Phishing attacks against journalists

The Oxford dictionary defines phishing as:

“the activity of tricking people by getting them to give their identity, bank account numbers, etc. over the Internet or by e-mail, and then using these to steal money from them”

Phishing is a form of cybercrime perpetrated with various motives and against different unsuspecting victims. Using this method, the attackers reach out to the victims through mediums such as emails, text messages and even phone calls, posing as legitimate entities such as businesses, organisations or individuals luring them into clicking links or downloading attachments carrying malware with the purpose of hacking the victims’ devices. Once the device is compromised, the attackers are able to get their hands on sensitive and key information of the victim which they use for different motives such as money, blackmail, spying on and even tracking down the victims.

Journalists are particularly at risk because of their critical work and since the adversaries range from governments, corporations to private persons, different means can be deployed to have the targeted journalists’ devices compromised for various goals, the extent of which could be endangering their lives.

As International Journalists Network notes to the particular vulnerability of journalists: “Unless they cover technology, most journalists probably could not explain exactly how a cyberattack happens.”

The information that can be stolen from journalists includes contact lists, text messages, photos, emails, and documents from their devices. There are many notorious phishing products the adversaries may have access to and many of them can easily enable them to even remotely turn on the microphone, camera, record and retrieve all this information without the victim even suspecting it.

There are several methods deployed to target journalists and as Google warned in 2020, the hackers are going to the length of posing as journalists to gain trust and hack other journalists. As you’ll see in our following bite-sized training videos, the typical modus operandi for these attackers is to a) instill a sense of urgency, b) making them take an action based on that sense of urgency – exploiting the extremely busy work life of a journalist.

What can journalists do against phishing?

There are many organisations specialising in the fields of digital as well as physical safety for journalists. Many list resources and tools which can be used to prevent phishing attacks. RSF Digital Helpdesk’s bite-sized training series introduces journalists to basic digital security self-help techniques with focus on phishing attacks in this one.

You can train yourself online against phishing attacks. You can follow RSF Digital Help Desk’s bite-sized course on phishing here:


1. Introduction

Taking advantage of busy schedule of journalists, hackers operate by inculcating a sense of urgency as well as the need to take an action. Oftentimes, the things the phishing material they would send will have tell-tale signs such as the content being too good to be true.

More on how the phishing attackers operate is discussed in a quick overview video below:

As you saw in the video, how the attackers are getting smarter by the day. The techniques, tricks and steps they use, even in their primitive forms, can spell trouble for the not so advance users. One notorious and very common way is to fake package delivery pages of prominent brands. The tracking nature of those pages and realistic looking visuals are enough to intrigue unsuspecting eyes even if they are not expecting a package to be delivered. Similarly, the decoy alerts forging real prompts by tech giants meant to alert people if their account has been compromised. These real-looking prompts also lead people into believing that their accounts may have been hacked and that they need to change their passwords. Thinking they are changing their passwords, they end up entering their existing passwords into a form they believe is the password change page of a famous tech service. Especially relevant for journalists are the so called interview requests. This works a lot of the times because it’s nothing out of the ordinary for a journalist to receive interview requests in their inbox.

The video also introduced you to some of the types of phishing attacks before preparing you for the tools and techniques of your own which you can use to defend yourself against these attacks. You can go back to the overview page for the actions you can take to prevent phishing attacks.

2. How serious is the threat

One common mistake many journalists make, and we also saw from the cases discussed in the first video, is that they underestimate how real the threat can be. If you’re also wondering the same thinking why bother, our next training video will offer some perspective.

Most of the times and owing to the busy schedules in their newsrooms, many journalists may not even realise how imminent the threat might be and may fail to take it seriously. But as you saw in the video and the cases above, there are dramatic consequences – including costing you money, a career and doxxed – of phishing attacks which is why they are to be taken very seriously.

The video also introduced a basic understanding of the website URLs, including what domain names are and how they work.

The domain name is a part of the website’s URL. It is separated by dots into levels and you read them from right to left: The top-level domain, the second level domain… and possibly more subdomains. The most important ones the top-level and the second-level domains.

It’s one of the favourite things for an attacker to exploit that and they do that by inserting negligible typos to register imposter URLs and domain names.

3. OAuth Phishing

The OAuth or Open Authentication is a way for tech giants to deploy a some-what universal login system. This functionality not only allows people to login on to the third-party apps and websites without having to sign up there, but is also used to access contents of your accounts from within a third-party app without having to share your login details with the app. One example of this is the Email Apps. In this kind of relatively advanced phishing, the OAuth mechanism of tech giants that work in the background is exploited. If successful, the attacker doesn’t even need your password to get into your account, stealing the access token will suffice.

As you saw in the video above, the stealthy nature of OAuth phishing could put unsuspecting eyes at a special danger. What makes it particularly dangerous is that you login to the real login page and not a decoy one. That despite the sophisticated functioning of the app in the backend, the hackers find a loophole and steal the access token – enough to get into your account.

Whereas OAuth as technology offers various advantages such as logging into a third party service using your existing account by a major service provider instead of separately having to register on every website. This of course solved the problem of third party apps having to store your username and passwords to grant you access.

The video also mentioned real-life consequences of falling to the OAuth phishing attacks.

4. HTML Phishing

With evolving technologies, hackers have also evolved and have found news ways of getting to their targets. One such method is HTML phishing. The most widely used form of html phishing is to hide real destination URL of clickable material on an HTML page or an email. The unsuspecting eye will click the link believing they are being sent to the website they intend to go to but in reality they will land on a phishing page without even knowing about it.

Part 1

Part 2

As you saw in the video, the go-to mode of attack in html phishing is by obscuring the real destination of the link you’re presented to click. While from appearance it might look like the link you want to go to, but when you click on it, it might lead you to compromising your accounts. It’s not difficult to even trick web browsers’ destination reveal features upon hovering using the mouse cursor.

The link-masking and HTML technologies enable much of the important functionalities but in the wrong hands with sneaky intentions, they are enough to rob you of your resourceful online accounts.

5. Email Phishing

The examples that we featured in the beginning of this series show much of the phishing taking place via emails. This might have left you wondering if anyone can send an email from anyone.

As you saw in the video, the most commonly, or the rookie way is to just create a new email address under the name of a person you might know well. It isn’t very difficult to register a new email address under any name on one of the free email address services like Gmail.

It’s a no-brainer for them to exploit the fact that most email clients by default display only the names of the sender and not the full email address.

And what if your adversary is not a rookie hacker after all but someone with a more sophisticated approach and tools to get you. We know that even an entire email address can be spoofed.

6. Spear Phishing

Spear phishing is a specialised form of phishing attack where extreme social engineering practices are deployed to trick the victim into giving up their information. The adversary in such attack goes to extra length to learn about the victim – including routines in real life, colleagues, friends and even relatives – trying to find vulnerability and then tricking the victim into believing the message they received is indeed from the person they deal with on a regular basis and can trust.

7. Browser in the Browser (BITB) Phishing

A relatively new form of phishing attack is called the Browser in the Browser (BITB) attack. A relatively simple yet very effective form of attack where a fake browser window can mimic a real browser window seamlessly tricking the targets into believing they are typing their login credentials into a new browser window. Theoretically, as simple as this method of attack is, the solution is theoretically equally simple. You can avoid this by dragging this apparent new pop-up window and if it doesn’t drag outside of the main browser tab, that is your cue that it is not a real pop-up window and you should close the main tab immediately.

More on this as well as a quick demo can be viewed here:

Recap of things you can do

We have compiled a summary of our recommendations discussed in the bite-sized training videos to equip you to fight everyday phishing attacks.

Research into the sender:

This research can include, for example, googling contents of the email or the sender’s true email address. It’s highly likely that other people have been the targets too if this is a known scam.

Use a second medium:

This cannot be emphasised enough. When you receive a suspicious email from a sender you know, your best bet more than any technical solution is to double check with the sender using a second medium, for example a phone call or SMS, and ask if they really sent it.

Check URL of the website:

If despite avoiding it you ended up on a page asking you for your login details, you should check the URL of the website. The giveaways are usually typos and misspellings in the URL to mislead the users.

Type it manually:

If you don’t know how you ended up on a login page, it’s always best to close it. And if you intend to login to that account, type the login URL into the address bar manually or google it.

Use URL de-shorteners:

Hiding real destination URLs through URL shorteners is another favourite technique used by the attackers. If you come across a shortened URL and you’re not sure where it leads to, you don’t have to click it. There are services called URL de-shorteners out there that would do it for you and give you the un-shortened and real destination link. Using the URL de-shortener services, you can find out the real destination without having to click it yourself.

Some general digital security tips can come in handy also in case of phishing attacks. Some of these tips are:

Keep software updated:

It’s crucial to keep the firmware and apps on your devices updated. Equally critical is not to use devices that no longer receive firmware or security updates by the manufacturer. The reason for this is that it is relatively very easy for the attackers to find exploits in an old piece of software. And since it’s no longer supported, the manufacturer does not have to provide a fix such as a patch through an update, leaving the user at an increased risk.

Use 2 Factor Authentication:

This general digital security tip is very handy to prevent phishing attacks as well. You should enable 2 factor authentication (2FA) for your main accounts, ideally via authenticator apps. If in an odd chance the attacker manage to get hold of your password, they cannot immediately get in because of the 2 factor authentication. Though not fool-proof, 2FA is another layer of protection which can go a long way in protecting you against phishing attacks. You can view our digital security training video on the topic of 2FA.

Password management:

It is also a good idea to invest time in learning what makes a good and strong password and how you can stay on top of securing your passwords using tools like password managers. Watch our digital security training video on the topic of Account Security here.

There are a number of other resources you can follow.

The Totem Project:

There are also multiple external projects where easy trainings material is available which once can use to self-learn how to arm themselves at their own pace. One such project where you can take these trainings for free is the Totem Project. Check their training on phishing attacks website here.

Take tests:

There are also phishing tests/quizzes available online which you can use to self-test yourself and see if you can detect the phishing attacks yourself. Google is one of the third party services which offer these tests for free. You can take the test here and see if you can self-detect phishing attacks.

Go beyond:

It is always a good idea to go the extra mile and train yourself better than what a bite-sized course can offer. Another one of the courses you can take is by Amnesty International’s MOOC which take about three weeks to finish. You can access this course here.

to top