This report describes “Phish For The Future,” an advanced persistent spearphishing campaign targeting digital civil liberties activists at Free Press and Fight For the Future. Between July 7th and August 8th of 2017 we observed almost 70 spearphishing attempts against employees of internet freedom NGOs Fight for the Future and Free Press, all coming from the same attackers.

The sophistication of the targeting, the accuracy of the credential phishing pages, the working hours, and the persistent nature of the attacks seem to indicate that the attackers are professionals and had a budget for this campaign.

This campaign appears to have been aimed at stealing credentials for various business services including Google, Dropbox, and LinkedIn. At least one account was compromised and was used to send out additional spearphishing emails to others in the organization. Because the compromised account had been neglected for years and contained no recent activity, we suspect the attackers were trying to leverage trust in order to compromise a more recent or high-value account. We were unable to determine what the secondary goal of the campaign was after the credentials were stolen.

The attackers were remarkably persistent, switching up their attacks after each failed attempt and becoming increasingly creative with their targeting over time.

Read the full article by Eva Galperin and Cooper Quintin  at Electronic Frontier Foundation