.

Knowing full well that this is a venture I cannot successfully achieve here in the United States, I’ve begun approaching various international banking institutions and Government agencies worldwide to get a feel for how likely they’d be to stake and/or sponsor me with a business loan, as well as to gauge how different countries or Government agencies would react to my proposed business plan – which would essentially lock out all Government requests for data/information on all of my customers, something I’d also be unwilling to compromise on. This is also why I say that I could never operate my business in an ideal way inside the United States, because given this country’s laws and current administration, it’s literally impossible to block the US Government from seizing any/all corporate data hosted inside US borders or out if they really want it – just ask Microsoft or LavaBit about that.

To date, I have either sat down with or submitted proposals to representatives at Toronto-Dominion Bank here in New York City, the Bank of The Bahamas in Nassau, CBH Bahamas and Ministry of Foreign Affairs in Colombia. During my presentations I have essentially explained to each of them the same concept, which is the fact that one of the newest trends inside the cyber/data security industry is a switch over to countries with historically strong banking industries, because these countries actively host the most stringent business confidentiality and data privacy laws – something growing ever more precious for international cyber security companies, especially headed into the future.

Learn More – Country of Origin & How It Relates To Data Security Choices or Decisions:

In my presentations, I’ve explained to them how it’s my intention to start a new business model capitalizing on data confidentiality laws in countries such as the Bahamas, by hosting data servers outside the reach or jurisdiction of invasive Government agencies – which are perhaps THE single largest threat to data security in the world today, right Russia? Think of the conception of my business in the same context as starting a new bank, only instead of securely holding money for customers I would be locking up and securing/guaranteeing data files. This is also a unique business model or selling point that no one on Earth is currently offering, which is why I believe I can be successful at it. For the purposes of this article, I will keep the methodology through which I intend to secure my customers’ data confidential.

As an example, here is a sample of an exchange between me and a representative of Toronto-Dominion Bank in New York City dated December 10th 2018:


And here is another sample of an exchange between me and representatives at the Bank of the Bahamas earlier that same day on December 10th 2018:


And lastly, here is a sample of an inquiry filed with Colombia’s Ministry of Foreign Affairs on January 26th 2019:


Needless to say however, despite however interested and/or fascinated they were by my proposals, no one has ever actually offered me a loan – and presumably never will. What’s interesting though is that I distinctly remember telling TD Bank in a sit down interview that I was afraid to put together a full research report for them, fearing that someone would think my business was a great idea, but would just reject my loan and use the information for themselves to advance their own agendas. As fate would have it, this also appears to be exactly what has happened – welcome to America.

Imagine my surprise this morning when I wake up and read a ‘new report‘ originally published by an Israeli based security firm known as Radware on February 7th 2019, entitled “What Do Banks and Cybersecurity Have In Common? Everything.” In it, researchers loosely explain how cyber security companies of the future need to begin thinking of their brands, business and product much in the same way as banks do, employing the same safeguards to protect data as banks do to protect money. Essentially, their report is just a “bastardized” version of everything I had been presenting/proposing to international banks for months/weeks beforehand.

In other news, sure would like to see #OpIcarus keep rolling along……….. 😉

Survey: Despite Buying Smart Devices, 80% of Customers Claim Not To Trust Any Internet Connected Devices

Earlier this week, funded by BlackBerry, researchers working at Atomic Research released the results of a new study designed to gauge the public’s level of trust in the devices they purchase, as well as what their levels of expectation were for the regulation of data security and privacy as it relates to the internet connected devices or products they buy. Conducted throughout the early half of December 2018, researchers interviewed approximately 4,100 individuals across three countries – the United States, United Kingdom and Canada – revealing that:

  • 80% say they do not trust their current internet connected smart devices to secure their data or privacy
  • 84% said they would be more likely to buy a product based on their historic reputations for protecting data/privacy
  • 82% of respondents said they would embrace the adoption of a set of industry standards regulating the data privacy industry, requiring devices to be certified before being released to the public
  • 25% of respondents stated that they trusted their own in car AI from Google more than any other, followed by Siri (19%) and Alexa (16%)
  • 67% of respondents stated they would pay more for a car if they knew it offered more secure software than a competitor
  • 58% said they would pay more for Internet of Things (IoT) devices if they offered built in security
  • On average, 20% of respondents said they would pay up to 10% more for any product for the peace of mind of knowing it was more secure
  • 36% of respondents claim to have no knowledge whatsoever of any industry standards or security certifications when it comes to data security

Results from study:


Op-Ed: The Corporate World Is So Afraid of Hacking They Make Themselves Even Less Secure

The news has been a little slow this Holiday season, so I am going to take the opportunity to go on a mini rant of sorts, explaining just how clueless business executives and “professionals” can be when it comes to their online or data security. I got motivated to write this after reading an article by Information Security Magazine, discussing how passwordless authentication is going to become the next “Big Thing” of the future.

However, that article was nothing more than a literal :facepalm: for me to read because I know it is exponentially harder to crack passwords than it is pins – which passwordless authentication relies on. Put another way,  it is much easier to run Brute Force attacks against a series of numbers, such as those contained within a pin, than it is a series of numbers, letters and symbols – such as are included in passwords. Why anyone working specifically in the field of Information Security would then write an article advocating for passwordless authentication as a good thing for the industry is completely beyond my understanding.

With that established, here’s a look at a few other examples which also have me shaking my head in disbelief.


The other week I featured an article discussing two emerging businesses, Starlink internet service and Space Belt data storage. In fact, executives at Space Belt were so impressed with my coverage that they sent me an email explaining that the company had just raised another $100 million dollars, asking me to write a press release about it in the future.

While I told their Chief Commercial Officer I would be happy to cover an update for them, I also used the opportunity to point out some serious flaws in their website’s security. For example, the site does not even have an active Secure Sockets Layer (SSL) certificate – something which costs, on average, between $3-$20 to install. I explained to him that without an SSL certificate, any hacker or interested 3rd party could intercept/steal the information that visitors input on it – it also puts their site at advanced risk of DDoS attack. I explained to them how it is not a good look for a company trying to literally sell itself as world-class security specialists to have the words “Not Secure” featured on the front page of their website – the first thing any customers/visitors see upon accessing their website. For example, I also have an online business website, and I wouldn’t be caught dead trying to sell security with an unsecured website – get it?

Well, apparently Space Belt executives didn’t like my email or constructive criticism very much, because not only did they not thank me for bringing this to their attention, but they have now ceased replying to all my emails and still haven’t even fixed the security issue. Below is a screen shot of the very problem I am talking about.


Askar Refugee Camp

It is a generally known fact that the international cyber espionage/hacking capital of the world is Israel, which has been granted immunity for this sort of activity over the decades. Not only this, but last month I featured a report explaining how 22% of Palestinian women have given up and stopped using the internet entirely, after regularly coming under cyber attack and facing sexual harassment online. Not only this, but I personally got a hacking group known as “PinkiHacks” banned off Twitter entirely after they announced something known as #OpIslam and #OpGaza, an online hacking campaign aimed at attacking Arabic educational institutions and anyone living in the disputed territories around Israel.

It should go without saying, but perhaps no one in the world is more vulnerable in 2018/2019 than Palestinians, both online and off. For this very reason I reached out to Amjad Rfaie, Director of Askar Refugee Camp, offering to install online security for his website and host his email servers privately. In fact, I was even willing to volunteer to pay money out of my pocket just to do this. However, for reasons unknown, perhaps because I am an American, he has declined.

I was afraid for him because he runs a completely unsecured website lacking even the basic security measures, and runs all camp emails through an outdated Yahoo email account. For those of you unaware, literally every Yahoo account which has ever been created has already been hacked, and Yahoo remains perhaps the most insecure email hosting platform in the world. Given the tensions in the region and the important role he serves in his community, I feared that Amjad could one day soon become an easy target for Israeli hackers – if he hasn’t been compromised already. Once again however, he seems utterly disinterested in allowing me to help him and for reasons I simply do not understand, doesn’t even respond to my emails or texts anymore.

New York City Public Library

Here’s another interesting experience I’ve had while trying to launch my online security startup, this time involving the New York City Public Library (NYPL) system. One day I noticed all the free/public classes the library offers, and given my knowledge in the field of cyber security and the tutorials I have already prepared, figured it would be a good opportunity to share my knowledge with the world and get my name out there. However, shortly after handing in my application to the front desk I could hear people talking in back about how “we have to sabotage this application,” explaining how they couldn’t let me work/teach there because the week beforehand I had used the library’s printer to print out a Visa application to Russia. To this day I have not heard one word back from the library and, I suspect, they just threw out my application the moment I handed it in.

Not only this, but one day I also reported a bug affecting their laptops. For example, the NYPL claims that every time a session expires all the data from the previous user gets automatically deleted so it cannot be read by the next user, something which I found to be untrue. Not only did I personally find multiple resumes left on the computer from previous users, but I also tested the system myself. To do this I purposely left my resume open in a Word document and let the session expire. I then went to the library front desk and told them to open the laptop with a new account where, surprise, you could find my open resume right there on screen – a serious data security bug built into their systems. Only instead of thanking me for pointing this out to them, the person behind the desk grabbed the laptop out of my hands and threatened to “tear up” my library card. While their supervisor overruled them, it just serves as yet another reminder how belligerent people get when you try to teach them something about security, even when you are trying to help.

Every Job I Have Ever Applied for

There is also a reason I am attempting to create my own news and security company, because my work in these fields has made me completely and utterly unemployable for the better part of the last 4 years. Rogue Media Labs is my 5th website, after closing my previous 4 domains. Despite small changes here and there, over this time I have always covered hacking events and cyber security developments, much as I do today. However, despite my unique skills and knowledge, everyone seems to be scared off by what or how much I know.

Look no further than the “Hacking News” section of this very website, which seems to scare the living daylights out of everyone for some reason. I say this because over the course of the last 3+ years I have applied for well over 300 positions around the country/world, and have only received 2 call backs over this time, with one interview and 0 hires. As a result, I currently live and work out of a homeless shelter, where I have lived for the better part of the last 9 months – with no one in the world willing to allow me to work or even volunteer for them. I literally can’t even pay money out of my own pocket to help secure someone – just ask Amjad about that. Because of the very news I write about, literally no one in the world wants anything to do with me.

My Side of The Story

I’ve tried explaining to people that there is a reason why I can interview hackers, intellectually cover data breaches and publish leaks without the same hacks or hackers affecting me, because we both know how hard I am to hack. Some of the world’s most powerful hackers have personally demonstrated to me how it is easier to take down ProtonMail than it is my own website. I keep trying to tell people that if you had hired me in the first place, your website wouldn’t have been hacked and your data would still be safe. There is a reason I am trying to start an online security company, because I know what I am doing – even if you don’t.

Still though, people just see me reporting about hacking and think I must be the most underground secret criminal in the world, or that I can’t possibly be trusted to handle any sort of data – never mind do legitimate business with. It is almost as if employers or executives give no thought whatsoever to the fact that in order to learn how hacks are pulled off and how to mitigate them, you have to study hacking. It doesn’t occur to anyone that you can only learn how to prevent hacks by learning how others are being exploited. The only way I’ve ever learned anything about securing myself was by getting targeted by world class hackers and cyber attacks, experience which cannot be taught or replaced. There is a reason no one can hack my website today, because I’ve put in the dirty work and research to learn trade secrets. Still though, it doesn’t seem to matter.

But then again, maybe I should be thankful? With the corporate world’s refusal to learn how to secure themselves, I should have no shortage of hacks and leaks to continue writing/reporting about in the future. So, don’t tell me there isn’t a silver lining to every story.

Amnesty Investigation – State Sponsored Hackers Launching Massive Hacking Operations Across Middle East & North Africa



  • We have identified several campaigns of credentials phishing, likely operated by the same attackers, targeting hundreds of individuals spread across the Middle East and North Africa.
  • In one campaign, the attackers were particularly going after accounts on popular self-described “secure email” services, such as Tutanota and ProtonMail.
  • In another campaign, the attackers have been targeting hundreds of Google and Yahoo accounts, successfully bypassing common forms of two-factor authentication.


From the arsenal of tools and tactics used for targeted surveillance, phishing remains one of the most common and insidious forms of attack affecting civil society around the world. More and more Human Rights Defenders (HRDs) have become aware of these threats. Many have taken steps to increase their resilience to such tactics. These often include using more secure, privacy-respecting email providers, or enabling two-factor authentication on their online accounts.

However, attackers too learn and adapt in how they target HRDs. This report documents two phishing campaigns that Amnesty International believes are being carried out by the same attacker (or attackers) likely originating from amongst the Gulf countries. These broad campaigns have targeted hundreds, if not a thousand, HRDs, journalists, political actors and others in many countries throughout the Middle East and North Africa region.

What makes these campaigns especially troubling is the lengths to which they go to subvert the digital security strategies of their targets. The first campaign, for example, utilizes especially well-crafted fake websites meant to imitate well-known “secure email” providers. Even more worryingly, the second demonstrates how attackers can easily defeat some forms of two-factor authentication to steal credentials, and obtain and maintain access to victims’ accounts. As a matter of fact, Amnesty Tech’s continuous monitoring and investigations into campaigns of targeted surveillance against HRDs suggest that many attacker groups are developing this capability.

Taken together, these campaigns are a reminder that phishing is a pressing threat and that more awareness and clarity over appropriate countermeasures needs to be available to human rights defenders.

Phishing Sites Imitating “Secure Email” Providers

Amnesty International has identified several well-crafted phishing sites for the popular email services Tutanota and ProtonMail. The providers are marketed as “secure email” solutions and have consequently gained some traction among activists.

These sites contain several elements that make them especially difficult for targets to identify as fakes. For instance, the attackers managed to obtain the domain and used it to almost completely replicate the original website for the Tutanota service, which is actually located at


Many users rightfully expect that online services control the primary and .net domain variants of their brand. If an attacker manages to acquire one of these variants they have a rare opportunity to make the fake website appear significantly more realistic. These fake sites also use transport encryption (represented by the https:// prefix, as opposed to the classic, unencrypted, http://). This enables the well-recognized padlock on the left side of the browser’s address bar, which users have over the years been often taught to look for when attempting to discern between legitimate and malicious sites. These elements, together with an almost indistinguishable clone of the original website, made this a very credible phishing site that would be difficult to identify even for the more tech-savvy targets.

If a victim were tricked into performing a login to this phishing site, their credentials would be stored and a valid login procedure would be then initiated with the original Tutanota site, giving the target no indication that anything suspicious had occurred.


Because of how remarkably deceptive this phishing site was, we contacted Tutanota’s staff, informed them about the ongoing phishing attack, and they quickly proceeded to request the shutdown of the malicious infrastructure.

These same attackers were also operating a ProtonMail phishing website (another popular email service marketed as secure) located at, where the additional letter “e” is all that distinguishes this well-built replica from the original valid website.


Widespread Phishing of Google and Yahoo Users

Throughout 2017 and 2018, human rights defenders and journalists from the Middle East and North Africa region have been sharing with us suspicious emails they have been receiving. Investigating these emails, we identified a large and long-running campaign of targeted phishing attacks that has targeted hundreds, and likely over one thousand people overall. Most of the targets seemingly originate from the United Arab Emirates, Yemen, Egypt and Palestine.

It is worth noting that we found this campaign to be directly connected to some attacks included in section 2.4.2 of a technical report by UC Berkeley researcher Bill Marczak, in which he suggests various overlaps with other campaigns of targeted surveillance specifically targeting dissidents in the UAE.

Our investigation leads us to additionally conclude that this campaign likely originates with the same attacker – or attackers – who cloned the Tutanota and ProtonMail sites in the previous section. As in the previous campaign, this targeted phishing campaign employs very well-designed clones of the commercial sites it impersonates: Google and Yahoo. Unlike that campaign, however, this targeted phishing campaign is also designed to defeat the most common forms of two-factor authentication that targets might use to secure their accounts.

Lastly, we have identified and are currently investigating a series of malware attacks that appear to be tied to these phishing campaigns. This will be the subject of a forthcoming report.

Fake Security Alerts Work

In other campaigns, for example in our Operation Kingphish report, we have seen attackers create well developed online personas in order to gain the trust of their targets, and later use more crafty phishing emails that appeared to be invites to edit documents on Google Drive or participating in Google Hangout calls.

In this case, we have observed less sophisticated social engineering tricks. Most often this attacker made use of the common “security alert” scheme, which involves falsely alarming the targets with some fake notification of a potential account compromise. This approach exploits their fear and instills a sense of urgency in order to solicit a login with the pretense of immediately needing to change their password in order to secure their account. With HRDs having to be constantly on the alert for their personal and digital security, this social engineering scheme can be remarkably convincing.

The following is one example of a phishing email sent by this attacker.


Clicking on the links and buttons contained in these malicious emails would take the victim to a well-crafted and convincing Google phishing website. These attackers often and regularly create new sites and rotate their infrastructure in order to avoid detection and reduce the damage of unexpected shutdowns by domain registrars and hosting providers. You can find at the bottom of this report a list of all the malicious domains we have identified.


How Does the Phishing Attack Work?

In order to verify the functioning of the phishing pages we identified, we decided to create a disposable Google account. We selected one of the phishing emails that was shared with us, which pretended to be a security alert from Google, falsely alerting the victim of suspicious login activity, and soliciting them to change the password to their account.

The first step was to visit the phishing page.


When we logged into the phishing page, we were redirected to another page where we were alerted that we had been sent a 2-Step Verification code (another term for two-factor authentication) via SMS to the phone number we used to register the account, consisting of six digits.


Sure enough, our configured phone number did receive an SMS message containing a valid Google verification code. After we entered our credentials and the 2-Step Verification code into the phishing page, we were then presented with a form asking us to reset the password for our account.


To most users a prompt from Google to change passwords would seem a legitimate reason to be contacted by the company, which in fact it is.

After checking the security events on our disposable Google account, we noticed that a password change was in fact issued by a Windows computer operated by the attackers, seemingly connecting from an IP address that Google geolocates within the USA.


(The IP address used by the attackers to automatically authenticate and modify our Google account,, is actually an unauthenticated Squid HTTP proxy. The attackers can use open proxies to obscure the location of their phishing server.)

The purpose of taking this additional step is most likely just to fulfill the promise of the social engineering bait and therefore to not raise any suspicion on the part of the victim.

After following this one last step, we were then redirected to an actual Google page. In a completely automated fashion, the attackers managed to use our password to log into our account, obtain from us the two-factor authentication code sent to our phone, and eventually prompt us to change the password to our account. The phishing attack is now successfully completed.

Similarly, we created a new Yahoo account and configured two-factor authentication using the available phone verification as visible in the account settings:


Challenges in Securing Online Accounts

Finding a secure way to authenticate users is a very difficult technical issue, although some progress has been made over the years that has raised the bar of difficulty for attackers attempting to compromise accounts at scale.

Two-factor authentication has become a de-facto standard that is almost always recommended as a required step for securing online accounts. With two-factor authentication procedures enabled, users are required to provide a secondary form of verification that normally comes in the form of a numerical token that is either sent via SMS or through a dedicated app to be installed on their phone. These tokens are short-lived, and normally expire after 30 seconds. In other cases, like that of Yahoo, the user is required instead to manually allow an ongoing authentication attempt by tapping a button on their phone.

Why is this useful? Requiring a secondary form of authentication prevents some scenarios in which an attacker might have obtained access to your credentials. While this can most commonly happen with some unsophisticated phishing attempts, it is also a useful mitigation to password reuse. You should definitely configure your online accounts to use different passwords (and ideally use a password manager), but in the case you reuse – accidentally or otherwise – a password which was stolen (for example through the numerous data breaches occurring all the time) having two-factor authentication enabled will most likely mitigate against casual attackers trying to reuse the same password on as many other online accounts as possible.

Generally, there are three forms of two-factor authentication that online services provide:

  • Software token: this is the most common form, and consists of asking the user to enter in the login form a token (usually composed of six digits, sometimes including letters) that is sent to them either via SMS or through a dedicated app the user configured at the time of registration.
  • Software push notification: the user receives a notification on the phone through an app that was installed at the time of registration. This app alerts the user that a login attempt is being made and the user can approve it or block it.
  • Hardware security keys: this is a more recent form of two-factor authentication that requires the user to physically insert a special USB key into the computer in order to log into the given website.

While two-factor push notifications often provide some additional information that might be useful to raise your suspicion (for example, the country of origin of the client attempting to authenticate being different from yours), most software-based methods fall short when the attacker is sophisticated enough to employ some level of automation.

As we saw with the campaigns described in this report, if a victim is tricked into providing the username and password to their account, nothing will stop the attacker from asking them to provide the 6-digit two-factor token, eventually the phone number to be verified, as well as any other required information. With sufficient instrumentation and automation, the attackers can make use of the valid two-factor authentication tokens and session before they expire, successfully log in and access all the emails and contacts of the victim. In other words, when it comes to targeted phishing, software-based two-factor authentication, without appropriate mitigation, could be a speed bump at best.

Don’t be mistaken, two-factor authentication is important and you should make sure you enable it everywhere you can. However, without a proper understanding of how real attackers work around these countermeasures, it is possible that people are misled into believing that, once it is enabled, they are safe to log into just about anything and feel protected. Individuals at risk, human rights defenders above all, are very often targets of phishing attacks and it is important that they are equipped with the right knowledge to make sure they aren’t improperly lowering their level of caution online.

While it is possible that in the future capable attackers could develop ways around that too, at the moment the safest two-factor authentication option available is the use of security keys.

This technology is supported for example by Google’s Advanced Protection program, by Facebook and as of recently by Twitter as well. This process might appear painful at first, but it significantly raises the difficulty for any attacker to be successful, and it isn’t quite as burdensome as one might think. Normally, you will be required to use a security key only when you are authenticating for the first time from a new device.

That said, security keys have downsides as well. Firstly, they are still at a very early stage of adoption: only few services support them and most email clients (such as Thunderbird) are still in the process of developing an integration. Secondly, you can of course lose your security key and be locked out of your accounts. However, you could just in the same way lose the phone you use for other forms of two-factor authentication, and in both cases, you should carefully configure an option for recovery (through printed codes or a secondary key) as instructed by the particular service.

As with every technology, it is important individuals at risk are conscious of the opportunities as well as the shortcomings some of these security procedures offer, and determine (perhaps with the assistance of an expert) which configuration is best suited for their respective requirements and levels of risk.
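To make the contrast between software tokens and security keys concrete, the following is an added example, not code from the Amnesty report. It models a toy service (constructed origins, a real RFC 6238 TOTP, and an HMAC stand-in for the key's signature, a stated simplification of FIDO's asymmetric signatures) and shows why a code typed into a lookalike page still works when replayed within its 30-second window, while an assertion from a security key does not, because the service checks the origin the browser actually signed.

```python
import hashlib
import hmac
import secrets
import struct

TOTP_STEP = 30  # seconds; the report notes software tokens normally expire after 30 seconds


def totp(secret: bytes, unix_time: float, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the kind of code an authenticator app or SMS delivers."""
    counter = int(unix_time) // TOTP_STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Service:
    """Toy relying party for one user. Origin and credentials are constructed, not a real site."""

    ORIGIN = "https://mail.example"

    def __init__(self, password: str, totp_secret: bytes, key_secret: bytes):
        self.password = password
        self.totp_secret = totp_secret
        # Simplification: a shared HMAC key stands in for the security key's public key.
        # Real FIDO/WebAuthn keys use asymmetric signatures, but the origin check is the same.
        self.key_secret = key_secret

    def login_totp(self, password: str, code: str, now: float) -> bool:
        """Password plus six-digit code; accepts the current and previous step, as servers commonly do."""
        if password != self.password:
            return False
        return any(hmac.compare_digest(code, totp(self.totp_secret, now - TOTP_STEP * back))
                   for back in (0, 1))

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def login_key(self, password: str, challenge: bytes, assertion: tuple) -> bool:
        """Password plus security-key assertion. The signed data includes the origin the
        browser was on, so the service compares that origin with its own."""
        if password != self.password:
            return False
        origin, sig = assertion
        expected = hmac.new(self.key_secret, challenge + origin.encode(), hashlib.sha256).digest()
        return origin == self.ORIGIN and hmac.compare_digest(sig, expected)


def security_key_sign(key_secret: bytes, challenge: bytes, browser_origin: str) -> tuple:
    """Authenticator side: binds the challenge to the origin the browser reports, whatever it is."""
    sig = hmac.new(key_secret, challenge + browser_origin.encode(), hashlib.sha256).digest()
    return (browser_origin, sig)


LOOKALIKE_ORIGIN = "https://mail-example.test"  # constructed lookalike domain


def totp_relayed_through_lookalike(service: Service, password: str, totp_secret: bytes,
                                   now: float, relay_delay: float) -> bool:
    """The user types password and current code into a lookalike page at time `now`;
    an automated backend replays both to the real service `relay_delay` seconds later."""
    code_typed = totp(totp_secret, now)
    return service.login_totp(password, code_typed, now + relay_delay)


def key_relayed_through_lookalike(service: Service, password: str, key_secret: bytes) -> bool:
    """Same relay with a security key: the browser is on the lookalike origin, so that is
    what the key signs, and the real service rejects the assertion."""
    challenge = service.challenge()
    assertion = security_key_sign(key_secret, challenge, LOOKALIKE_ORIGIN)
    return service.login_key(password, challenge, assertion)


def key_used_directly(service: Service, password: str, key_secret: bytes) -> bool:
    """Control case: the same key on the genuine origin logs in normally."""
    challenge = service.challenge()
    assertion = security_key_sign(key_secret, challenge, Service.ORIGIN)
    return service.login_key(password, challenge, assertion)
```

The delay tolerance is the whole story: a code relayed within the step window is indistinguishable from the user's own login, whereas the key's origin binding fails no matter how fast the relay is.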

How the Bypass for Two-Factor Authentication Works

The servers hosting the Google and Yahoo phishing sites also mistakenly exposed a number of publicly listed directories that allowed us to discover some details on the attacker’s plan. One folder located at /setup/ contained a database SQL schema likely used by the attackers to store the credentials obtained through the phishing frontend:


A folder located at /bin/ contained an installation of Selenium with Chrome Driver, which is a set of tools commonly used for automated testing of web applications. Selenium allows one to script the configuration and launch of a browser (in this case Google Chrome) and make it automatically visit any website and perform certain activities (such as clicking on a button) in the page.

While the original purpose was to simplify the process of quality assurance for web developers, it also lends itself perfectly to the purpose of automating login attempts into legitimate websites and streamlining phishing attacks. Particularly, this allows attackers to easily defeat software-based two-factor authentication.


Yet another folder called /profiles/ instead contained hundreds of folders generated by each spawned instance of Google Chrome, automated through Selenium as explained.


Because all the profile folders generated by the spawned Google Chrome instances operated by the attackers are exposed to the public, we can actually get a glimpse at how the accounts are compromised by inspecting the History database that is normally used by the browser to store the browsing history.


Through the many Chrome folders we could access, we identified two clear patterns of compromise.

The first pattern of compromise, and most commonly found across the data we have obtained, is exemplified by the following chronological list of URLs visited by the Chrome browser instrumented by the attackers:


As we can see, the attackers are automatically visiting the legitimate Yahoo login page, entering the credentials, and then following all of the required steps for eventual two-factor authentication that might have been configured by the victim. Once the full authentication process is completed, the attackers proceed to create what is commonly known as an “App Password”, which is a separate password that some services, including Yahoo, offer in order to allow third-party apps that don’t support two-factor verification to access the user’s account (for example, if the user wants to use Outlook to access the email). Because of this, App Passwords are perfect for an attacker to maintain persistent access to the victim’s account, as they will not be further required to perform any additional two-factor authentication when accessing it.

In the second pattern of compromise we identified, the attackers again seem to automate the process of authenticating into the victim’s account, but they appear to additionally attempt to perform an “account migration” in order to fundamentally clone the emails and the contacts list from the victim’s account to a separate account under the attacker’s control:


In this rather longer chronology of URLs visited by the Chrome browser instrumented by the attackers we can see that they designed the system to attempt a login into Yahoo with the stolen credentials and request the completion of a two-factor verification process, as requested by the service. Once the authentication is completed, the phishing backend will automatically connect the compromised Yahoo account to a legitimate account migration service called ShuttleCloud, which allows the attackers to automatically and immediately generate a full clone of the victim’s Yahoo account under a separate Gmail account under their control.

After such malicious account migration happened, the attackers would then be able to comfortably search and read through all the emails stolen from the victims leveraging the full-fledged functionality offered by Gmail.
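Both patterns leave traces in the account's own security activity log: a login from an unfamiliar device, then an app password or a third-party migration service appearing within minutes. The following is an added example, not part of the report, that runs such a check over constructed events (the event field names and the home-country baseline are assumptions).

```python
from datetime import datetime, timedelta

# Constructed account security events for one user, modelled on the two patterns in the
# report: an automated login followed by app-password creation, and a migration service
# being connected. Not real data.
SAMPLE_EVENTS = [
    {"ts": "2018-12-01T09:10:00Z", "type": "login", "os": "Android", "country": "EG"},
    {"ts": "2018-12-01T10:00:05Z", "type": "login", "os": "Windows", "country": "US"},
    {"ts": "2018-12-01T10:00:30Z", "type": "2sv_passed", "method": "sms"},
    {"ts": "2018-12-01T10:01:10Z", "type": "password_changed"},
    {"ts": "2018-12-01T10:02:00Z", "type": "app_password_created", "label": "Outlook"},
    {"ts": "2018-12-01T10:03:00Z", "type": "third_party_access_granted", "app": "ShuttleCloud"},
    {"ts": "2018-12-03T08:00:00Z", "type": "login", "os": "Android", "country": "EG"},
    {"ts": "2018-12-03T12:00:00Z", "type": "app_password_created", "label": "Thunderbird"},
]

# Actions that turn a single authenticated session into durable access.
PERSISTENCE_ACTIONS = {"app_password_created", "third_party_access_granted", "password_changed"}


def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")


def flag_persistence_after_new_login(events, window=timedelta(minutes=15)):
    """Return one finding per login from a never-before-seen (os, country) pair that is
    followed within `window` by any persistence action. Earlier logins form the baseline."""
    events = sorted(events, key=_ts)
    seen = set()
    findings = []
    for i, ev in enumerate(events):
        if ev["type"] != "login":
            continue
        fingerprint = (ev["os"], ev["country"])
        is_new = fingerprint not in seen
        seen.add(fingerprint)
        if not is_new:
            continue
        deadline = _ts(ev) + window
        actions = [later["type"] for later in events[i + 1:]
                   if _ts(later) <= deadline and later["type"] in PERSISTENCE_ACTIONS]
        if actions:
            findings.append({"login_ts": ev["ts"], "os": ev["os"],
                             "country": ev["country"], "actions": actions})
    return findings
```

The app password created two days later from the user's usual device is deliberately not flagged, which is the kind of benign case a rule like this has to tolerate.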

This article was originally published by Amnesty International on December 18th 2018. It was republished, with permission, under a Creative Commons BY-NC-ND 4.0 International License, in accordance with the Terms & Conditions of Amnesty International | Formatting Edits and Tweets added/embedded by Rogue Media Labs

Rudy Giuliani Mistakes Hyperlink from Top Level Indian Domain as A Hack On His Twitter Account

I’m not going to turn this into too serious an article, it just serves as yet another reminder of just how incompetent at least some of our elected officials are when it comes to their job descriptions. For example, on November 15th 2018 I featured a report covering how the head of cyber security for the 2020 Olympic Games in Tokyo admitted that he has “not once used a computer” since he was 25 years old – seriously, that’s a true story. Then again on November 29th 2018 I wrote an Op-Ed briefly discussing how, as of mid-2017, Senator Mark Warner had never heard of the term “botnet” before, despite leading/heading the US Senate Intelligence Committee’s investigation into Russian hacking.

But without burying the lede any further, earlier this week Donald Trump’s personal lawyer and “Chief Cyber Security Adviser,” Rudy Giuliani, made the embarrassing mistake of not realizing how Twitter, or the internet in general for that matter, fundamentally works. To understand exactly what happened here, you need to read Rudy Giuliani’s Tweet from December 4th 2016 – featured below:

Notice the 1st line above his December 4th Tweet from November 30th, reading “President left for G-20.In July”? This is important to note because .in is actually a top level domain belonging to the country of India, meaning that anyone on the internet can purchase a domain with .in attached to the end of it. This is also exactly what someone decided to do almost immediately after Giuliani sent out that Tweet on November 30th. Noticing Giuliani’s typo, some random person/troll/fool on the internet quickly decided to scoop up and buy the domain “” – which as fate would have it, just happened to be available in 2018. Then, using this domain, the ‘hacker’ set up a website reading “Donald Trump is a traitor to this country.”

Therefore, considering that Twitter still does not allow anyone to edit their own Tweets, this created a direct “hyperlink” to which also happens to accidentally appear on Giuliani’s Twitter feed/posting.

Screenshot from

Screengrab from the website

Connecting the dots, this means that by simply exploiting a typo, an opportune hacker/troll was able to make one of Giuliani’s own Tweets connect directly to an anti-Trump website – lulz. However, not actually realizing how the internet works, Giuliani proceeded to start levying false accusations whilst throwing a world-class “hissy fit,” calling Twitter a company of “committed card-carrying anti-Trumpers” whose service had “allowed someone to invade my (his) text with a disgusting anti-President message.” This of course is absolutely ridiculous, considering that Twitter has no control over Giuliani’s own typo, or the purchasing/registration of domain names, or the establishment of independent websites. But then again, would you actually expect the Commander In Chief’s Chief Cyber Security Adviser to understand how “the internet” works? Didn’t think so, welcome to #America.

New Study: 63% of IT Security Professionals Believe our Elected Officials are Cyber Security Illiterate

A new study conducted by researchers at Venafi attempted to assess the level of competency industry insiders believe our elected officials serving in Government office possess when it comes to drafting, passing or enacting new cyber security laws/policies. According to Jeff Hudson, CEO of Venafi, “Over the last several months we’ve seen government officials from across the globe propose dangerous surveillance laws and protocols.” Protocols and initiatives which can, in theory, expose or compromise “all types of classified intelligence and other highly sensitive government data.” This is exactly why researchers wanted to observe the opinions/beliefs of active IT security professionals, to gauge whether or not they believe our Government and society is going in the right direction when it comes to National cyber security initiatives or policies.

To gather data, researchers interviewed approximately 515 information technology (IT) employees at the August 2018 BlackHat Cyber Security Conference. By doing so, Venafi hopes to use the research to influence the actions of elected officials in the future, by providing them with an accurate depiction of today’s cyber security political landscape and showing them areas where they need to focus on or improve.

Key Findings from The Study:

  • 88% of Government officials believe that Government employees should be required to complete a basic cyber security training course, something they presently do not.
  • 66% of IT professionals believe that the Government officials should not be allowed to access the encrypted data of their customers, and companies should not be required to install back-doors to bypass encryption on their products – something Jeff Sessions and the DoJ currently mandates.
  • 65% of the professionals surveyed stated that allowing back-doors to encrypted data, such as is the case with election data, only serves to make said elections themselves less safe – only 16% said they thought it would make elections safer.
  • 63% stated that they do not believe our Government officials understand the basic fundamentals or risks/vulnerabilities affecting our Nation’s digital infrastructure.
  • 67% stated that they do not believe our Government officials understand the basic fundamentals or risks/vulnerabilities targeting our Nation’s physical infrastructure.

Head of Cyber Security for 2020 Olympics Admits He Has Never Used A Computer

Unfortunately, this is a very real headline. As was first reported by Kyodo News, a Japan-based news firm, Japan’s chief cybersecurity strategist, Yoshitaka Sakurada, has personally admitted that he has never used a computer. According to the paper, this revelation came during a Government hearing in Japan’s lower house session on Wednesday, November 14th 2017. To get the quote exactly right, Sakurada said “Since I was 25 years old and independent, I have instructed my staff and secretaries. I have never used a computer in my life.” He explained that he believes he need not feel any shame for accepting the position, believing that cybersecurity will rely on the collective actions/efforts of the Japanese Government as a whole, not solely upon himself.

However, this news is particularly troubling considering the fact that Mr. Sakurada will be in charge of mitigating attacks ahead of and during the 2020 Olympic games in Tokyo, Japan. It is important to note that Sakurada was only elected to this position last month and given his statement in office this week, may be seeing his time in office coming to an end much sooner than later – if other lawmakers in Japan have their way, that is. Regardless, for the time being, he very well may be the most under-qualified person to serve in such a position since Donald Trump appointed Rudy Giuliani to be his “Chief Cyber Security Strategist” in 2016.

Cybersecurity ahead of the 2020 games will also be critically important, not just because the country is surrounded by APTs in China, Russia and North Korea, all of which consider Japan more of an enemy than an ally, but also because the 2020 games are set to unveil/debut the world’s first biometric currency exchange, meaning that people who attend the games will be allowed to buy, sell and carry out transactions using nothing more than their own fingerprints – something never before seen. Among other things, besides attempting to be revolutionary and push the envelope, Japan’s biometric currency system will be established in an attempt to cut down on all the theft, robbery and crime that plagued tourists during the 2016 Olympic games in Brazil.

Ron Wyden Releases Discussion Draft of New Data Privacy Protection Act

On October 31st 2018, Senator Ron Wyden (D, Oregon) formally introduced a discussion draft of a new Bill which proposes “To amend the Federal Trade Commission Act to establish requirements and responsibilities for entities that use, store, or share personal information, to protect personal information, and for other purposes.” Among other things, the proposed legislation hopes to impose strict fines against, and possibly impose jail time for, executives of major US corporations found to have mishandled, misused or lost/exposed the personal data of US citizens throughout the future.

According to Wyden’s website, “The Consumer Data Protection Act protects Americans’ privacy, allows consumers to control the sale and sharing of their data, gives the FTC the authority to be an effective cop on the beat, and will spur a new market for privacy-protecting services.”

Overview of Data Protection Act:

  • Establish minimum privacy and cybersecurity standards.
  • Issue steep fines (up to 4% of annual revenue), on the first offense for companies and 10-20 year criminal penalties for senior executives.
  • Create a national Do Not Track system that lets consumers stop third-party companies from tracking them on the web by sharing data, selling data, or targeting advertisements based on their personal information. It permits companies to charge consumers who want to use their products and services, but don’t want their information monetized.
  • Give consumers a way to review what personal information a company has about them, learn with whom it has been shared or sold, and to challenge inaccuracies in it.
  • Hire 175 more staff to police the largely unregulated market for private data.
  • Require companies to assess the algorithms that process consumer data to examine their impact on accuracy, fairness, bias, discrimination, privacy, and security.

However, it is important to note that, if passed as is, these laws would only apply to companies receiving more than $50 million in yearly revenue, which actively host the personal information of greater than 1 million people/customers. Moreover, the act excludes 3rd party data hosting providers, small business owners, as well as data brokers or commercial entities who “as a substantial part of their business, collects, assembles or maintains personal information concerning an individual who is not a customer or an employee of that entity in order to sell or trade the information.”

Being as this is a “Discussion Draft” for the time being, Mr. Wyden is currently accepting feedback, criticisms, critiques and constructive criticisms of his legislation. If you have something you would like to say in response to it, you can reach Senator Wyden at:

Full Text of Data Protection Act:

[pdf-embedder url=”” title=”Wyden Privacy Bill Discussion Draft Nov 1″]

Employers Suffering from Global Cyber Security Shortage

According to new research published by The International Information System Security Certification Consortium (ISC2), cyber security is one of the most undeveloped and understaffed fields in any area of expertise all across the globe. According to the data, ISC2 estimates that there are nearly 3 million security jobs world-wide left unfilled at the present moment in time – 2.15 million of which come out of the area of Asia-Pacific alone. This is followed by North America (498,000), Europe, the Middle East & Africa (142,000), and Latin America (136,000).

Of the business owners who were surveyed,

  • 63% of companies report that their cyber security department are understaffed
  • 59% of companies are worried that this puts them at imminent risk of attack
  • 48% of companies expect to hire more cyber security employees within the next twelve months
  • 37% of companies cite developing stronger cyber security measures as their primary concern heading into the future
  • 29% of companies say they lack the appropriate budget necessary to secure themselves
  • 27% of companies say they do not have enough time/resources to adequately secure themselves
  • 24% claim that they have not hired more cyber security workers due to a lack of qualified individuals

The most important area(s) of expertise business owners feel an ideal cyber security employee should possess are:

  • General Security Awareness (58%)
  • Risk/Threat Analysis (58%)
  • Security Administration (53%)
  • Active Network Monitoring (52%)
  • Incident Investigation & Response/Patch (52%)
  • Live Time Breach Detection (51%)
  • Cloud Computing & Security (51%)
  • Security Engineering/Architecture (51%)

In order of most desirable skills to lowest priority in terms of what these business owners are looking for out of cyber security employees:

  • Relevant cyber security work experience (49%)
  • Knowledge of advanced cyber security concepts (47%)
  • Cyber security certifications (43%)
  • Extensive cyber security work experience (40%)
  • Knowledge of basic cyber security concepts (40%)
  • Strong non-technical/soft skills (39%)
  • Cyber security qualifications other than certifications or a degree (37%)
  • Knowledge of relevant regulatory policies (37%)
  • Cyber security or related graduate degree (21%)
  • Cyber security or related undergraduate degree (20%)

According to researchers, penetration testing, ethical hacking, threat intelligence/analysis and digital forensics are some of the most important areas where expertise is currently considered low, but demand is high – especially headed into the immediate future.

Full Study: 

[pdf-embedder url=”” title=”2018 ISC2 Cybersecurity Workforce Study”]