
U.N., Unicef, Red Cross Under Ongoing Mobile Attack - danso
https://threatpost.com/un-unicef-red-cross-mobile-attack/149556/
======
IfOnlyYouKnew
If anybody has doubts how bad this could end for aid workers, here's an
article about their current situation in Syria[0].

Summary: they are somewhat certain to die when Assad's army takes over
northern Syria and manages to identify them as aid workers, even remotely
connected to anything we would consider "good". The agencies are trying to
burn all their local paperwork to protect their employees' identities.

[0]: https://www.theatlantic.com/international/archive/2019/10/america-policy-syria-deadly-end/600682/

~~~
jammygit
> Throughout eight years of civil war, Syrians who tied their fortunes to the
> changing whims of American policy have been systematically arrested, killed,
> and driven from the country.

> First it was protesters chanting for democracy—many took encouragement from
> Barack Obama’s statement in the summer of 2011 that the country’s dictator,
> Bashar al-Assad, should step down. But the U.S. government looked on as
> protesters were killed or disappeared into the regime’s teeming prisons.

It’s as though the US government is on a mission to prove they should not be
trusted. I hope most can get out of there somehow; this is very unfortunate.

~~~
jacquesm
> It’s as though the US government is on a mission to prove they should not be
> trusted.

I would consider that mission solidly accomplished at this point.

~~~
irrational
Seriously, does anyone in the US or outside the US, in government or outside
of government, anywhere in the world trust the US government? I seriously
doubt it.

~~~
IfOnlyYouKnew
Yes, of course people usually trust the US government. We do so every time we
get on a plane, keep money in USD, or run Windows, MacOS, etc.

That doesn't mean the US was flawless before Trump. It had its flaws, just
like any other government. But generally, they were trusted in scenarios like
above, but also, for example, by diplomats to at least try to keep their word
even across administrations, or by travellers not to be asked for bribes at
the border.

People have become rather cynical and won't believe me, but still it is worth
mentioning: before Trump, politicians, including the presidents, almost never
_lied_. On occasion, they would try but fail to make good on a promise. Or
they would err, or go to great lengths to avoid answering a question.

But actual _lying_, as in saying something wrong and repeating it even after
it was pointed out to be wrong? It barely ever happened.

~~~
jdietrich
> Yes, of course people usually trust the US government. We do so every time
> we get on a plane, keep money in USD, or run Windows, MacOS, etc.

Trust isn't binary, nor does it exist on a single dimension. I might use the
products and services of US companies, I might conditionally trust the
judgement of some US government bodies, but there's always a heavy set of
caveats.

I wouldn't trust a drug that had been approved by the FDA until it had also
been approved by the European Medicines Agency. I would trust a NIST standard
for metrology, but I certainly wouldn't trust a NIST standard for
cryptography. I wouldn't ever allow a European customer's data to be stored in
the US, or to transit US networks in plaintext. I trust US-made hardware and
software about as much as Chinese-made hardware and software, which is to say
I assume it's heavily backdoored. I haven't ever trusted the words of a US
administration, red or blue; I do broadly trust that Merkel or Macron will
mostly keep their word and mostly honour international law.

------
vikingcaffiene
> They noted that mobile web browsers also unintentionally help obfuscate
> phishing URLs by truncating them, making it harder for the victims to vet
> the legitimacy of the pages.

JFC... I never understood why that "improvement" was necessary in the first
place. Now it's causing real harm out in the world. Kind of infuriating.

~~~
appleiigs
It’s the same with email and email phishing. They should show the full email
address.

I think it’s MS Outlook that only shows the name in email chain when
forwarding. So once the first person tricked forwards the email, info is lost
and prevents future readers noticing the phishing email address.

~~~
joecool1029
> I think it’s MS Outlook that only shows the name in email chain when
> forwarding.

I complained to support about Outlook iOS doing this, not just for
forwarding... but all received emails display only the name. I receive AppleID
phishing attacks constantly to my old hotmail account, Microsoft helpfully
sends all of them to my inbox and Outlook shows them as from 'Apple' unless I
click the sender name and then it shows something like
totallynotlegit@paypalappleidscams.tk. Their link scanner is effective around
50% of the time. It's not good enough.

Microsoft does not consider this a bug or a threat in any way. I have been
active about this on social media and have had my screenshots and complaints
picked up by largish accounts like @swiftonsecurity.

At this point Microsoft is complicit with the phishers. Oh well, not the first
time an entire industry thrived off their lack of security.

~~~
toast0
They do this on desktop Outlook as well. It's really great when you work at a
company where two people have the same name, and you have to click seven
buttons to see who sent the mail. Or you get added to a forward chain and you
really can't tell.
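
An added example, not part of any comment in this thread: a check for the name-only sender display discussed above, comparing the display name a mail client shows with the domain that actually sent the message. The `BRAND_DOMAINS` allow-list and the sample headers are constructed assumptions; the first sample address is the one quoted in the thread.

```python
from email.header import decode_header, make_header
from email.utils import parseaddr

# Hypothetical allow-list (an assumption for this example): brand keyword ->
# domains that brand legitimately sends mail from.
BRAND_DOMAINS = {
    "apple": {"apple.com"},
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com"},
}


def split_from(header):
    """Return (decoded display name, address) from a raw From: header value."""
    name, addr = parseaddr(header)
    # Display names may be RFC 2047 encoded-words; decode before inspecting.
    name = str(make_header(decode_header(name)))
    return name, addr.lower()


def domain_allowed(domain, allowed):
    """True if domain is an allowed domain or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def audit_from(header):
    """Compare what a name-only mail client shows with the real sender domain."""
    name, addr = split_from(header)
    domain = addr.rpartition("@")[2]
    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in name.lower() and not domain_allowed(domain, allowed):
            findings.append(f"name claims '{brand}', sender domain is '{domain}'")
    return {"shown": name or addr, "address": addr, "findings": findings}


# Constructed sample headers; the first address is the one quoted in the thread.
SAMPLES = [
    "Apple <totallynotlegit@paypalappleidscams.tk>",
    "=?utf-8?q?Apple_Support?= <help@paypalappleidscams.tk>",
    "Apple <no_reply@email.apple.com>",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        result = audit_from(raw)
        verdict = "; ".join(result["findings"]) or "ok"
        print(f"{result['shown']!r:18} {result['address']:42} {verdict}")
```

A mail gateway or client plugin could run a check like this on inbound mail and prepend the real address to the subject or banner when findings are non-empty.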

------
rkagerer
_They noted that mobile web browsers also unintentionally help obfuscate
phishing URLs by truncating them, making it harder for the victims to vet the
legitimacy of the pages._

I hate when my phone / browser truncates or hides URLs.

------
jakobdabo
Why is this article so focused on TLS/SSL (8 mentions) certificates? They
present it as if having a certificate is something hard or unique.

~~~
ahje
You know how we've spent four years training users to expect https, by
deprecating http in the major browsers? That's resulted in many, many people
believing the padlock icon means the site is "safe". I expect that applies to
the person who wrote the article as well.

------
WarOnPrivacy
> There are two domains that are hosting the phishing content, live since
> March 2019. The associated IP network block and Autonomous System Number
> (ASN) are known to have hosted malware

At which point the article fails to include the one actionable piece of
information - the IP blocks and ASNs.

It's so like the tech press to write a comprehensive article that omits the
only info that could actually help.

~~~
dependenttypes
It feels like you are supposed to blindly believe them, and if you are left
with questions, well, you are just a nerd so they don't care.

------
dmix
The original source has more information and a wider list of targets (UC San
Diego, Heritage Foundation, United States Institute of Peace):
https://blog.lookout.com/lookout-phishing-ai-discovers-phishing-attack-targeting-humanitarian-organizations

------
JohnJamesRambo
What kind of dirtbag would choose those organizations to attack? That’s the
lowest of the low.

~~~
dmix
They've always been intelligence targets. Any organization closely tied to
regional conflicts, and therefore intelligence agencies and the military, is
going to be a target.

Red Cross and Unicef show up everywhere there's a serious conflict. Often the
very first western organizations there. The job of most intel agencies is to
keep their governments up to date on those conflicts. Especially one involved
in plenty of global conflicts like Russia.

I'm sure the US embeds agents with them all the time.

~~~
dmurray
Also good for outrage, the main ingredient of modern media. Once the enemy
fires on a Red Cross branded outpost, they must be the bad guys, no matter how
many of the doctors were actually intelligence operatives.

Using NGOs like this should be as unacceptable as using outright human
shields, but as always, it's different when the perfidious foreigners do it.

~~~
tveita
> Once the enemy fires on a Red Cross branded outpost, they must be the bad
> guys, no matter how many of the doctors were actually intelligence
> operatives.

I mean, yes? At what number of intelligence operatives would firing at Red
Cross workers be a good thing?

> Using NGOs like this should be as unacceptable as using outright human
> shields

Yes. But, like human shields, firing on them with disregard will indeed make
people think you're the bad guys.

------
dmix
> The unusual aspect of the campaign is that it identifies mobile devices;
> once detected, it then logs keystrokes in real-time as the user enters them
> into the phishing page.

You don't even have to hit submit, hopefully not autofilled.

~~~
joveian
Auto password fillers don't fill on the wrong site; they are actually a great
defense against this kind of thing if you get it right the first time and then
are very suspicious if it ever doesn't auto fill.

IMO, browsers should have site bookmarks to replace EV certificates, where you
can bookmark a site and give it a name and the name appears where the EV
company name used to.

