This report describes the latest iteration in a long-running espionage campaign against the Tibetan community. We describe how the attackers continuously adapt their campaigns to their targets, shifting tactics from document-based malware to conventional phishing
John Scott-Railton is a Senior Researcher at The Citizen Lab. His work focuses on technological threats civil society, including targeted malware operations, cyber militias, and online disinformation. His greatest hits include a collaboration with colleague Bill Marczak that uncovered the the systematic use of Pegasus spyware to target civil society in several countries, including Mexico and the UAE. Pegasus is developed by the Israeli cyber-warfare company NSO Group and sold exclusively to governments. That investigation also uncovered the first iPhone zero-day and remote jailbreak seen in the wild. Other investigations with Citizen Lab colleagues include the first report of ISIS-led malware operations, China's "Great Cannon," the Government of China's nation-scale DDoS attack, and the 'tainted leaks' disinformation campaigns strongly linked to the Russian Government. These investigations, and others, have served as the basis for criminal investigations and lawsuits. John has also investigated the manipulation of news aggregators such as Google News, and privacy and security issues with fitness trackers. Recently, John was a fellow at Google Ideas and Jigsaw at Alphabet. John has undergraduate degrees from the University of Chicago and a Masters from the University of Michigan. He is completing a PhD at UCLA. Previously he founded The Voices Projects, collaborative information feeds that bypassed internet shutdowns in Libya and Egypt. John's work has been covered by Time Magazine, BBC, CNN, The Washington Post, and the New York Times. He can be reached at jsr [at] citizenlab.ca
This report describes an extensive malware, phishing, and disinformation campaign active in several Latin American countries, including Ecuador, Argentina, Venezuela, and Brazil. The nature and geographic spread of the targets seems to point to a sponsor, or sponsors, with regional, political interests. The attackers, whom we have named Packrat, have shown a keen and systematic interest in the political opposition and the independent press in so-called ALBA countries (Bolivarian Alternative for the Americas), and their recently allied regimes.
A second audit of South Korea’s Smart Sheriff application reveals that there are numerous unresolved vulnerabilities that put minor children and parental users of the application at serious risk.
This post describes the results of Internet scanning we recently conducted to identify the users of FinFisher, a sophisticated and user-friendly spyware suite sold exclusively to governments. We devise a method for querying FinFisher’s “anonymizing proxies” to unmask the true location of the spyware’s master servers. Since the master servers are installed on the premises of FinFisher customers, tracing the servers allows us to identify which governments are likely using FinFisher. In some cases, we can trace the servers to specific entities inside a government by correlating our scan results with publicly available sources.
This report describes the results of two independent security audits of Smart Sheriff, one by researchers who collaborated at the 2015 Citizen Lab Summer Institute (held at the Munk School of Global Affairs, University of Toronto), and the other by the auditing firm Cure53. The combined audits identified twenty-six security vulnerabilities in recent versions of Smart Sheriff (versions 1.7.5 and under). These vulnerabilities could be leveraged by a malicious actor to take control of nearly all Smart Sheriff accounts and disrupt service operations.
این گزارش به کمپین رو به رشد حملات فیشینگ علیه کاربران در گستره ایران و حداقل یک حمله به یک فعال غربی میپردازد. این حملهها تلاش دارند تا امنیت مضاعفی که از طریق رمز عبور دو مرحلهای در گوگل فراهم شده است را دور بزنند و به شکل گستردهای مبتنی بر تماسهای تلفنی و تلاش برای ورود در زمان حقیقی از سوی مهاجم است. جالب اینجاست که این حملهها عموما با یک تماس تلفنی از کشور انگلستان شروع میشده و هکرها به یکی از دو زبان فارسی و یا انگلیسی ارتباط برقرار میکردهاند.
This report describes an elaborate phishing campaign using two-factor authentication against targets in Iran’s diaspora, and at least one Western activist.
This post analyzes targeted malware attacks against groups in the Tibetan diaspora and Hong Kong that leverage the CVE-2014-4114 vulnerability
UC Browser is the most popular mobile web browser in China and India, boasting over 500 million users. This report provides a detailed analysis of how UC Browser manages and transmits user data, particularly private data, during its operation. Our research was prompted by revelations in a document leaked by Edward Snowden on which the Canadian Broadcasting Corporation (CBC) was preparing a story.
UC浏览器是一种移动浏览器，它目前拥有超过5亿的注册用户，是中国和印度最受欢迎的手机浏览器。在《啰嗦的松鼠：UC浏览器的隐私与安全问题》这一报告中，公民实验室(Citizen Lab)发现中文和英文安卓版UC浏览器中存在多个隐私及安全漏洞， 并讨论了它们的重要性。