Amnesty: hackers spent months building personas used to phish Qatari labor activists

In a new report, Amnesty International summarizes the security research they did on the victims of a sophisticated phishing attack aimed at Qatari labor activists, dubbed "Operation Kingphish."

Several activists were approached by a personal calling themselves "Safeena Malik," who claimed to represent a human rights NGO. The Malik persona had a deep, years-long presence on social media, with hundreds of Linkedin contacts. The Malik persona targeted journalists, activists and organizers engaged in the struggle for labor rights in Qatar — a notorious haven of forced labor and unsafe working conditions — for months on end, carefully building up trust with them and sending them multiple forms of bait that sought (sometimes successfully) to capture their Google logins.

The phishing attack itself took the form of a supposed link to a Google Doc; targets were sent to a lookalike page that seemed to be a login screen for Google, already populated with their real Google userids and avatars. The attackers were known to use a server in Doha, Qatar to stage their attacks.

Amnesty stops short of blaming the attacks on the government of Qatar, but there is circumstantial evidence linking the two.

The Gmail attack has been successful. Motherboard spoke to one journalist who inadvertently handed over their password, although they were suspicious of the document links and Malik's messages. (The journalist asked not to be identified as they engage in undercover work.)

"I got a message on Christmas day, saying Happy Christmas!" the journalist said. In all, Amnesty believes Malik targeted nearly 30 people, judging by information left in an exposed server used in the attacks.

A major part of the Malik identity is the substantial social media presence. Her LinkedIn profile appears to have lifted a bio from someone else, and her photos are seemingly a stolen mis-mash from other accounts across the web. On Facebook, Malik has joined several groups related to her targets, including communities that deal with migrant workers and forced labour, Amnesty's report reads. Sometimes, Malik will use her mutual connections to targets as leverage—maybe a victim is more likely to chat if Malik is a friend of a friend.

Operation Kingphish: Uncovering a Campaign of Cyber Attacks against Civil Society in Qatar and Nepal [Nex/Amnesty International]

This Cunning, Months-in-the-Making Phishing Campaign Targeted Dozens of Journalists, Activists [Joseph Cox/Motherboard]