Hackers allegedly working for the embattled Venezuelan government tried to trick activists into giving away their passwords to popular services such as Gmail, Facebook, Twitter, and others, according to security researchers.
Last week, the Venezuelan opposition leader Juan Guaido called for citizens to volunteer with the goal of helping international humanitarian organizations deliver aid into the country. President Nicolas Maduro is refusing to accept aid and has erected blocks across a border bridge with Colombia with the military’s help.
The volunteer efforts were organized around the website voluntariosxvenezuela.com. A week later, on February 11 someone registered an almost identical domain, voluntariosvenezuela[.]com. And on Wednesday, users in Venezuela who were trying to visit the original and official VoluntariosxVenezuela website were redirected to the newer one, according to security firm Kaspersky Lab, as well as Venezuelan users on Twitter.
While studying the fake website, researchers found phishing sites hosted on the same IP address. And there’s evidence that the people behind the second, apparently fake and malicious, website were working for the government of Maduro, according to security firm CrowdStrike and independent researchers.
“It’s clearly the work of the Venezuelan government trying to identify the people working against them, so that they can put a stop to it,” Adam Meyers, the vice president of intelligence at CrowdStrike, a firm that’s analyzed the attacks, told Motherboard in a phone call.
The IP address of the fake site was hosting several domains designed to phish usernames and passwords for Gmail, Facebook, Instagram, Microsoft Live, Linkedin, and Apple’s iCloud, among other sites, according to public data collected by PassiveTotal and other internet monitoring services reviewed by Motherboard.
The phishing sites are all registered on the .ve domain, the Venezuelan country code top level domain, which is controlled by CONATEL, Venezuela’s government telecommunications authority, according to WHOIS records viewed by Motherboard.
Jose-Luis Rivas, a local hacktivist who’s has tracked the attacks, said that the fake website had a form to register personal data such as name, email, cellphone and location.
“That's what they are after. Identifying who's opposition and doing arbitrary detentions,” Rivas told me in an online chat.
Facebook, Apple, Microsoft, and Twitter did not respond to a request for comment. DigitalOcean, the firm that was hosting the server and IP address used in the attacks said that it terminated the user and their resources, after determining that “that this was a violation of our terms of service.”
Google said it’s going to warn users about the phishing domains.
A message sent to the email associated with the phishing domains did not get a response.
Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at firstname.lastname@example.org, or email email@example.com
Meyers said that they don’t have enough data to know how effective the phishing campaign was. But the hackers could have potentially hit hundreds of people, given that Guaido recently said that almost 100,000 people have signed up to help bring aid.
Rivas said that Venezuelan visitors of VoluntariosxVenezuela were redirected to the fake site by the state-controlled ISP CANTV, which was manipulating the Domain Name System, or DNS. Other technologists and internet users in Venezuela reported the same findings.
“It’s clearly a concerted effort to phish credentials of victims in Venezuela,” Meyers said.
Listen to CYBER, Motherboard’s new weekly podcast about hacking and cybersecurity.