From Bahrain To Belarus: Attack Of The Fake Activists

Bahrain - Shutterstock - © Gwoeii

EXCLUSIVE: Activists in Bahrain are being targeted by IP trackers via Twitter, whilst fake domains are causing problems for civil society groups across the globe

Politically speaking, little has changed in Bahrain, especially when compared to its Middle Eastern neighbours where the Arab Spring brought governments to their knees. Whilst opponents of the Bahrain regime are still very much active, their efforts have brought limited disruption to the rule of the al-Khalifa family.

But for activists in the country, certain things have changed in the last year. For one, they are now being targeted by cruder, but possibly more effective attacks over the Internet. Having been hit by plenty of malware in the past, many are now being targeted by IP trackers, says Bill Marczak, a security expert doing research for Bahrain Watch and Citizen Lab whilst working on his PhD studies at UC Berkeley.

He is currently working on an investigation into IP tracking, and a full report will be delivered later this year. According to Marczak, sites like are being used, letting the attacker add IP tracking capability to a link. When that seemingly legitimate URL is clicked by the target, their IP address is sent to whoever created that link. Meanwhile, the victim has no idea what has just happened.

It appears the attackers are masquerading as contacts of Bahraini activists, sending them links to get hold of their IP address, Marczak claimed. He has heard that government officials then visit the relevant ISP, hand over the address and the time of the click, and demand the identity of the IP owner.

Twitter the tool to target activistsBahrain flag - © ruskpp , ShutterStock

Twitter is proving a useful attack platform for a number of reasons. First, it’s easy to create a fake account and send links to people. Second, as has been highlighted by recent events, account hijacking is not too tricky to carry out. Third, it’s easy to impersonate people on Twitter.

One handy quirk for those looking to play copycat is that Twitter’s lower case L’s and capital I’s are rendered exactly the same. So to pretend to be anyone with either of those characters is simple and effective. “We have seen cases where accounts look almost exactly like the legitimate people,” Marczak claims.

Sometimes, the accounts of arrested Bahrainis are being used, Marczak says. “I’m not sure how they get their passwords – maybe they confiscate their devices and then get them from there,” he adds.

“People who have clicked on these links have suffered various types of consequences ranging from having their houses raided and being charged for saying insulting things about the king on Twitter, or losing their jobs.

“It looks like, from our investigation so far, in one case, the government did lock up the wrong person. His only crime was running the Internet connection on which the link was clicked.

“Once things like Facebook and Twitter get a significant following from activists, the government will use it to attack them.”

He did not want to reveal the names of those involved, to protect their identity.

The Bahrain government has taken a hard-line on anti-government protesters, who are planning a major demonstration on 14 August. The movement against the monarchy has at times been brutally repressed, most notably Bloody Thursday, when three protesters died following a raid on their encampments in Manama.

Politicians now want to ban any kind of protest in the capital, and to crackdown on “misuse” of social media”, whilst the government has said anyone taking part in the August gatherings will face the “force of the law”.

The government of Bahrain told TechWeek it was “committed to safeguarding the privacy of its people”.

“We value free speech and this is enshrined in our Constitution. There are established channels for addressing allegations of breach of privacy online or otherwise,” a spokesperson said.

“But the anonymous allegations as presented are too general and vague to permit any sort of investigation and response: there is no date, time, or any sort of identification as to who the perpetrator may be, and further what particular sites and ISP are being referred to in the allegation.”

This IP tracking threat shouldn’t affect those who are savvy about security, those using VPNs or the Tor Browser to hide their IP. But for anti-government activists, or anyone whom the regime dislikes, without adequate protection, IP tracking could cause much grief.

“This demonstrates a disturbing trend, one where repressive regimes are increasingly becoming more technologically sophisticated in how they target those who oppose them,” Eric King, head of research at Privacy International, tells TechWeek.

“Bahrain particularly has been at the forefront of this, using FinFisher and Trovicor [both intelligence gathering software that some have compared to malware], and now this method of IP tracking, to identify, arrest and mistreat those to challenge their authority.”

Faking it

For civil society groups, the problem of fake profiles is becoming increasingly difficult to cope with. Access, a human rights organisation that focuses on protecting digital freedoms, is releasing its first report in the ‘Global Civil Society at Risk’ series on Thursday this week. TechWeek got a peek at what’s inside ahead of the release.

The report looks at a wide range of attacks based on fake domains and social media profiles, and how governments are using them as a basis for cyber attacks or for propaganda purposes. Below shows how the BBC Persian news site was copied to serve up pro-government propaganda. On the left is the genuine site, on the right is the fake domain

Fake domains example 1

Access claims fake domains have successfully taken a significant amount of traffic away from the sites they’re impersonating. It also says many fake sites are serving up sophisticated exploits.

The report picks up on some geographic differences in how civil society groups and media bodies have been targeted in recent years. Attacks largely occurred in Iran, Belarus and Vietnam. In Iran, the main strategy was simply to copy a site and cover it in alternative content. Vietnam saw plenty of sites serving up exploits, and one non-government media organisation had at least nine Blogspot, four Facebook, one Twitter and one Google+ accounts cloned in the hope of spreading malware.

Belarus attacks saw malware and altered content used, as well as what Access calls “telco manipulation”. That’s where the ISP has been told to alter the Domain Name System (DNS) infrastructure, redirect users to a cloned site, so even when users type in the right URL they still get sent to the fake page. It happened repeatedly during the 2010 elections in Belarus, Access claims, when independent news websites were hit on election day itself, even pointing users to false protest locations in some cases.

Typical tricks are used to get people to visit the fake pages, like creating similar URL names or obfuscating URLs via link shortening services. Access has now created a tool to let webmasters check if their sites have been cloned by malicious actors. TechWeek tried it and found one entity had taken a number of similar domains, amounting to variations of, to redirect users to what look like basic scams (a fairly typical trick):

TechWeek Fake Domain Scam

Access is also working on a browser plugin to help protect users from fake domains, which should be complete before the year is up.

Telling the frauds from the fighters

The organisation has been moved to taking such action due to the seemingly inexorable rise of such attacks on activists. These threats, especially where ISPs have been co-opted into delivering malicious content, are also tricky to defend against, even more so when the victim has a limited security budget, Michael Carbone, manager of technology policy, tells TechWeek.

“I don’t think these attacks have been around for a long time – my hypothesis is they came about once state-aligned actors were unable to compromise the web presence of civil society organisations, and so they go to this additional step,” Carbone adds.

“The impersonation of civil society groups online in order to spread false information and malware exists in a grey area between phishing websites, spam, and satire/propaganda in terms of mitigation strategies.

“Its time-sensitive nature makes it incredibly difficult to deal with at a legal/policy level, and because so much of the attack exists on infrastructure out of the control of the target website it is difficult to deal with at a technical level.”

As activists have become increasingly aware of the spear phishing threat, where emails attempt to trick them into downloading attached malware, their enemies have pressed on with simpler measures that have a similar impact. Even the best-funded rights bodies would struggle against such concerted two-pronged attacks.

This article is part of TechWeek’s Cyber Repression Series – check out the first article on attacks stemming from China on spiritual activists and military bodies.

What do you know about Internet security? Find out with our quiz!