Venezuelan Pro-Regime Accounts Publish Personal Data of Phishing Victims

Phishing attack on website run by Venezuelan opposition exposed data of hundreds of sympathizers of Juan Guaidó, jeopardizing the victims’ safety

@DFRLab
@DFRLab
Mar 18, 2019 · 6 min read
(Source: @DFRLab)

A leaked database of Venezuelan opposition sympathizers published on February 17 by pro-Maduro Twitter accounts and websites was, at least in part, the result of a regime-linked phishing operation.

As some of the individuals whose names appear on the lists expressed in phone conversations with @DFRLab, the data leak put their physical security at risk by rendering them likely targets of harassment from the Bolivarian Service of Intelligence (SEBIN, Spanish acronym), the Maduro regime’s political police force known for brutality against opposition leaders and sympathizers, and possibly from hostile Maduro supporters not directly linked to the regime.

The cyberattack perpetrators violated the right to privacy of thousands of Venezuelan citizens. The incident further exposed the close affiliation between pro-regime websites and Twitter accounts, on one hand, and sectors of the regime, on the other.

The Attack’s Target

When trying to access the site through both Cantv and Movilnet — the two state-owned internet service providers — users were automatically redirected to the now-offline website voluntariovenezuela.com (omitting the “s” and the “x” of the authentic site). The site was visually identical and also included a registration form.

Screenshots captured by Twitter user @AlexTripSands on February 12 of the false page, voluntariovenezuela.com (left), and the original site, voluntariosxvenezuela.com (right). (Source: @AlexTripSands/archive)

On February 12, Venezuela Sin Filtro (VSF), an independent research organization that documents blockages and cyberattacks in the country, first reported the phishing attempt on its Twitter account. VSF published an in-depth report on February 15 that noted that the information captured on the deceptive site was stored on a server whose IP address had links with the regime. (Of note, as the phishing pages are now offline, @DFRLab was unable to replicate VSF’s findings.)

The VSF researchers discovered that the deceptive website shared its host server with several phishing domains known to target Venezuelan users. All of the domains were registered with a phone number associated with an office inside Conatel, the Venezuelan communications regulator.

Following the release of the VSF report, several internet browsers, including Google Chrome, Mozilla Firefox, and Microsoft Edge, flagged the deceptive website as dangerous. On February 22, however, Venezuela Sin Filtro reported on Twitter that the phishing attacks had resumed, this time redirecting to the URL voluntariosxxvenezuela.com (with a double “x”). The new false website is offline at the time of publishing.

@DFRLab obtained a screenshot of the database with 24 names and cross-referenced the national ID numbers of individuals listed in the database with the National Electoral Council’s (CNE, Spanish acronym) electoral register, the top elections authority in the country. The ID numbers of 22 of the individuals corresponded with the ID numbers registered in the official database. The other two IDs did not appear on the census.

Afterwards, @DFRLab called each of the 24 phone numbers. Of the 24 individuals, @DFRLab reached 15 of them. All 15 confirmed that the email addresses listed on VoluntariosXVenezuela were correct, and seven of the individuals confirmed that they had attempted to login to VoluntariosXVenezuela from a Cantv connection before the attack was first reported. Some of them said they did not receive a confirmation email after their registration, which made them wary of the website.

Who Published the Data?

Translation, from Spanish: “A patriot, a collaborator of the ALLEGED ‘Coalition for help and freedom in Venezuela,’ leaked data (well, he really sold them to us) of everyone who signed on to voluntariosxvenezuela.com prior to Friday February 15, 2019.” The screenshot is intentionally blurred. (Source: @RebeldeRed4f)

Later that day, Lechuguinos, a pro-regime media outlet, published the same list, as well as an additional list with hundreds of names. The outlet also posted a third list of names on February 20 and a fourth list on February 21.

Screenshots of the four published dumps by Lechuguinos. Article titles deliberately obscured. (Source: Lechuguinos)

Both @RebeldeRed4F and Lechuguinos pushed a narrative that aimed to blame the team running the VoluntariosXVenezuela website for the data leak. The @RebeldeRed4F account claimed that “the opposition sold the data to us,” while Lechuguinos claimed that the website’s staff “took advantage of the data from Guaidó’s ‘volunteers’ to do their business.” The overwhelming evidence that the data came from a phishing attack, however, discredits these claims.

The fact that both the pro-regime account @RebeldeRed4F and Lechuguinos had access to the phishing database reveal the close links between these online-media entities and the orchestrators of the phishing attack. @RebeldeRed4F is a 28,800-follower-strong regime loudspeaker account, active since February 2012. Roughly 79 percent of the account’s tweets over the last two months are retweets, mostly of posts by accounts belonging to regime officials or parties, including Nicolas Maduro; Diosdado Cabello, the President of the National Constitutional Assembly; and the United Socialist Party of Venezuela (PSUV), the ruling party.

Analysis of the tweeting activity of the account @RebeldeRed4F. (Source: @DFRLab via Tweetonomy)

Lechuguinos has had an online presence since at least July 2016, when its first articles appeared online, according to Google search results. Still, its 111,000-followers-strong verified Twitter account has been live since 2011. The Twitter account publishes short statements that echo the Maduro regime’s narratives about the opposition, the United States, and Colombia. The Lechuguinos articles that included the lists of Guaidó supporters were in turn amplified by regime sympathizers on Twitter and Facebook.

List of Facebook and Twitter accounts that amplified the first data leak published on Lechuguinos. (Source: @DFRLab via Crowdtangle)

Conclusion

While the phishing attack briefly paused after VSF exposed it, it later resumed at a different URL.

The evidence of the phishing attack contradicts claims by pro-regime media outlets and social-media accounts that the data was sold to them by members of the opposition.

@DFRLab and the Adrienne Arsht Latin America Center will continue to monitor the digital information environment in Venezuela.


EDITOR’S NOTE: @DFRLab faced an ethical dilemma on whether to publish links to the leaked data as evidence of the attack in order to expose the actors likely behind it. In not republishing the links, @DFRLab is refusing to amplify data that can be easily accessed elsewhere on the internet out of respect for the privacy of the individuals affected.

José Luis Peñarredonda is a Digital Research Assistant on the @DFRLab.

Melissa Hall is an Editorial Intern at @DFRLab.

Follow along for more in-depth analysis from our #DigitalSherlocks.

DFRLab

@AtlanticCouncil’s Digital Forensic Research Lab.

@DFRLab

Written by

@DFRLab

@AtlanticCouncil's Digital Forensic Research Lab. Catalyzing a global network of digital forensic researchers, following conflicts in real time.

DFRLab

DFRLab

@AtlanticCouncil’s Digital Forensic Research Lab. Catalyzing a global network of digital forensic researchers, following conflicts in real time.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade