Social engineering: how sneaky malware companies get you to bug your own phone for them

^{_{Please note that by playing this clip YouTube and Google will place a long term cookie on your computer.}}

Computer security researchers report that the secretive surveillance company Gamma Group’s FinSpy malware system is operational in at least 25 countries. We have known about the company's surveillance products since Wikileaks in 2011 published a trove of promotional materials from the Gamma Group, which describe how the company’s tools attack and then feast upon target smartphones and computers. But the new research sheds light into how widespread is their use across the globe.

Bloomberg news reports on the new findings:

The findings, published today by the University of Toronto Munk School of Global Affairs’ Citizen Lab, expand the previously known reach of the product, which has been criticized by human rights advocates as a tool for targeting political dissidents. The increased number reflects the additional months of work by the researchers, and doesn’t necessarily indicate new sales of FinSpy.

FinSpy can be sent to people in spoof e-mails to secretly monitor their computers — intercepting Skype calls, turning on Web cameras and recording every keystroke. Marketed by Gamma for law enforcement and intelligence use, FinSpy sends its pilfered data back to command servers controlled by government agencies.

The hunt for FinSpy’s global deployment was sparked in July 2012 when Citizen Lab research based on e-mails obtained by Bloomberg News showed activists from the Persian Gulf kingdom of Bahrain were targeted by the software.

The spy software, also known as FinFisher, enables government agents to secretly monitor and control phones and computers from afar. In order to install the malware onto a person’s device they must get the target to click on a link or download a file from the device the spies want to attack. One of the ways the companies do this is called “social engineering.”

Claudio Guarnieri, one of the security researchers involved in the project to learn more about what these products do and where they are used, described what Bloomberg news told he and his Citizen Lab colleagues about the targeting of Bahraini activists.

Several Bahrain activists located both in US and Bahrain started receiving emails with suspicious attachments:

They promptly understood there was something shady with them and forwarded them to journalists from Bloomberg who provided the attachments to some researchers, ending up in a thorough analysis of the files.

The emails were sent by the following addresses:

melissa.aljazeera [at] gmail.com

freedombhrtoday [at] gmail.com

mkhalil1975 [at] gmail.com

With the following subjects:

Existence of a new dialogue – Al-Wefaq & Government authority

Torture reports on Nabeel Rajab

King Hamad planning

Breaking News from Bahrain – 5 Suspects Arrested

Each of these emails contained an archive, following are the ones identified so far:

_gpj.Arrested Suspects.rar

King hamad on official visit to .rar

Meeting Agenda.rar

Rajab.rar

The activists targeted by these social engineering campaigns were smart, and they alerted journalists to the issue. Then the geeks got involved and began investigating. Thanks to alll of these people, we know a little more about how these technologies can get inside our electronics.

Gamma Group, the manufacturer of the malware that the researchers found secretly embedded in those files, says that someone else must have duplicated the program and sold it to Bahrain, because the company doesn’t do business with the human-rights abusing US ally. That may be true, but we don’t know.

We do know that the only assurance Gamma Group and companies like it give to the public about how they sell their tools is that they ensure the products are only used for “lawful interception.”

But look around you. Most countries — including the US — have terrible spying laws on the books, allowing all kinds of surveillance practices that may be ‘lawful’ insofar as statutes are concerned, but nevertheless violate core principles of justice and human rights. In the United States, many of them violate the Constitution, too.

So what’s the takeaway from this new report? First it’s that we need more information, and as always, to reform the law so that ‘lawful interception’ could mean something reasonable. That’s a long struggle, however, and people are being targeted right now.

In the near-term, activists should be careful online, and never open attachments in emails or click on links that you aren’t totally sure about. Pay attention to attempts to “socially engineer” you into doing something that could ultimately hurt you. As the case above illustrates, the devil’s in the details.