This week, Morgan Marquis-Boire and Bill Marczak of the University of Toronto's Citizen Lab provided a disturbing look into the likely use of a commercial surveillance program, FinFisher, to remotely invade and control the computers of Bahraini activists. After the software installs itself onto unsuspecting users' computers, it can record and relay emails, screenshots, and Skype audio conversations. It was deployed against Bahraini users after being concealed in seemingly innocent emails.
In one example decoded by Marquis-Boire's team, the message was crafted to appear to be from Melissa Chan, a journalist working for Al-Jazeera English. The attackers were using Chan's reputation as a journalist to trick their victims into opening the document.
Chan now works for Al-Jazeera in Jerusalem, but when she was a correspondent in China she was the target of email attacks herself. In an attempt to take control of her real Gmail address, a message was sent to her from someone implying they were connected to China's "Jasmine revolution." The independent Bahraini newspaper Al-Wasat said it has been targeted with fake messages from sources as well--not to deliver malware, but to trick it into running false stories the government then used to try to discredit the paper.
Email senders are relatively easy to fake. The "From" address used in the Bahraini attack was not Chan's own email address, but a throwaway Gmail account that looked like an address ("firstname.lastname@example.org") Chan might conceivably use.
Broad caution with unknown correspondents is a defense: If you don't download attachments and don't click on links in strange emails, you aren't vulnerable to the hacking attacks these emails are designed to allow. When I spoke to Chan about the attacks in her name, she noted that "many people do not look at the email address, but just the 'Last Name, First Name.' ... There were one or two times when I wasn't sure about the sender and I wrote back asking them to identify themselves in a way I'd know was definitely him/her."
That's a good technique, but it's even better if you can use an alternative medium for your fact-checking. Use a phone call or instant messaging to confirm a message before opening any attachment. If an attacker has already used malware to take control of another user's computer, they may have access to private information. They can also act as a "man in the middle" online, relaying email questions and answers between two unsuspecting correspondents--but able to spy or add their own fabrications. A live phone call is harder to fake.
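The weakness Chan describes, readers trusting the display name and never looking at the address behind it, can be checked mechanically. The following is an added example, not code from the original post or from Citizen Lab: it parses a "From" header, normalizes the display name (including the "Last Name, First Name" form), and flags a message as a likely impersonation when the name matches a known contact but the address does not. The contact list and sample headers are constructed for illustration.

```python
# Added example (not from the original post): flag display-name impersonation,
# where a sender's name matches a known contact but the address is a throwaway.
import re
from email.utils import parseaddr

# Constructed address book: contact names as the recipient knows them,
# mapped to the addresses that contact actually uses.
KNOWN_CONTACTS = {
    "jane reporter": {"jane.reporter@example-news.org"},
}

def normalize_name(name: str) -> str:
    """Lower-case, turn 'Last, First' into 'first last', collapse whitespace."""
    name = name.strip().strip('"')
    if "," in name:
        last, first = name.split(",", 1)
        name = f"{first} {last}"
    return re.sub(r"\s+", " ", name).strip().lower()

def check_sender(from_header: str, contacts=KNOWN_CONTACTS) -> str:
    """Return 'trusted', 'impersonation' or 'unknown' for a From: header value."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    name = normalize_name(display)
    if name in contacts:
        # Familiar name: only trust it if the address is one the contact really uses.
        return "trusted" if addr in contacts[name] else "impersonation"
    if any(addr in addrs for addrs in contacts.values()):
        return "trusted"   # known address with no or a different display name
    return "unknown"       # not an impersonation, but still verify out of band

# Constructed sample headers covering the cases discussed above.
SAMPLE_HEADERS = [
    "Jane Reporter <jane.reporter@example-news.org>",
    '"Reporter, Jane" <jane.reporter.news@example.com>',   # throwaway lookalike
    "Jane  Reporter <jane.reporter@example.com>",           # lookalike domain
    "Unknown Person <someone@example.net>",
]

def triage(headers):
    """Pair each header with its verdict."""
    return [(h, check_sender(h)) for h in headers]

if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_HEADERS):
        print(f"{verdict:14} {header}")
```

An "unknown" verdict is not a pass; it is exactly the case where the out-of-band confirmation described above applies.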
In terms of sophistication, it's hard to know what to think of the Bahraini espionage revealed by Citizen Lab. In some ways, the masquerade was clumsy--but, then, if it had been more convincing, it may have gone unnoticed. We only see the results of unsuccessful espionage. Still, even that is enough to see the damage being caused to the reputations of journalists and the safety of their communications. Security services faking messages from real journalists in order to spy on activists is a grave danger to press freedom.
Citizen Lab's analysis demonstrates that spyware supposedly made for law enforcement purposes by the UK company Gamma International is now being used in ways that no democratic society can tolerate. Gamma should immediately reveal whether it has been selling this technology to the Bahraini authorities and what it intends to do to prevent abuses from recurring.