
Seized: Fake EFF .org linked to hackers hitting NATO, White House PCs

Digital rights group takes down Pawn Storm base

By Kieren McCarthy, 18 Nov 2015

The Electronic Frontier Foundation (EFF) has been awarded control of its namesake domain, which was being used to install malware on people's computers.

The EFF used the Uniform Domain-Name Dispute-Resolution Policy (UDRP), with the case heard by the UN agency WIPO, to take control of ElectronicFrontierFoundation.org – the EFF's real website is at eff.org.

The registrant of the bogus .org is named as Shawanda Kirlin of Bali, Indonesia. The EFF assumes that is a fake name.

In any case, Kirlin failed to respond to the official complaint that the website breached the digital rights group's trademark, nor did she respond to accusations that her .org was spreading malware through a Java vulnerability. The domain will therefore default to the EFF.

The dodgy .org is still live as we write since it takes a little over a week for the transfer to be enacted. The site still hosts malware, although it has been flagged by Google Chrome and other browsers as dangerous – so you are likely to be given a warning not to proceed if you are foolhardy enough to browse by.

The domain was registered in August, and the EFF was alerted to the software nasty hosted on it soon after. Interestingly, the website and malware appear to be part of the allegedly Russian government-backed Pawn Storm campaign.

As we have previously covered, the hacking project has exploited software security holes to infect devices and systems including Apple iOS 7 iThings, and equipment at French TV channel TV5.

In October, the Pawn Storm gang leveraged a Flash vulnerability to target the team investigating the doomed Malaysia Airlines flight MH17. The hackers had previously had NATO, the US White House, and American defense contractors in their sights.

In the EFF's case, the bogus .org domain was used in a spear-phishing attack: people received emails with a link that redirected to a URL in the form "electronicfrontierfoundation.org/url/{6 random digits}/Go.class", according to the EFF's own investigation.

That URL pointed to an applet that exploited a Java vulnerability to download and run a program on the local machine. On Windows, the payload (Sednit) downloads a DLL file which connects to a command-and-control server to commandeer the PC. The program tries to identify whose machine it has infected, and also runs a keylogger.
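The URL pattern above is the one concrete indicator the EFF's investigation gives defenders, so here is how a blue team might sweep proxy logs for it. This is an added example written for this page, not EFF or Register code, and it makes assumptions the article does not: the log format (timestamp, client IP, URL, status, space-separated) and the sample lines are constructed, and the decision to flag any request to the lookalike domain, not just the full Go.class path, is a design choice of the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Indicator from the EFF's investigation: the phishing link redirected to
# electronicfrontierfoundation.org/url/{6 random digits}/Go.class
LOOKALIKE_HOST = "electronicfrontierfoundation.org"
LEGIT_HOST = "eff.org"                      # the real site; never flagged
APPLET_PATH = re.compile(r"^/url/(\d{6})/Go\.class$")


@dataclass
class Hit:
    line_no: int
    client: str
    url: str
    token: Optional[str]   # the six-digit path component, if the applet path matched
    reason: str


def classify_url(url: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (reason, token) if the URL matches the indicator, else None.

    urlsplit().hostname lower-cases the host, so mixed-case lookalikes match.
    A Go.class fetch from some other host is deliberately NOT flagged here:
    the article ties the indicator to the bogus domain, not to applets in general.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host == LOOKALIKE_HOST or host.endswith("." + LOOKALIKE_HOST):
        m = APPLET_PATH.match(parts.path)
        if m:
            return ("applet path on lookalike domain", m.group(1))
        return ("lookalike domain", None)   # e.g. a visit to the landing page only
    return None


def scan_proxy_log(lines: List[str]) -> List[Hit]:
    """Walk constructed proxy-log lines ('ts client url status') and return hits."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 3:
            continue                       # malformed line; skip rather than crash
        client, url = fields[1], fields[2]
        verdict = classify_url(url)
        if verdict is not None:
            reason, token = verdict
            hits.append(Hit(n, client, url, token, reason))
    return hits


# Constructed sample log (not real traffic). Line 5 has only five digits in the
# path, so it is flagged for the domain but not as the exploit URL itself.
SAMPLE_LOG = """\
2015-08-10T09:14:02Z 10.0.0.21 https://www.eff.org/ 200
2015-08-10T09:14:09Z 10.0.0.21 http://electronicfrontierfoundation.org/url/382104/Go.class 200
2015-08-10T09:15:44Z 10.0.0.37 http://electronicfrontierfoundation.org/ 200
2015-08-10T09:16:01Z 10.0.0.42 https://example.org/url/123456/Go.class 200
2015-08-10T09:16:30Z 10.0.0.21 http://ElectronicFrontierFoundation.org/url/00117/Go.class 404
""".splitlines()


if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.client} -> {h.url} [{h.reason}"
              f"{', token ' + h.token if h.token else ''}]")
```

Clients that fetched the full Go.class path are the ones to triage for the Sednit follow-on (the DLL download and command-and-control connection the article describes); clients that only touched the landing page were at least exposed to the phishing redirect. Widening the regex to any `Go.class` fetch from an unknown host would catch repurposed infrastructure but is an assumption beyond what the page reports.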

In all, it was a sophisticated and dangerous attack. But in a few days this particular outlet will be shut down. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing