Fake or Real? Fake Domain Attacks on Civil Society Web Sites

By Katrin Verclas | October 03, 2013


We work with civil society organizations around the world that face increasingly sophisticated cyber attacks from relentless, well-resourced, and technically extremely savvy adversaries that attempt to curtail, surveil, and otherwise hinder their work. We are routinely called to assist our partners in preventing and mitigating denial-of-service attacks against, and hacking of, websites and online services, especially during political events such as elections. Our partners are under threat in myriad ways, ranging from account compromises and social media takedowns to regime trolls, spammers, and malware.

ACCESS Now, a US-based advocacy organization focused on internet governance and digital security, has just compiled the first in a series of reports focused on these threats to civil society organizations. The first assessment focuses on fake domains, in which an adversary creates a website or social media profile that looks similar to that of a civil society organization. These fake domains are used to dilute or confuse the organization's message and subvert its effectiveness by drawing readers away from the original site, or to serve malware that specifically targets the audience of the original website.

ACCESS notes that "in the past, fake domain attacks were used mainly by spammers and online criminals to trick individuals into sharing their private information (often banking credentials) through a fake look-alike or website. That website would often be promulgated through a “phishing” email purported to come from the original website." But as regimes and adversaries against human rights and democracy organizations have increased, Access notes that
 
"the attacks analyzed ... represent an evolution of these attacks, targeting the online presences and user trust of civil society organizations and media organizations for socio-political rather than economic goals. In addition, the perpetrators of these attacks are predominantly state-aligned actors, and in some cases leveraged the privileged position of state-owned Internet Service Providers to propagate the attacks."
 
The report notes that fake domain attacks often occur prior to elections and other important political events, including during critical social and political periods. For instance, in Iran and Belarus, the report notes, fake domains were used to "minimize the spread of information and disrupt potential civil unrest during political elections and anniversaries." In countries such as Belarus and Kazakhstan, the involvement of state actors is clear. There, as the report notes, the "privileged position internet service providers (ISPs) have in a user’s interaction with websites [redirected] them away from targeted websites to the fake websites. In addition, many fake domains took advantage of procuring similarly-named URLs as the targeted website in order to provide a sense of trust to the unwary user."
 
 
Additionally, and more importantly in the end, the report provides a number of mitigation mechanisms – technical, policy, and legal – against fake domains for both users and targeted websites, which we at NDItech use and by and large endorse to assist our partners. This is a must-read report for civil society orgs and their technical staff and assistance providers, and an important addition to our growing knowledge of the multifaceted and growing threats against civil society.
 
