Operation Kingphish: Uncovering a Campaign of Cyber Attacks against Civil Society in Qatar and Nepal

Over the course of 2016 — and particularly intensifying towards the end of the year — several individuals known to Amnesty International were approached via email and through social media by “Safeena Malik”, seemingly an enthusiastic activist with a strong interest in human rights. What lied beneath this facade was a well-engineered campaign of phishing attacks designed to steal credentials and spy on the activity of dozens of journalists, human rights defenders, trade unions and labour rights activists, many of whom are seemingly involved in the issue of migrants’ rights in Qatar and Nepal.

Our investigation of the attacks didn’t yield any evidence that would indicate the conclusive responsibility of a particular government, although we suspect these attacks might have been orchestrated by a state-affiliated actor. We refer to this campaign and the associated actor as Operation Kingphish (“Malik”, in one of its written forms in Arabic, translates to “King”).

It is worth noting that in December 2016, Amnesty International published an investigation into another social engineering campaign perpetrated by a seemingly fake human rights organization known as Voiceless Victims, which targeted international human rights and labour rights organizations campaigning on migrant workers’ rights in Qatar. While there is a clear alignment of interests, we have found no evidence to suggest these two campaigns are directly connected.


Migrants’ rights in Qatar

Migrant workers, mainly from South Asia, comprise more than 90% of Qatar’s workforce, with Nepalis being one of the largest nationalities. The exploitation of migrant workers in Qatar, particularly in the construction sector, has been widely reported on since Qatar won the right to host the 2022 World Cup. The sponsorship system, which ties migrant workers to their employers has been widely criticized as being a major driver of exploitation.

YouTube

As Amnesty International reported, recent changes to laws governing the migrant labour system in Qatar barely scratch the surface of the problem and continue to leave migrant workers, including those building stadiums and infrastructure for the World Cup, at the mercy of exploitative bosses and at risk of serious human rights abuses including forced labour. Workers still require exit permits to leave the country, which can still be blocked by their employer, and employers can now legally keep hold of their workers’ passports under a new loophole which can be easily exploited.


“Safeena Malik” phishing expedition

Note: throughout the report we have redacted, where necessary, names and email addresses of individuals and organizations targeted in order to protect their identity and safety. We have also obscured wherever possible the pictures utilized by the attackers on the fake social media profiles, as they have been likely stolen from people with no involvement in these attacks.

Our investigation revealed that unidentified attackers have purposefully created and maintained what appears to be a fake online persona, named “Safeena Malik”, in order to regularly engage in conversations with the selected targets, and at different times and with different pretenses try to lure them into giving away their credentials to their Gmail account through the use of phishing attacks.

Phishing is a hacking technique that often consists of mimicking popular online services (such as Google, Facebook, Twitter, and Linkedin) and credibly replicating their login pages, with the goal of stealing usernames and passwords from the designated victims by luring them into mistakenly authenticating through such pages.

This type of attack is extremely popular, and often used against members of civil society. It is relatively easy and cheap to orchestrate, and if successful it grants the attackers access to victims’ personal and professional email accounts, which can obviously reveal very sensitive information. For example, having an activist’s email account phished might lead to the reconstruction of their network, exposure of sources’ identities, as well as abuse of their accounts for impersonation. By comparison, phishing attacks are likely significantly more common than malware attacks.

Phishing attacks are normally delivered through emails soliciting the target to open a link and login to, for example, a Google-like page. The strategies used to make this solicitation credible can vary. Often, for example, the email would falsely inform the victim that their account has been hacked, urgently requiring a password reset.

“Safeena Malik” has a full presence on social media but her twitter account, created in December 2014 has only one visible tweet, dating from 23 December 2014, a simple “hi”. We believe it is possible that the operators of Operation Kingphish might have acquired a set of pre-registered (or stolen) social media profiles online. The accounts “Safeena Malik” follows show a clear pattern: a large number of Middle East-based journalists for international publications, staff of international human rights organizations and trade unions, and various campaigns for migrants’ rights in Qatar.

Their Facebook account appears to be more active, and their LinkedIn profile, has 500+ connections.

The various social media accounts communicated regularly with several of the victims we identified, often for many months. It appears that the attackers may have impersonated the identity of a real young woman and stole her pictures to construct the fake profile, along with a professional biography also stolen from yet another person. The emails and messages sent by the fake “Safeena Malik” would normally be timed around — before, and following — the delivery of yet another attempt at phishing the credentials of the designated victims.

Case 1: Fake Google, real Google

For example, in the exchange below, “Safeena” tried to lure the target by purporting to be seeking help on some important research on human trafficking.

In the course of this email correspondence, the attacker — “Safeena” — then sent what appeared to be invitations to access several documents on Google Drive.

The links and buttons contained in the emails would direct the victim to a webpage that looked something like this:

Note: the profile picture has been manipulated to protect the identity of the target.

The page is designed to mimic a standard Google login page, with a high degree of accuracy. While most common phishing pages would only provide an empty form to enter an email address and password, this one instead is configured to display the profile picture, the account name, and the email address of the victim. This is obscured in the above screenshot to protect the privacy of the victim.

This design effectively replicates a real Google login page, which would similarly display the same information if you had previously logged into your account from a computer. The attackers were meticulous in making their phishing page as credible as possible.

Interestingly, after the victims would have entered their Google account credentials, they would be redirected to an actual document hosted on Google Drive, effectively recreating a normal browsing experience in order to avoid suspicion. In the example below, the target would have been redirected to a PowerPoint presentation on human trafficking. Amnesty has identified that this presentation had also been stolen from another source.

Case 2: Making friends and connections

Among the targets of this campaign is the International Trade Union Confederation (ITUC). ITUC is a trade union federation based in Brussels and among the largest in the world, counting over 170 million members. ITUC has been very outspoken in recent years about migrant labour rights in Qatar, and is behind the “Re-Run the Vote!” campaign against the award of the organization of the 2022 FIFA World Cup to Qatar.

Both in the attacks against ITUC and in other occasions, the attackers approached selected targets over social media, prominently Facebook, and engaged in chat conversations with them on and off, sometimes over a period of several months. At times the attackers behind the profile would just have a short casual conversation, while at others they attempted an attack. Possibly in order to identify further targets, “Safeena Malik” found her way into several Facebook groups dealing with migrant workers and forced labour.

Similarly to attempts described previously, in this case the attackers also invited the targets to open a document seemingly shared on Google Drive. This time the document purported to be about the involvement of the Emir of Qatar in funding ISIS, which was seemingly copied from a website critical of Qatar.

Once the target would provide their credentials through the fake Google login page, they would also be automatically redirected to an existing document hosted on the legitimate Google Drive.

While it might not appear significant, this attention to detail is what, in our experience, sets apart these phishing attempts from more common ones, as they demonstrate a level of experience and care that is both unusual and remarkable.

Case 3: Hanging out

Similar tactics are exemplified by yet another case we’ve become aware of and portrayed in the picture below, where the fake “Safeena Malik” profile is conversing with a prominent activist from Nepal working on migrant workers issues, soliciting them to give away their Gmail address.

Interestingly, the attackers tried to leverage common Facebook friends in an attempt to convince the target of their legitimacy. This is a tactic we’ve observed the attackers utilize on numerous occasions across their conversations with some of the targets we know of, which explains the time and effort spent in building a large social graph.

In this case, the attackers very credibly pretended to have been inviting the targets to participate in a Google Hangout (a videoconferencing service operated by Google).

Again, when clicking on the button the target would be presented with a Google-like login page.

Note: the profile picture has been manipulated to protect the identity of the target.

Identifying the Victims

While we first learned of these attacks through a journalist who was targeted, we soon learned of many others.

What we discovered, is that the phishing pages are in fact “configurable”. The links sent via email to the targets contains all the required information for the phishing page to load the appropriate profile picture and names.

For example, a link would look like this (please note that the links have been edited to disable any accidental clicks and redacted to protect the victim’s privacy):

hxxp://rqeuset.hanguot.g-puls.viwe.accnnout-loookout.auditi.devisionial-checlkout.inistructiion-mutuael.halftoine.appliacctiorn-gurad-way.leigacy-fs.termp-forn.provider-saefe.alvie-valuse.token-centeir.recollect.label.ping2port[.]info/?ml=[REDACTED]=&n@e=[REDACTED]&P4t=[REDACTED]&Re3d=aHR0cDovL3Rpbnl1cmwuY29tL2g5d3h3cDg=&pa=2&gp=1

In the URL there are some encoded values passed to the webpage, which decode to the following:

hxxp://rqeuset.hanguot.g-puls.viwe.accnnout-loookout.auditi.devisionial-checlkout.inistructiion-mutuael.halftoine.appliacctiorn-gurad-way.leigacy-fs.termp-forn.provider-saefe.alvie-valuse.token-centeir.recollect.label.ping2port[.]info/?ml=[REDACTED]&n@e=[REDACTED]&P4t=//ping2port.info/[REDACTED]/[REDACTED].jpg&Re3d=http://tinyurl.com/h9wxwp8&pa=2&gp=1

The first value is the email address of the target, the second is the account name (most often the full real name of the intended target), the third value is an address pointing to a copy of the target’s profile picture pulled from their Google+ or YouTube profile, and the last is a link to which the victim will be redirected after their credentials have been successfully stolen.

The stolen profile pictures would be stored on the server owned by the attackers. Interestingly, their filename and location were predictable as they would be normally saved in a particular folder with a filename that would be a combination of two lower-case letters. For example:

hxxp://ping2port[.]info/[REDACTED]/xx.jpg (this particular filename is fictional, and the URL has been disabled to prevent misclicks).

As we noticed that this pattern was repeated across a couple of attacks that came to our attention, we realized we might be able to identify additional victims by regularly attempting to download all the available profile pictures stored with all the 676 possible combinations of two-letter filenames. Once we obtained new profile pictures, a simple image search online could reveal the identity behind these victims.

Surely enough, it allowed us to identify nearly 30 distinct targets.

Most identified targets were activists, journalists, and labour union members. While some of targets had published critical opinions about Qatar’s international affairs, the majority of identified targets were affiliated with organisations supporting migrant workers in Qatar. Interestingly, a significant number of them are from Nepal, which is one of the largest nationalities amongst migrant workers in Qatar, and a country that has featured prominently in the migrant worker narrative on Qatar.

We learned however of several more targets who appeared to not have been configured with a stored profile picture, so it is possible that the number of actual targets was far larger. Through our conversations with identified targets it became clear that “Safeena Malik” often approached members of thematic Facebook groups and asked for information and contact details about further targets we were not originally aware of.


Who is behind the attacks?

We don’t have conclusive evidence that could implicate any particular government or individual as being responsible for these attacks, but the fact that the campaign specifically targets individuals active on human rights issues in Qatar, makes us believe that it might be a state-sponsored or affiliated actor. We believe it is also possible that these attacks have been orchestrated by contractors. In fact, similar intelligence gathering operations uncovered in other GCC countries, have shown a reliance on outsourcing this work to private firms.

Interestingly, the attackers logged into some of the harvested email accounts from the IP address 178.152.139.XXX [last octet redacted] as these Gmail recent activity records display:

This IP address appears to be an Internet connection provided by Ooredoo, an Internet Service Provider with headquarters in Doha, Qatar.

Note: the geographical mapping of an IP address is often very approximate, and while it indicates that the attackers used a connection in Doha, the coordinates, which were provided by the free MaxMind service should not to be considered to be a precise location.

We wrote to the Government of Qatar with information about this phishing campaign and asking about their possible involvement. They responded, vigorously denying any link to the attacks. (We should note that Amnesty International was not one of the targets of this campaign.)

The Government of Qatar also expressed their interest in stopping the phishing attacks.

We also wrote to “Safeena Malik” on the Gmail address used to contact targets. We summarized our findings and asked for a response. We similarly contacted the Facebook account used in the attacks. As of publication, we have not received any reply.

While there is a clear underlying Qatar migrant workers theme in this campaign, it is also hypothetically possible that these attacks could have been perpetrated by a malicious actor affiliated to a different government with an interest in damaging the reputation of the State of Qatar.

However, in the absence of clear evidence, trying to identify the entity behind this attack can only be speculative. As such, we cannot make any conclusive attribution.


Have I been targeted too?

Following is a Gmail query to search for specific keywords that we believe are unique to the malicious emails sent by the “Safeena Malik” profile.

from:safeenamalik6 OR "ropelastic.com" OR "ping2port.info"

You can copy and paste it in the search bar at the top of your Gmail window like so:

If you have received any emails related to this campaign, Gmail should filter them from your inbox and highlight them to you.

If you have further information about this campaign or have been targeted, and would like to share information with us, you can write us at tech.reports@amnesty.org or use Amnesty’s secure dropbox https://amlea.org/en/.

Some tips to protect yourself against phishing

Be careful with links: before clicking a link or button on an email check where it is redirecting you to. You can usually do this by hovering your mouse pointer over the link or button; you can also find out by right-clicking and copying the link. If an email tells you it’s taking you to Facebook or Gmail but the link doesn’t look like like a Facebook or Google address, then there might be something wrong. If you’re not sure, type the address yourself and log in.

Enable two-factor authentication: two-factor authentication is an extra step you need to log-in to your account. In most cases, it’s very simple and you only need to do it when you use a new device or once every few weeks. Most commonly you will be required to provide a six-digit code delivered through your phone either through an SMS message, or preferably through a mobile app, like Google Authenticator, Authy or Duo Mobile. While it might appear tedious at first, this process makes it a lot harder to hack your online accounts, as your passwords alone wouldn’t be sufficient to access them.

Many popular services have two-factor authentication, including Gmail, Outlook, Facebook and Twitter. You can read more details on two-factor authentication here.

Be wary of strangers: if someone you don’t know contacts you and starts asking you for personal details, contact details and names of people you know, treat it with suspicion. A simple rule is: if you wouldn’t share it on twitter, don’t share information with someone you don’t know, even if it is someone who appears to have friends on social media in common with you. As we learned from this campaign, attackers do commonly befriend many people to leverage common social connections as a way to appear more credible and legitimate.


Acknowledgements

This report is the product of investigations by Claudio Guarnieri, Sherif Elsayed-Ali, Ashmita Sapkota and others at Amnesty International, and with the help Collin Anderson. We would also like to thank all those targeted who came forward to share information on these attacks.

Security Indicators

Following are details useful for Internet Service Providers and the security community to further research and implement appropriate defenses.

ropelastic[.]com
ping2port[.]info
drvie.goo-qle.aconnut.corn.provider-termp.fs-valuse.checlk-out.appliactiorn.token-loookout-recomrnendation.deivisional.centeir-halftone.mutuael-inistructiion.leigacy-auditi.label-recollect.forn-alive.ropelastic[.]com
rqeuset.hanguot.g-puls.viwe.accnnout-loookout.auditi.devisionial-checlkout.inistructiion-mutuael.halftoine.appliacctiorn-gurad-way.leigacy-fs.termp-forn.provider-saefe.alvie-valuse.token-centeir.recollect.label.ping2port[.]info
direve.g-co.pohto.shraning.fodler-premissiion.viwe.termp-recomrnendation.appliacctiorn.loookout.forn-devisionial.recollect.auditi-checlkout.inistructiion.halftoine-valuse.provider-alive.leigacy.gurad-way.saefe-fs.ping2port[.]info