Several prominent net neutrality advocacy groups were targeted in a spearphishing campaign, with around 70 attempts made to break into the accounts of activists at Free Press and Fight for the Future. The campaign, revealed in an Electronic Frontier Foundation report, used details about the activists’ personal lives and sexually explicit content to try to trick them into clicking phishing links that would allow the attackers to take over their accounts.
Evan Greer, Fight for the Future’s campaign director, was one of the individuals targeted. According to the EFF, the attacker asked for a link to a page where they could purchase Greer’s music. “Evan replied with a link,” the EFF wrote. “The attacker replied with an email in which they complained that the link was not working correctly, having replaced the link with a phishing page made to look like a Gmail login.”
In other attempts, the attackers created fake subscription emails for porn sites like PornHub and RedTube and embedded phishing links in the “unsubscribe” buttons on the emails.
The attackers targeted Dropbox and LinkedIn accounts as well as email accounts. The EFF believes that the campaign was professionally coordinated — its report notes that the attackers worked normal business hours, taking off Saturdays and Sundays.
“The attackers were remarkably persistent, switching up their attacks after each failed attempt and becoming increasingly creative with their targeting over time,” the EFF’s Eva Galperin and Cooper Quintin wrote.
The phishing campaign ran from July 7 through August 8 — in the midst of a fierce debate about the future of net neutrality. Fight for the Future and Free Press were both deeply involved in coordinating the began to unravel during this period, drawing additional attention to the debate.
Ultimately, the spearphishing campaign only managed to gain access to one account, the EFF reports. “We recommend an organisation-wide requirement to enable two-factor authentication on all accounts with access to sensitive data such as emails, social media accounts, planning documents, github logins, CMS logins, or other credentials,” Galperin and Quintin wrote. “It is our recommended best practice to secure all accounts with two-factor authentication so that trusted compromised accounts can’t be used in the service of more effective spearphishing attacks.”