Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs, University of Toronto, Canada, that focuses on advanced research and development at the intersection of Information and Communication Technologies (ICTs), human rights, and global security, is reporting on a targeted spearphishing attack that appears to be the work of the Islamic State of Iraq and Syria (ISIS). The attack targeted Raqqah is being Slaughtered Silently (RSS), a Syrian group of citizen journalists that focuses its advocacy on documenting human rights abuses by ISIS elements occupying the city of Ar-Raqah.


The attack was a classic spearphishing cyberattack: an unsolicited e-mail containing a download link to a decoy file. The file contained custom malware that profiled the victim’s computer and sent the victim’s IP address and computer profile information to an e-mail account under the attacker’s control. The attackers used a Gmail account to send the message. The bait was classic military deception in which the attackers leveraged the victim’s preconceived notions. In this case, the attackers played on the efforts of RSS to inform the world of ISIS atrocities.


Citizen Lab speculates that the attack message mentions Canada to exploit the victim’s knowledge of the large Syrian community in Canada. Note the clever attempt to lure the victim into compromising his Facebook account so that his identity can be determined. There is nothing in this message to warn the victim that this is a cyberattack — it appears to come from supporters of RSS.

Citizen Lab notes:

ISIS or its supporters clearly have a strong interest in the (rudimentary) location tracking of the members of RSS that this malware provides. Internet connectivity in Raqqah is extremely limited, and some of it is under ISIS control. Knowing the IP address of a target could quickly narrow down targets to specific locations, and specific Internet services, or Internet cafes in Raqqah. Given that the identities and locations of RSS members are closely guarded, such information would hold significant intelligence value for ISIS. Armed with this kind of information, ISIS could physically harm people within Raqqah (and it is also possible that they have the ability to operate in some capacity in border areas of Turkey).

This is just one more example that the technology of targeted spearphishing attacks is psychology, not computer science.