Pawn Storm Serves Malware Via Fake EFF Site

Hackers have set up a fake domain masquerading as an official site for the Electronic Frontier Foundation as part of a targeted malware campaign.

According to the EFF itself, the site, electronicfrontierfoundation[dot]org, is designed to trick users into a false sense of trust, and it appears to have been used in a spear-phishing attack and is still serving malware.

Further, the domain appears to be part of a larger campaign. The attack uses the same path names, Java payloads and Java exploit that have been used in other attacks associated with Pawn Storm, a campaign carried out by the group known as APT 28, which is believed to have ties to the Russian government.

“The attack is relatively sophisticated—it uses a recently discovered Java exploit, the first known Java zero-day in two years,” the EFF said in an analysis. “The attacker sends the target a spear-phishing email containing a link to a unique URL on the malicious domain. When visited, the URL will redirect the user to another unique URL containing a Java applet which exploits a vulnerable version of Java.”

From there, the attacker is able to run arbitrary code on the user's machine.
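As an added defensive illustration, not part of the original article or of the EFF's analysis, the following Python sketch scans proxy log lines for requests to a lookalike of the EFF's domain and for any Java archive fetched from it, which is the two-step pattern described above. The log lines, field layout, legitimate-domain list and brand keywords are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Legitimate domains of the impersonated brand (the EFF in the case above). Assumed list.
LEGIT_DOMAINS = {"eff.org", "www.eff.org"}
# Substrings that suggest a brand lookalike when they appear in an unrelated host. Assumed.
BRAND_KEYWORDS = ("electronicfrontier", "eff-", "-eff")
# Content types that indicate delivery of a Java applet/JAR.
JAVA_CONTENT_TYPES = {"application/java-archive", "application/x-java-applet"}

# Constructed proxy log lines (not real data):
# timestamp client method url status content-type
SAMPLE_LOG = """\
2015-08-27T10:01:02Z 10.0.0.5 GET http://electronicfrontierfoundation.org/u/9f2a1 302 text/html
2015-08-27T10:01:03Z 10.0.0.5 GET http://electronicfrontierfoundation.org/a/77b0/index.html 200 text/html
2015-08-27T10:01:04Z 10.0.0.5 GET http://electronicfrontierfoundation.org/a/77b0/applet.jar 200 application/java-archive
2015-08-27T10:05:00Z 10.0.0.7 GET https://www.eff.org/deeplinks 200 text/html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def registered_domain(host):
    """Crude eTLD+1 (last two labels); adequate for .org/.com style hosts."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_lookalike(host):
    """True when the host carries a brand keyword but is not a legitimate brand domain."""
    h = host.lower()
    if h in LEGIT_DOMAINS or registered_domain(h) == "eff.org":
        return False
    return any(k in h for k in BRAND_KEYWORDS)


def analyze(log_text):
    """Return (sorted lookalike hosts, [(client, url)] of Java fetches from those hosts)."""
    lookalikes, java_fetches = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        _ts, client, _method, url, _status, ctype = m.groups()
        host = urlparse(url).hostname or ""
        if is_lookalike(host):
            lookalikes.add(host)
            if url.lower().endswith(".jar") or ctype.lower() in JAVA_CONTENT_TYPES:
                java_fetches.append((client, url))
    return sorted(lookalikes), java_fetches
```

On the sample log this reports the lookalike host once and the single `applet.jar` fetch from client 10.0.0.5, while the genuine www.eff.org request is left alone.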

“It seems likely that the organization behind the fake-EFF phishing attack also has ties to the Russian government,” EFF said. “Past attacks have targeted Russian dissidents and journalists, US Defense Contractors, NATO forces and White House staff. We do not know who the targets were for this particular attack, but it does not appear that it was EFF staff.”

The Java vulnerability has been patched by Oracle, so users should update their plug-ins as soon as possible. It is also a timely reminder for everyone to stay vigilant against phishing attacks.
