Screenshot showing a web site in Turkey where malicious code was stored for a phishing attack. The right-hand window shows the page’s hidden HTML code, which reveals a malicious Flash component embedded in the page, waiting to download to computers that visited the site.
By Kim Zetter:
The email appeared to come from a trusted colleague at a renowned academic institution and referenced a subject that was a hot-button issue for the recipient, including a link to a website where she could obtain more information about it.
But when the recipient looked closely at the sender’s email address, a tell-tale misspelling gave the phishing attempt away — the email purported to come from a professor at Harvard University, but instead of harvard.edu, the email address read “hardward.edu”.
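The giveaway above, a sender domain that is a near-miss of a trusted one, is easy to check mechanically. The following Python snippet is an added example written for this page, not code from the article, from Arsenal Consulting or from Hacking Team: it compares the domain of an incoming address against a constructed allowlist of trusted domains using edit distance, so that "hardward.edu" is flagged as a lookalike of "harvard.edu" while an exact match passes and an unrelated domain is merely reported as unknown. The allowlist and the distance threshold are assumptions chosen for the example.

```python
# Added example (not from the Wired article): flag sender domains that are
# near-misses of trusted domains, the way "hardward.edu" mimics "harvard.edu".
from dataclasses import dataclass
from typing import List, Optional

# Constructed allowlist: domains the recipient legitimately corresponds with.
TRUSTED_DOMAINS: List[str] = ["harvard.edu", "mit.edu", "example.org"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insertions, deletions, substitutions)."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution / match
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Return the lowercased domain part of an email address, or raise on malformed input."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return domain


@dataclass
class Verdict:
    address: str
    domain: str
    status: str              # "trusted", "lookalike" or "unknown"
    closest: Optional[str]   # nearest trusted domain, when relevant
    distance: Optional[int]  # edit distance to that domain


def classify_sender(address: str,
                    trusted: List[str] = TRUSTED_DOMAINS,
                    max_distance: int = 2) -> Verdict:
    """Classify a sender address relative to the trusted-domain allowlist.

    max_distance is an assumed threshold: small enough to avoid matching
    unrelated domains, large enough to catch one- or two-character tampering.
    """
    domain = sender_domain(address)
    if domain in trusted:
        return Verdict(address, domain, "trusted", domain, 0)
    closest = min(trusted, key=lambda t: levenshtein(domain, t))
    dist = levenshtein(domain, closest)
    if dist <= max_distance:
        return Verdict(address, domain, "lookalike", closest, dist)
    return Verdict(address, domain, "unknown", None, None)


if __name__ == "__main__":
    # Constructed sample senders, including the misspelling from the article.
    for addr in ["professor@harvard.edu", "professor@hardward.edu", "someone@gmail.com"]:
        v = classify_sender(addr)
        print(f"{addr:28} -> {v.status:9} closest={v.closest} distance={v.distance}")
```

In practice the allowlist would be derived from the recipient's actual correspondents, and a "lookalike" verdict should be surfaced as a warning rather than used to silently drop mail, since two-character edits can also occur between unrelated legitimate domains.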
Not exactly a professional con-job from nation-state hackers, but that’s exactly who may have sent the email to an American woman, who believes she was targeted by forces in Turkey connected to or sympathetic to the powerful Gülen Movement, which has infiltrated parts of the Turkish government.
The email contained a link to a web site in Turkey, where a malicious downloader file was waiting to install on her computer — a downloader that has been connected in the past to a spy tool purportedly sold exclusively to law enforcement and intelligence agencies around the world.
The woman, who asked to remain anonymous because she’s concerned about retaliation, sensed the email was a fraud and did not follow the link. Instead, the email was passed to researchers at digital forensics firm Arsenal Consulting, who set up a honeypot to visit the Turkish web site and obtained the downloader.
Though investigators didn’t obtain the file that the downloader was supposed to install, analysis of it showed that it was the same downloader that has been used in the past to install Remote Control System (RCS), a spy tool made by the Italian company Hacking Team and sold to governments. A digital certificate used to sign the downloader has also been used in the past with Hacking Team’s tool.
“It was the first hint that this was connected to Hacking Team and RCS,” Mark G. Spencer, president of Arsenal, told Wired.
Hacking Team asserts that it sells the RCS tool only to law enforcement and government security agencies for lawful intercept purposes, but it has reportedly been used against activists and political dissidents in Morocco and the United Arab Emirates and possibly elsewhere, an issue for which Hacking Team has been severely criticized.
The company touts in marketing literature that the tool evades encryption and bypasses antivirus and other security protections to operate completely invisibly on a target’s machine.
The RCS tool, also known as DaVinci, records text and audio conversations from Skype, Yahoo Messenger, Google Talk and MSN Messenger, among other communication applications. It also steals Web browsing history and can turn on a computer’s microphone and webcam to record conversations in a room and take photos. The tool relies on an extensive infrastructure to operate and therefore is not easily copied and passed to non-government actors outside that infrastructure to use for their own personal spy purposes, according to a Hacking Team spokesman.
Spencer says there’s no definitive proof pointing to who is behind the attempted hack of the American woman, but notes there is circumstantial evidence that warrants further attention.
“We have an email, a purported sender, and a target all critical of the Gülen movement. We have professional malware launched from a server in Turkey. You can take it from there,” Spencer said.
Read more at Wired