The Electronic Frontier Foundation (EFF) revealed on Wednesday that employees of Internet freedom NGOs “Free Press” and “Fight for the Future” have been targeted in sophisticated spear-phishing attacks.
The EFF is aware of nearly 70 attempts to steal the credentials of net neutrality activists between July 7 and August 8. The attacks, believed to be the work of a single entity, were designed to steal credentials associated with Google, Dropbox, LinkedIn and other online services.
At least one account was hijacked and abused to send out more phishing emails to other individuals within the victim organization. The EFF said the attacks did not involve any malware and it’s unclear what the attackers had hoped to accomplish once they obtained account credentials.
The attackers used various tricks to lure targeted individuals to their phishing pages. In some cases, they sent out fake LinkedIn notification messages that contained links to Gmail phishing sites. Other messages showed that the attackers had studied their targets – Fight For The Future Campaign Director Evan Greer was targeted via an email asking about her music, and another employee received malicious emails purporting to be from her husband.
The hackers also sent emails that appeared to notify a user of comments to their YouTube video, ones with clickbait headlines referencing net neutrality and tabloid topics, and fake subscriptions to adult websites.
The EFF has not attributed these attacks to a specific actor or country, but the organization did point out that the individuals behind the attacks appear to be working from an office, with Saturday and Sunday off, during working hours associated with the UTC+3 – UTC+5:30 timezones.
These timezones cover countries and regions such as Eastern Europe, Russia, part of the Middle East, and India. However, it’s worth noting that Saturday and Sunday are not weekend days in many Middle Eastern countries. The IP from which the one compromised account was accessed did not provide any clues as it was associated with a VPN service.
“The sophistication of the targeting, the accuracy of the credential phishing pages, the working hours, and the persistent nature of the attacks seem to indicate that the attackers are professionals and had a budget for this campaign,” the EFF’s Eva Galperin and Cooper Quintin said in a blog post.
However, the EFF does not believe the campaign has been carried out by a nation-state actor.
“Although this phishing campaign does not appear to have been carried out by a nation-state actor and does not involve malware, it serves as an important reminder that civil society is under attack. It is important for all activists, including those working on digital civil liberties issues in the United States, to be aware that they may be targeted by persistent actors who are well-informed about their targets’ personal and professional connections,” the EFF said.
Related: Amnesty Warns of Phishing Attacks on Qatar Activists
Related: Researchers Devise Hopeful Defense Against Credential Spear Phishing Attacks
Related: Could Killing of FCC Privacy Rules Lead to End of Net Neutrality?

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Zyxel Firewalls Hacked by Mirai Botnet
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
- Drop in Insider Breaches Drives Decline in Intrusions at OT Organizations
- Zero-Day Vulnerability Exploited to Hack Barracuda Email Security Gateway Appliances
- OAuth Vulnerabilities in Widely Used Expo Framework Allowed Account Takeovers
- New Honeywell OT Cybersecurity Solution Helps Identify Vulnerabilities, Threats
- Rheinmetall Says Military Business Not Impacted by Ransomware Attack
Latest News
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
