Activists in Syria were targeted by a Phishing scheme recently, via a false YouTube page, which targeted usernames and passwords in addition to pushing malware. It’s believed that the attackers were pro-government, if not part of the regime itself.
The EFF reported on Thursday that the Phishing page, which has been taken down, targeted Syrian activists searching for current information and related news. The page itself replicated YouTube, and required that the visitor enter in their YouTube username and password in order to leave comments.
Video viewing on the page presented the user with an update to Adobe Flash Player, which if installed allows attackers from a Syrian IP to push additional malware onto the system.
Last week, the EFF also reported on the discovery of XtremeRAT. The Trojan spreads via email and chat messages, and was discovered on systems used by Syrian activists. It has the ability to capture webcam activity, record keystrokes, password sniffing and more. In addition, XtremeRAT can disable notifications from some AV vendors. Any information collected was sent to a server using a Syrian IP.
According to Reporters Without Borders, Syria already had a strong censorship stance on the Internet before the revolution started in 2011, but it has only gotten worse.
Skype and Mumble are the two of the more popular methods activists use to share news and show the world images from a nation on the brink of civil war. So the discovery of XtremeRAT was both shocking and expected. Those familiar with the state of the Web in Syria knew it wouldn’t be long before Assad’s regime expanded their monitoring and censorship efforts.
“EFF is deeply concerned about this pattern of pro-government malware targeting online activists in authoritarian regimes. We will continue to keep a close eye on future developments in this area,” the organization said in a blog post.