It all started with an email the woman apparently received from a colleague, saying: "Hi, There is a new site about Gülen movement. It is http://www.hizmetesorulanlar.org/homepage.html. Also you should read an essay which I sent. (passwprd:12345)."
She luckily spotted that the email address of the sender was not the correct one, and didn't open the link, but sent it to digital forensics firm Arsenal Consulting.
What they discovered is that the link didn't actually point to that URL, but to a poorly designed page hosted in Turkey, where a downloader was waiting to be installed on visitors' computers.
According to Wired, the forensic investigators haven't managed to get their hands on the file that the aforementioned downloader was meant to install on the compromised computer.
Still, the downloader itself serves as a clue about what it could have been, as it is one that has in the past been used to install Remote Control System (RCS), also known as DaVinci, a spying tool created by Hacking Team and sold to governments and law enforcement agencies.
As a reminder: Italy-based Hacking Team has recently been dubbed a "corporate enemy of the Internet" by Reporters Without Borders, for having allegedly provided this remote control system to the governments of Morocco and the United Arab Emirates, who purportedly used it to spy on political dissidents and activists.
The spying tool can turn on the compromised computer's microphone and camera, record conversations, text exchanges via Skype, MSN Messenger and other popular IM apps, as well as steal browsing histories.
A spokesman for Hacking Team has declined to say whether the company has sold its software to the Turkish government, and whether the (now revoked) certificate used to sign the downloader has been used by them or was issued to the company. He claims that there is little the company can do if someone decides to misuse the tool, but that they are doing their best to know who they are selling to, and that they have refused to work with certain governments.
It is currently impossible to tell who organized this particular phishing attack, but as Arsenal Consulting president Mark Spencer pointed out, "We have an email, a purported sender, and a target all critical of the Gülen movement. We have professional malware launched from a server in Turkey. You can take it from there."
If the attack was set up by the Turkish government, it would mean that it was doing what it is explicitly forbidden to do as a NATO member: spying on a citizen of a fellow member state, on that member's soil, for a purpose not tied to a criminal or counter-terrorism investigation.