Political Activist from Saudi Arabia

Hello everyone. We are a group of political activists in Saudi Arabia with activity on Twitter. We are being bombarded by phishing links devised to obtain information about our identities by the Saudi intelligence headed by the notorious Mohammed bin Salman. Not all of us are technically able to distinguish the attack. So the techies among us took it upon themselves to pursue the matter. We found out that the latest domain used to attack us is using an SSL cert generated by Let's Encrypt. So we are asking if there is an official way to report that Let's Encrypt is being used nefariously against political activists.

Thank you for helping the internet get more secure every day.

Mariq


Hi @MariqYami

Everyone who controls a domain can create a Let's Encrypt certificate.

Please read the FAQ:

A website using Let’s Encrypt is engaged in Phishing/Malware/Scam/… , what should I do?


Just to be clear: is this "domain used to attack us" actually controlled/owned by the entity that has the certificate? Or do you think that your attackers now have an SSL cert for a domain that they don't actually control? As said above, Let's Encrypt only validates control over the domain, not use of the domain. So if they actually control the domain, then I don't think Let's Encrypt will do anything unless the owners are on the list of people the US Government forbids US companies from doing business with at all (which I suspect isn't the case, but I'm not up on current international politics). If they don't control the domain (like, they got a cert for twitter.com even though they don't own it), then Let's Encrypt would definitely be interested and do something about it.

You can probably report the domain to the various "Safe Browsing" programs like those listed in that FAQ link, and doing so is probably the only "official" report you can make to somebody who might do something about it.

Part of "helping the internet get more secure every day" includes making it secure for people one doesn't agree with and who do "bad things", for better or worse.


Full disclosure: I actually do have connections to the Saudi government and some familiarity with how internet operations work in Saudi.

Just a thought: if you are visiting/investigating these sites, you are exposing your interest in them. Given the resources and control of the Saudi government, I don't think standard phishing tactics would be very efficient or effective to identify people (unless they reside outside of the kingdom where options are limited). I'm not sure how you could deduce by whom these sites are orchestrated. Depending upon the domain name(s) for the sites, it's entirely possible that literally anyone could be behind them. If the domain name for a site has a .sa extension, there is a strong requirement to file paperwork associating the site with a business or organization. Not just anyone can register a .sa domain name. If the domain name for a site does not have such restrictions, there is no telling from where it comes, even if it appears to be hosted in Saudi. One thing I feel for sure though, I'm very doubtful that Saudi intelligence is going to make their involvement that obvious.


Our current policy does not allow us to revoke certificates based on the content of websites, including for suspected phishing, malware, fraud, abuse, or otherwise objectionable content.

We recommend reporting such sites to Google Safe Browsing and the Microsoft Smart Screen program, which are able to more effectively protect users. Here are some reporting URLs:

https://safebrowsing.google.com/safebrowsing/report_badware/
https://safebrowsing.google.com/safebrowsing/report_phish/
https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site-guest

If you’d like to read more about our policies and rationale, you can do so here:


Regardless of who is attempting the phishing, your best option to address phishing attempts is to determine the IP address of the domain and send an abuse complaint to the network operators. You can determine who that is with an IP search at http://whois.arin.net/

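The lookup the reply above describes (domain to IP, IP to the network operator's abuse contact) can be automated against the RIRs' RDAP service, which returns the same registry data as whois as JSON. The script below is an added example, not code from the forum post or from Let's Encrypt; the RDAP URL shape for ARIN (`https://rdap.arin.net/registry/ip/<address>`) is real, while the sample RDAP record, the `hosting.example` addresses and the `phishing.example` domain are constructed placeholders so the demo runs offline. The `resolve_ipv4` and `fetch_rdap` helpers are the online steps; `abuse_contacts` walks nested entities and keeps only those carrying the `abuse` role, so a technical or registrant contact is not mistaken for the abuse desk.

```python
import json
import socket
import urllib.request

# Constructed sample shaped like an RIR RDAP "ip network" response. Every value
# is a placeholder invented for this example, not a real network or contact.
SAMPLE_RDAP = {
    "objectClassName": "ip network",
    "handle": "NET-EXAMPLE-PLACEHOLDER",
    "startAddress": "192.0.2.0",
    "endAddress": "192.0.2.255",
    "entities": [
        {   # registrant; its abuse desk is nested one level down, as RIRs often do
            "objectClassName": "entity", "handle": "EXAMPLE-ORG", "roles": ["registrant"],
            "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                     ["fn", {}, "text", "Example Hosting (placeholder)"]]],
            "entities": [
                {"objectClassName": "entity", "handle": "ABUSE-EXAMPLE", "roles": ["abuse"],
                 "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                          ["fn", {}, "text", "Example Abuse Desk (placeholder)"],
                                          ["email", {}, "text", "abuse@hosting.example"]]]}
            ],
        },
        {   # technical contact: has an email, but must NOT be reported as the abuse desk
            "objectClassName": "entity", "handle": "NOC-EXAMPLE", "roles": ["technical"],
            "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                     ["email", {}, "text", "noc@hosting.example"]]],
        },
    ],
}


def resolve_ipv4(hostname: str) -> str:
    """Step 1: hosting IP of the phishing domain (needs DNS; not used by the offline demo)."""
    return socket.gethostbyname(hostname)


def rdap_url(ip: str) -> str:
    """ARIN's RDAP endpoint; ARIN redirects to the responsible RIR for non-ARIN space."""
    return f"https://rdap.arin.net/registry/ip/{ip}"


def fetch_rdap(ip: str, timeout: float = 10.0) -> dict:
    """Step 2: pull the RDAP record for the IP (network access required)."""
    req = urllib.request.Request(rdap_url(ip), headers={"Accept": "application/rdap+json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def _vcard_emails(entity: dict) -> list:
    """Every 'email' property of an entity's jCard (the 'vcardArray' member)."""
    vcard = entity.get("vcardArray") or []
    if len(vcard) != 2:
        return []
    return [prop[3] for prop in vcard[1]
            if isinstance(prop, list) and len(prop) >= 4 and prop[0] == "email"]


def abuse_contacts(rdap: dict) -> list:
    """Step 3: emails of abuse-role entities, searching nested entities too.
    De-duplicated, in document order; empty list if the record carries no abuse role."""
    found = []
    queue = list(rdap.get("entities", []))
    while queue:
        entity = queue.pop(0)
        if "abuse" in entity.get("roles", []):
            for email in _vcard_emails(entity):
                if email not in found:
                    found.append(email)
        queue.extend(entity.get("entities", []))
    return found


def network_range(rdap: dict) -> str:
    """Allocated range, worth quoting so the operator can locate the host quickly."""
    return f"{rdap.get('startAddress')} - {rdap.get('endAddress')}"


def draft_report(domain: str, ip: str, rdap: dict) -> str:
    """Assemble the text of an abuse complaint from the lookup results."""
    contacts = abuse_contacts(rdap) or ["<no abuse role in RDAP; check the RIR whois page>"]
    return ("To: " + ", ".join(contacts) + "\n"
            f"Subject: Phishing site hosted at {ip} ({domain})\n"
            f"The host {domain} resolves to {ip}, inside your allocation {network_range(rdap)}, "
            "and is serving a credential-phishing page. Please investigate and take it down.\n")


if __name__ == "__main__":
    # Offline demo on the constructed record; online, use fetch_rdap(resolve_ipv4(domain)).
    print(draft_report("phishing.example", "192.0.2.10", SAMPLE_RDAP))
```

When a record has no `abuse` entity at all, `abuse_contacts` returns an empty list rather than falling back to the technical contact; in that case the RIR's own whois page (the link in the reply above) is the place to look for the right mailbox.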

Thank you everyone. I understand maybe it's on the edge or outside the scope of Let's Encrypt to condemn and revoke certificates issued for domains used for phishing, and I will report to the entities mentioned and shared.

In a nutshell, Let's Encrypt helps the internet make sure the certificates are signed by the domain owner/manager, nothing less, but nothing more.

Thank you and have a good day,


Dear Griffin, thank you for your response. Yes, our interest in these sites is real. We are working on making a direct line from these methods to the Saudi Government. They are very effective against us since they even have on record a direct IP-ID connection, and yes, they are making it obvious.

Regards,


You probably already know this, but there are some civil society groups like Citizen Lab and several others that sometimes do research projects about attribution of phishing campaigns (for example, to see whether malware is used, and whether the infrastructure or technology used in a campaign can be associated with particular known vendors or known attackers). So there could be a number of groups interested in the details of individual phishing campaigns and similar deception attacks.

In some cases making a report to Google's Safe Browsing may also attract the attention of Google's own security researchers, although they are much less likely to share the results of their research publicly, compared to security researchers from civil society. If phishing messages or malicious sites are trying to get you to download a malicious attachment or malicious software update (as opposed to only tricking you into sharing personal information or passwords or something), there are also antivirus and security companies that may be interested in receiving samples of the malware so they can study and possibly block it.

