It seems like the government of Tunisia have been basically phishing their users with fake versions of login pages for Facebook, Gmail and Yahoo!. It only works for users that aren’t using the https:// AKA SSL version of the sites, but then again who knows how much coverage FireSheep got in the Tunisian media.
Malicious code injected into Tunisian versions of Facebook, Gmail, and Yahoo! stole login credentials of users critical of the North African nation’s authoritarian government, according to security experts and news reports.
Danny O’Brien, internet advocacy coordinator for the Committee to Protect Journalists, told The Register that the script was most likely planted using an internet censorship system that’s long been in place to control which pages Tunisian citizens can view. Under this theory, people inside Tunisian borders were led to pages that were perfect facsimiles of the targeted sites except that they included about 40 extra lines that siphoned users’ login credentials.
It seems to be a very wide-spread attack (which effects the whole country) when in fact the targets of the attack are only a select group (anti-government protesters and organizations).
The ‘unknown parties’ which have carried out this attack have used the stolen Facebook credentials to shut down groups, block page and group administrators and delete/block pages administered by Journalists and Anti-government networks such as TAKRIZ.
It’s a pretty interesting twist on things, we’ve heard of governments blocking sites like Facebook an we’ve heard of cyber-terrorism where governments target other countries….but this is the first case I’ve read about a government essentially hacking it’s own citizens!
He said similar phishing attempts targeting Tunisian protestors date back to June, and possibly much earlier.
Although The Tech Herald reported on the rogue scripts three weeks ago, the revelations escaped wide notice until now. On Monday, members of the anti-Tunisian TAKRIZ network warned supporters to stop relying on its Facebook page (at facebook.com/takrizo) after discovering on Friday that all administrative access to it had been suspended.
This is consistent with Danny O’Brien’s findings from earlier this month, which said that unknown parties have used the pilfered credentials “to delete Facebook groups, pages, and accounts, including Facebook pages administrated by Sofiene Chourabi, a reporter with Al-Tariq al-Jadid, and the account of local online video journalist Haythem El Mekki.”
Also on Monday, The Atlantic reported that members of Facebook’s security team first became aware of the mass credential slurp in the days immediately following Christmas, when they began receiving similar reports of mass deletions of Tunisian dissidents’ pages.
There was enough reports to alert Facebook themselves to the problem and they began investigating the issue around Christmas. It was them who realized something very bad was going on amidst one of the worst political upheavals in decades.
By January 5th Facebook found it pretty clear that an entire country’s worth of passwords were in the process of being stolen, they promptly forced all users from Tunisia to SSL connections to mitigate the problem.
Of course the ISP can still downgrade the connection request from SSL to a normal http:// connection, but so far Facebook states they haven’t seen that happen. Also, being the government Tunisia can issue valid, signed SSL certificates and make any site it wants https://.
Source: The Register