Safeena Malik is not a real person. Despite having a Twitter feed created in December 2014, a fully fleshed-out LinkedIn with over five hundred connections, and a Facebook account where she reposts innocent viral videos, this supposed UK university graduate is an elaborate ploy in a large-scale hacking operation, according to a new report from Amnesty International.
Throughout 2016, those behind the Malik identity have tried, and in some cases succeeded, to break into the Gmail accounts of journalists, labor rights activists and human rights defenders, particularly those with a focus on Qatar. But the attention to detail, the persistence, and the long-game approach of these hackers stand head and shoulders above other phishing campaigns.
"In this case, the attackers have literally engaged with targets for months and attempted multiple times with different tactics and baits," Claudio Guarnieri, a technologist at Amnesty International, told Motherboard in an online chat.
"I am doing research about human trafficking. Can you help in this. I want to share my research with you. Can you guide me in this?" one of Malik's emails, sent to a target on August 29, 2016, reads. The message doesn't ask targets to download a file, but to take a look at a document stored on Google Drive. When the link is clicked, the victim is directed to a login screen that looks identical to Gmail's legitimate one, and which has even been pre-configured to display the specific target's profile photo.
It is not clear who was behind these attacks, however. Because the hackers focused on activists working on issues in Qatar, Amnesty believes the campaign may have been carried out by a state-sponsored actor. The hackers logged into some of the stolen accounts from an IP address related to Ooredoo, an internet service provider with headquarters in Doha, Qatar, the report adds. The Qatari government denied any involvement in the phony Google pages, according to a statement given to Amnesty.
Regardless, the URL of the phishing page includes words like "rqeuset," "hanguot," and "g-puls," terms that, glanced at quickly by a non-native speaker, may not raise any alarm bells and may even give the sense that the page is genuinely from Google.
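The misspelled URL words the article describes follow a recognisable pattern: each is a brand word with one or two letters swapped or moved. As an added example (not code from the article, Motherboard or Amnesty's report), the Python below tokenises a URL's host and path and flags any word that is a one- or two-edit near miss of a brand term, counting an adjacent letter swap as a single edit so "hanguot", "g-puls" and "rqeuset" all surface while a correctly spelled docs.google.com link does not. The brand-term list and the sample URLs are constructed for the example; the `.invalid` host is a reserved, non-routable name.

```python
import re
from urllib.parse import urlparse

# Brand words a Google-themed phishing page wants a hurried reader to
# half-recognise. Assumed list for this example; "request", "hangout" and
# "g-plus" mirror the misspelled words quoted in the article.
BRAND_TERMS = ("google", "gmail", "request", "hangout", "g-plus", "drive", "docs")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein edits plus an adjacent
    transposition counted as one edit, so 'hanguot' is 1 away from 'hangout'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def url_tokens(url: str, min_len: int = 4) -> set:
    """Split host, path and query into candidate words. Hyphenated chunks are
    kept whole ('g-puls') and also split ('g', 'puls') so both forms are tested;
    very short fragments are dropped to limit noise."""
    p = urlparse(url.lower())
    raw = re.split(r"[^a-z0-9-]+", " ".join((p.netloc, p.path, p.query)))
    toks = set()
    for t in raw:
        toks.add(t)
        toks.update(t.split("-"))
    return {t for t in toks if len(t) >= min_len}


def lookalike_tokens(url: str, terms=BRAND_TERMS, max_dist: int = 2) -> list:
    """Return (token, brand_term, distance) for every URL word that is a near
    miss of a brand term. Exact matches (distance 0) are not reported: a real
    docs.google.com link contains 'docs' and 'google' spelled correctly."""
    hits = []
    for tok in sorted(url_tokens(url)):
        for term in terms:
            dist = osa_distance(tok, term)
            if 0 < dist <= max_dist:
                hits.append((tok, term, dist))
    return hits


if __name__ == "__main__":
    # Constructed URLs: the first imitates the misspellings quoted in the article
    # on a reserved .invalid host; the second has the shape of a genuine Drive link.
    for u in ("https://secure-rqeuset.example.invalid/hanguot/g-puls/view",
              "https://docs.google.com/document/d/abc123/edit"):
        print(u, "->", lookalike_tokens(u) or "no lookalike tokens")
```

A check like this belongs in the mail or proxy layer that already sees outbound links, as a scoring signal rather than a block rule: a single near-miss word is weak evidence on its own, but several of them on a host that is not the brand's own domain is exactly the pattern Amnesty describes.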
After entering their email address and password, the victim is sent to a real Google Drive document. But the hackers now have the target's login details, and potentially access to their email account. In other instances, the phishing page might be for a Google Hangout, and will land on Malik's Google+ profile. But each piece of bait is specially tailored for its target, Guarnieri told Motherboard.
"They demonstrate a great attention to detail to reduce as much as possible the risk of raising suspicion," he said.
The Gmail attack has been successful. Motherboard spoke to one journalist who inadvertently handed over their password, although they were suspicious of the document links and Malik's messages. (The journalist asked not to be identified as they engage in undercover work.)
"I got a message on Christmas day, saying Happy Christmas!" the journalist said. In all, Amnesty believes Malik targeted nearly 30 people, judging by information left in an exposed server used in the attacks.
A major part of the Malik identity is the substantial social media presence. Her LinkedIn profile appears to have lifted a bio from someone else, and her photos are seemingly a stolen mishmash from other accounts across the web. On Facebook, Malik has joined several groups related to her targets, including communities that deal with migrant workers and forced labour, Amnesty's report reads. Sometimes Malik will use her mutual connections with targets as leverage—maybe a victim is more likely to chat if Malik is a friend of a friend.
Among other targets, Malik used Facebook to approach employees of the International Trade Union Confederation (ITUC), a high-profile group that promotes workers' rights. Sometimes Malik would just engage in a quick chat, and then come back later to push some bait.
A spokesperson for ITUC claimed no one from the organization gave up their password, but said Malik targeted at least five people in the organization, including those at the top of the group.
Amnesty identified most of the victims because one of the hackers' servers stored targets' profile photos with a predictable filename: each filename consisted of just two lowercase letters. By regularly churning through all 676 possible combinations, Amnesty discovered new photos, and then identified the targets. (Guarnieri said he couldn't put a precise number on how many people were actually compromised.)
Safeena Malik did not respond to Motherboard's request for comment.