Egypt government used Gmail third-party apps to phish activists

Cairo government targeted local human rights defenders, media, and civil society organizations' staff.

Members of Amnesty International say that Egyptian authorities are behind a recent wave of spear-phishing attacks that have targeted prominent local human rights defenders, media, and civil society organizations' staff.

The attacks used a relatively new spear-phishing technique called "OAuth phishing," Amnesty experts said.

OAuth phishing is when attackers aim to steal a user account's OAuth token instead of the account password.

When a user grants a third-party app the right to access their account, the app receives an OAuth token instead of the user's password. These tokens work as authorization until the user revokes their access.

Amnesty investigators said that in the recent spear-phishing campaign that targeted Egyptian activists, authorities created Gmail third-party apps through which they gained access to victim's accounts.

Victims would receive an email that looked like a legitimate Gmail security alert...

phishing-page-1.jpg

Image: Amnesty International

, but when they clicked the link, they'd be redirected to a page where a third-party app would request access to their account.

phishing-page-2.jpg

Image: Amnesty International
phishing-page-3.jpg

Image: Amnesty International

Once the victim granted the app access to their Gmail account, the user would be redirected to the account's legitimate security settings page where they'd be left to change their password.

Even if the victim changes their password, at this point, the phishers would still have access to the account via the newly acquired OAuth token.

This spear-phishing campaign wasn't limited to Gmail alone, and according to an Amnesty International report, the attackers also targeted Yahoo, Outlook and Hotmail users.

Furthermore, the list of targeted victims targeted by this recent OAuth phishing campaign "had significant overlaps" with another spear-phishing operation that took place in 2017, also linked to the Egyptian authorities, Amnesty experts said.

The spear-phishing campaign is no surprise. In the past two years, the Egyptian government has cracked down on civil liberty advocates, NGOs, and journalists.

Egyptian authorities recently passed a repressive NGO law, started criminal investigations into foreign-funded NGOs, at least 30 human rights NGO staff and directors have been banned from travel, and seven NGOs and 10 individuals have had their assets frozen.

Related cyber-security coverage: