Safeena Malik, a convincing fake persona who has attempted to steal Google accounts of activists and journalists working on Qatar’s migrant worker rights issues. Altered image from her Facebook and Google profiles.
For someone who looks like a millennial hipster in her Facebook profile picture, a nylon-string acoustic in hand and all smiles in a park, Safeena Malik claims to have some sensitive secrets. Last month, in a message to the International Trade Union Confederation, a Brussels-based labor union federation that boasts 168 million members, Malik offered research on the funding of terrorist group ISIS. Last year, she promised material on Qatar worker rights to an investigative journalist, in light of reports condemning the treatment of migrants helping build stadiums for the FIFA 2020 World Cup. That same year, she solicited assistance for a presentation on human trafficking, sending a PDF to activists she believed could contribute.
In all cases, she asked the recipient to open up a Google Docs link. But anyone who clicked through was in danger of having their digital lives exposed: each was a phishing attempt. The link led the target to a convincing but fake Google login page. As soon as credentials were entered, the target was taken to a Google-hosted document that appeared authentic. Meanwhile, in the background, the victim’s Google username and password were sent back to Malik’s puppeteers.
A convincing Google phish from the Safeena Malik snoops.
When some targets’ suspicions were aroused, they alerted human rights organization Amnesty International, whose cybersecurity experts started to investigate. It became apparent by late 2016 that Safeena Malik was an elaborate fake. Her purpose? To spy on activists, journalists and trade unions working on human rights issues across Qatar, Amnesty claims. While one technical link indicated the hackers were based in Qatar, the NGO was unsure just who was behind the fraud. The state vehemently denied any involvement.
What’s clear, though, is that Malik marks another worrying evolution in the murky history of web-based fakery. As FORBES revealed in December, an alleged surveillance operation targeting the same Qatar human rights community as this latest broadside used a front NGO called Voiceless Victims to silently obtain location and IP address information from targets. In these fresh attacks, which Amnesty has dubbed Operation Kingphish, the hackers have created a convincing persona who tried, and in some cases succeeded, in breaking into the Google accounts of activists and journalists, potentially grabbing reams of their sensitive contact and personal information along the way.
“What sets apart this particular campaign is the attention to details in making sure the attack is as credible as possible. The persistent engagement over social media and effort spent in luring people into a phishing attempt are also remarkable,”said Claudio Guarnieri, a cybersecurity researcher at Amnesty. “All these aspects combined made the attacks really hard to distinguish from regular behavior, and only a trained eye would be able to spot the subtle differences to the genuine Google services.”
The creation of a dangerous persona
In the course of the last two years, the Malik persona has attempted to steal Google logins from as many as 38 different targets. Amnesty and FORBES are keeping the names of those targeted anonymous due to concerns about the impact of revealing identities. The ITUC agreed to be named as a target, noting that it doesn’t believe its workers’ Google accounts were successfully breached.
Over that time, to give her some some credibility with her prey, Malik developed an elaborate online presence. Since first emerging online in 2014, Malik built up a LinkedIn profile with more than 500 connections and hundreds of endorsements. Guarnieri believes Malik bought friends and contacts, as her Google Plus account linked to various services for boosting online profiles, including search engine optimization and paid-for comments, amongst hundreds of adverts for a cornucopia of products like a WhatsApp hacking tool, an app to spy on loved ones and massage therapy.
Her profile pictures show a young, cosmopolitan woman; Amnesty believes they were stolen from a real person, but Google image searches returned no matches. To whom the pictures belong remains unclear.
She was active across Facebook and Google Hangouts, communicating regularly with several of the victims Amnesty identified, often for many months. The messages would land at the same time as a separate phishing attempt, according to the Amnesty report, indicating the attackers were attempting a two-pronged approach.
“That persona tried to establish contact with one of our staff members in the middle of 2016, sporadic attempts to establish a relationship. It looked to us like a pretty classic phishing attempt,” said an ITUC spokesperson, who requested anonymity. “It’s consistent with a pattern of what we’ve seen with trolling and phishing and hacking that’s been going on.” As reported in December, ITUC told FORBES it was targeted by Voiceless Victims, which Amnesty claimed in December to have carried out an extensive surveillance campaign on human rights activists working on Qatari worker rights issues. The ITUC has been outspoken on Qatar’s treatment of migrant workers and called for the World Cup to be moved elsewhere as a result of the alleged violations.
There were slip ups along the way to developing the character, however. A glaring red flag could be found on her LinkedIn, which appeared to have been almost entirely copied and pasted from a real user’s account. Malik’s descriptions of her work experience even amateurishly left a reference to that legitimate LinkedIn user. The real owner of the account said they’d reported the issue via LinkedIn’s internal function, once in 2015, then again in 2016 and again after Forbes’ disclosure. Her employer, marketing company Dentsu Aegis Network, also confirmed no Safeena Malik had ever worked at the company. LinkedIn confirmed her account was fake and had deleted it.
Attempts to contact Malik – across LinkedIn, Facebook and her Google account – were fruitless. Facebook said it couldn’t comment on specific accounts. Google hadn’t responded to a request for comment.
Qatar: Not us!
Amnesty found a link back to Qatar, thanks to one particularly revealing IP address. Amongst the IP addresses used to login to compromised Google accounts was one that ran over an internet connection provided by Ooredoo, an Internet Service Provider with headquarters in Doha, Qatar.
But Amnesty was clear it couldn’t guarantee attribution: “We don’t have conclusive evidence that could implicate any particular governments or individuals as being responsible for these attacks,” it wrote in its report. “But the fact that the campaign specifically targets individuals active on human rights issues in Qatar, makes us believe that it might be a state-sponsored or affiliated actor.”
The ITUC spokesperson said that the timing of the attacks, just as with Voiceless Victims, was suspicious: they were launched around quarterly meetings of the U.N. International Labour Organization. The ILO has been investigating possible breaches of international law by Qatar and has promised to launch a formal probe if Qatar didn’t continue to improve conditions for migrant workers.
But Qatar, in response to a letter from Amnesty, strongly denied the accusations. It also denied any involvement in any fake NGO, as reported on FORBES last month, when an organization called Voiceless Victims was said to have carried out an extensive surveillance campaign on real human rights activists working on Qatari worker rights issues.
“The government of Qatar does not sponsor fake NGOs or phony Google hangouts,” the Qatar official wrote. “We consider such practises to be unethical and would regard them as a clear violation of our government’s principles and values.” They went on to say that the fakes were “damaging Qatar’s reputation,” adding that the country was interested in who was behind the facades and how they could be stopped.
As with Voiceless Victims, unmasking the real perpetrator has thus far proven impossible. That dedicated fake profiles are increasingly being used to spy on activists and journalists is, however, undeniable.
Got a tip? Email at TFox-Brewster@forbes.com or firstname.lastname@example.org for PGP mail. Get me on Signal on +447837496820 or email@example.com on Jabber for encrypted chat.