Phishing Attack Targets The Guardian's Whistleblowing Site (Sep 16, 2019)
The Guardian’s SecureDrop site, used for anonymous whistleblower submissions, was targeted with a phishing page in an attempt to harvest information on sources using the service to correspond with journalists. The phishing site was designed to capture an anonymous source’s “codename,” which can then be used to impersonate the source and steal information on the legitimate SecureDrop site. In addition to harvesting “codenames,” the phishing site advertised a malicious “hide my location” Android mobile app that, once downloaded, could monitor a victim's activity, calls, data, location, and texts. As of this writing, the phishing page has been taken down; however, those who have installed the malicious app may still have compromised devices.
Recommendation: The impersonation of legitimate services continues to be an effective phishing tactic to deliver malware and harvest credentials. All employees should be informed of the threat phishing poses, how to identify such attempts, and how to report them to the appropriate personnel when they are identified.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.