[liberationtech] You Only Click Twice
Ronald Deibert
r.deibert at utoronto.ca
Wed Mar 13 05:55:34 PDT 2013
Dear LibTech
I am pleased to announce the Citizen Lab's latest publication, "You Only Click Twice: FinFisher's Global Proliferation," authored by Marquis-Boire, Bill Marczak, Claudio Guarnieri, and John Scott-Railton.
https://citizenlab.org/2013/03/you-only-click-twice-finfishers-global-proliferation-2/
Bloomberg:
http://www.businessweek.com/news/2013-03-13/gamma-finspy-surveillance-servers-in-25-countries
Huff Post:
http://www.huffingtonpost.com/2013/03/13/finspy-spyware-activists_n_2864579.html
Summary Below
You Only Click Twice: FinFisher’s Global Proliferation
March 13, 2013
Authors: Morgan Marquis-Boire, Bill Marczak, Claudio Guarnieri, and John Scott-Railton.
This post describes the results of a comprehensive global Internet scan for the command and control servers of FinFisher’s surveillance software. It also details the discovery of a campaign in Ethiopia that used FinFisher to target individuals linked to an opposition group. Additionally, it provides an examination of a FinSpy Mobile sample found in the wild, which appears to have been used in Vietnam.
Summary of Key Findings
We have found command and control servers for FinSpy backdoors, part of Gamma International’s FinFisher “remote monitoring solution,” in a total of 25 countries: Australia, Bahrain, Bangladesh, Brunei, Canada, Czech Republic, Estonia, Ethiopia, Germany, India, Indonesia, Japan, Latvia, Malaysia, Mexico, Mongolia, Netherlands, Qatar, Serbia, Singapore, Turkmenistan, United Arab Emirates, United Kingdom, United States, Vietnam.
A FinSpy campaign in Ethiopia uses pictures of Ginbot 7, an Ethiopian opposition group, as bait to infect users. This continues the theme of FinSpy deployments with strong indications of politically-motivated targeting.
There is strong evidence of a Vietnamese FinSpy Mobile Campaign. We found an Android FinSpy Mobile sample in the wild with a command & control server in Vietnam that also exfiltrates text messages to a local phone number.
These findings call into question claims by Gamma International that previously reported servers were not part of their product line, and that previously discovered copies of their software were either stolen or demo copies.
Ronald Deibert
Director, the Citizen Lab
and the Canada Centre for Global Security Studies
Munk School of Global Affairs
University of Toronto
(416) 946-8916
PGP: http://deibert.citizenlab.org/pubkey.txt
http://deibert.citizenlab.org/
twitter.com/citizenlab
r.deibert at utoronto.ca