Researchers say web domains masquerading as activist, health and media groups are used by governments to hack targets

An Israeli company that sells spyware to governments is linked to fake Black Lives Matter and Amnesty International websites that are used to hack targets, according to a new report.

Researchers from the Citizen Lab at the University of Toronto, who worked with Microsoft, issued a report on Thursday about the potential targets of Candiru, a Tel Aviv-based firm marketing “untraceable” spyware that can infect and monitor computers and phones.

One way the company’s spyware allegedly infects targets is through web domains, and the researchers found that the firm’s software was associated with URLs masquerading as NGOs, women’s rights advocates, activist groups, health organizations and news media. Citizen Lab’s research uncovered websites tied to Candiru with domain names such as “Amnesty Reports”, “Refugee International”, “Woman Studies”, “Euro News” and “CNN 24-7”.

[...]

Microsoft’s threat intelligence center, which tracks security threats and cyberweapons, conducted its own analysis and said it found at least 100 targets of malware linked to Candiru, including politicians, human rights activists, journalists, academics, embassy workers and political dissidents. Microsoft found targets in the UK, Palestine, Israel, Iran, Lebanon, Yemen, Spain, Turkey, Armenia and Singapore, the report said.

Microsoft said in a blogpost on Thursday that it had disabled the “cyberweapons” of Candiru and built protections against the malware, including issuing a Windows software update.

There are no legitimate reasons for intelligence firms or their government customers to create websites that impersonate high-profile activist groups and not-for-profit organizations, said Bill Marczak, a co-author of the report, in an interview.

Activists who are targeted may click on links that appear to be from trusted sources and then be taken to a site with innocuous content or redirected elsewhere, he explained. “But this website, which was specially registered for the purpose of exploiting their computer, would run code in the background that would silently hijack control of their computer,” he said.

[...]

The team also identified more than 750 domain names that appeared to be linked to Candiru and its customers. In addition to the sites masquerading as not-for-profits, the researchers found URLs that appeared to impersonate a left-leaning Indonesian publication; a site that publishes Israeli court indictments of Palestinian prisoners; a website critical of Saudi Arabia’s crown prince, Mohammed bin Salman; and a site that appeared to be associated with the World Health Organization.