The website used the domain electronicfrontierfoundation.org (EFF’s true domain is eff.org) and was set up earlier this month.
Spear phishing attacks work by taking advantage of a person's trust in a familiar website. An attacker might send a victim a link that appears trustworthy. Someone familiar with EFF, for instance, might see an electronicfrontierfoundation.org link and click it without hesitation. Once the victim clicks the link, however, malware is installed on their computer, which the attacker can then use to compromise the machine.
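A defender-side check for the lookalike-domain trick described above, added here as an example (it is not EFF's or the article's code). The owned-domain allow-list, the brand markers and the sample message are assumptions constructed for the example; the check also catches the brand name used as a subdomain of an unrelated domain, a variant the article does not discuss.

```python
import re
from urllib.parse import urlparse

# Domains the organisation actually controls; eff.org is the true domain named in the article.
KNOWN_GOOD = {"eff.org"}
# Brand markers (assumption for this example): an exact "eff" hostname label, or any label
# containing "electronicfrontier", is treated as an attempt to imitate the brand.
EXACT_LABELS = {"eff"}
SUBSTRING_MARKERS = ("electronicfrontier",)

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registered_domain(host: str) -> str:
    """Last two labels of a hostname. Simplified: ignores multi-part suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_like_brand(host: str) -> bool:
    """True when any hostname label imitates the brand name."""
    labels = host.lower().split(".")
    return any(lab in EXACT_LABELS or any(m in lab for m in SUBSTRING_MARKERS) for lab in labels)


def classify_link(url: str) -> str:
    """'trusted' if the registered domain is owned; 'lookalike' if an unowned host imitates
    the brand (registrable lookalike or brand-as-subdomain); otherwise 'unrelated'."""
    host = urlparse(url).hostname or ""
    if not host:
        return "unrelated"
    if registered_domain(host) in KNOWN_GOOD:
        return "trusted"
    return "lookalike" if looks_like_brand(host) else "unrelated"


def flag_lookalikes(message: str) -> list:
    """Return the links in a message body that imitate the brand without being owned by it."""
    return [u for u in URL_RE.findall(message) if classify_link(u) == "lookalike"]


# Constructed sample message; electronicfrontierfoundation.org is the host named in the article.
SAMPLE = (
    "Read our update at https://www.eff.org/deeplinks and "
    "verify your account at https://electronicfrontierfoundation.org/login "
    "or http://eff.org.example.net/reset before tomorrow."
)

if __name__ == "__main__":
    for link in flag_lookalikes(SAMPLE):
        print("suspicious:", link)
```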
In this case, EFF suspects that the malware is Sednit, which could be used to install a keylogger (software that records everything the victim types) or other software.
“It appears to have been used in a spear phishing attack, though it is unclear who the intended targets were,” EFF staff technologist Cooper Quintin wrote in a blog post.
Quintin said the attack is “relatively sophisticated” and uses a Java exploit to install its malware. He also noted that the malware is similar to that used in a larger spear phishing campaign known as Pawn Storm, which is thought to be associated with the Russian government.
EFF says it was alerted to the site's existence by Google's security team. EFF reported the domain and says Oracle has patched the Java bug that allowed the malware to be installed.
“Of course this is an excellent reminder for everyone to be vigilant against phishing attacks,” Quintin wrote. “Our SSD guide contains advice on how to improve your security, watch for malicious emails, and avoid phishing attacks such as this one.”
H/T Hackread | Illustration by Max Fleishman