The attacks used a relatively new technique of spear-phishing called “OAuth phishing,” said experts from Amnesty. Phishing OAuth is when attackers aim to steal the OAuth token of a user account instead of the password of the account. When a user grants the right to access their account to a third-party app, instead of the user’s password, the app receives an OAuth token. These tokens are used as authorization until the user cancels their access. Amnesty investigators said authorities created third-party Gmail apps through which they gained access to victim accounts in the recent spear-phishing campaign that targeted Egyptian activists. Victims would receive an email that looked like a legitimate security warning from Gmail… If you clicked the link, you would be redirected to a website where a third party app would request access to your Account.

Image: Amnesty International Once the victim has accessed the app to your Gmail account, the user would be redirected to the legit security settings page where you would be left to edit your password. Even if the victim changes its password, phishers will still have access to the account on the newly purchased OAuth token at this point.

Image: Amnesty International This spear-phishing campaign was not limited to Gmail alone, and the attackers also targeted users of Yahoo, Outlook and Hotmail according to an Amnesty International report. Moreover, Amnesty experts said that the lists of targeted victims targeted by this recent OAuth phishing campaign “was significantly overlapping” with another spear-phishing operation in 2017, also linked to the Egyptian authorities.

Image: Amnesty International The campaign for spear-phishing is no surprise. The Egyptian government has cracked down on advocates of civil liberty, NGOs, and journalists over the past two years. Recently, Egyptian authorities passed a repressive NGO law, launched criminal investigations into foreign-funded NGOs, banned travel for at least 30 human rights NGO staff and managers, and frozen their assets for seven NGOs and ten people.

The government of Egypt used third party Gmail applications for phish activists Cybers Guards - 81The government of Egypt used third party Gmail applications for phish activists Cybers Guards - 30The government of Egypt used third party Gmail applications for phish activists Cybers Guards - 80