Kenyan Arrested in Qatar First Targeted by Phishing Attack

A Kenyan security guard now facing charges in Qatar after writing compelling, anonymous accounts of being a low-paid worker there found himself targeted by a phishing attack that could have revealed his location just before his arrest, analysts say.

While analysts from Amnesty International and Citizen Lab said they were unable to say who targeted Malcolm Bidali, the phishing attack mirrored others previously carried out by Gulf Arab sheikhdoms targeting dissidents and political opposition. To be useful, it would also require access to confidential information stored by telecommunication companies that is typically released only to government or security force officials.

Ooredoo and Vodafone Qatar, the two major internet providers in Qatar, did not respond to requests for comment. Qatar also did not respond to questions about the phishing attack targeting Bidali.

The weekslong detention of Bidali, 28, in an undisclosed location comes ahead of Qatar hosting the 2022 FIFA World Cup and has again raised questions about freedom of expression in this small, energy-rich nation before the tournament.

“There is no evidence that he is being detained for anything other than his legitimate human rights work — for exercising his freedom of expression, and for shining a spotlight on Qatar’s treatment of migrant workers,” multiple human rights organizations campaigning for Bidali’s release recently wrote.

Bidali worked 12-hour days as a security guard. In his spare time, he wrote anonymously under the pen name “Noah” about his experiences as a guard, including trying to improve his worker accommodations and the challenges of life.

The reason for Bidali’s detention by security forces beginning late May 4 remains unclear. About a week earlier on April 26, he spoke and briefly appeared in a videoconference with civil society and trade union groups describing his experiences.

Just hours after that videoconference ended, a Twitter user sent Bidali a link that he later clicked on and that initially appeared to be a video from Human Rights Watch. Instead, it sent him to a decoy, look-alike YouTube page that “might have allowed the attackers to obtain his IP address, which could have been used to identify and locate him,” Amnesty said. An IP address is a numeric designation that identifies a device's location on the internet.

“In like 10 minutes, almost any techie can set a website to capture the IP address of someone who clicks,” said Bill Marczak, a senior researcher at Citizen Lab who also came to the same conclusion as Amnesty. “The hard part is converting the IP address into a real name and address.”

That usually requires access to private information kept by internet service providers that typically only they or governments can access.

Twitter later suspended the account that targeted Bidali with the phishing attack. The San Francisco-based social media company did not respond to questions about the suspension.

Late on Saturday night, Qatar said in a statement that Bidali had been “formally charged with offenses related to payments received by a foreign agent for the creation and distribution of disinformation within the state of Qatar.” The statement did not elaborate or offer evidence to support the allegation.

If convicted under Article 120 of Qatar’s penal code, which uses language similar to that of the Qatari statement, Bidali could face up to 10 years in prison and a 15,000 Qatari riyal ($4,000) fine. Early last year, Qatar also amended its penal code to allow for prison sentences of up to five years and a fine of 100,000 Qatari riyals ($27,500) for anyone publishing “rumors or statements or false or malicious news or sensational propaganda,” according to Human Rights Watch.

Qatar is home to the state-funded Al Jazeera satellite news network. However, expression in the country remains tightly controlled.
