PhotoPrivacy fans beware: there's a new malware-spreading phishing scam that impersonates the Electronic Frontier Foundation, including a fake website that looks similar to the EFF's real one.

The EFF's genuine web address is at But on Aug. 4, somebody registered a new domain name at electronicfrontierfoundation(dot)org. Yesterday, the real EFF posted a warning about the fake website, which was originally discovered by researchers from Google's security team. Even though the scam site has been identified, the EFF said that “At the time of this writing the domain is still serving malware.”

Malware campaign

The fake Electronicfrontierfoundation site appears to be part of a larger malware campaign known as Operation Pawn Storm. Pawn Storm dates back to at least October 2014, when security researchers at Trend Micro discovered “a series of attacks that targets military officials as well as various defense contractors.”

The current phase of Pawn Storm, including the EFF impersonation, apparently started in mid-July (and shortly before the Aug. 4 registration of the false Electronicfrontierfoundation site). On July 11, Trend Micro posted a Pawn Storm update announcing that they'd discovered a new zero-day exploit taking advantage of a vulnerability in Java.

In tech-speak, a zero-day exploit is a vulnerability which bad-guy hackers discovered how to use before good-guy researchers knew it was there. Thus, zero days pass between the discovery of the vulnerability and the discovery that someone's already used it for bad purposes. (Imagine a homeowner who says “I never knew my house even had a back door – until I found a burglar using that door to rob the house.” The previously unknown back door was a zero-day flaw, and the burglary a zero-day exploit.)

Possible Russian involvement

The genuine EFF, in its warning about its malware-spreading impostor, said that it is currently “unclear who the [current attack's] intended targets were,” although “The group behind the attacks is possibly associated with the Russian government and has been active since at least 2007.”

Like many malware campaigns, this latest Pawn Storm update snags most of its victims by sending out fake emails purporting to be from legitimate organizations – the EFF, in this instance. Those emails contain a link leading to the fake, malware-riddled spoofing site, which then loads keylogging software onto your computer.

If nothing else, this EFF-impersonating Pawn Storm attack should serve as another reminder of why you should never click on any link (or download any file) from an unsolicited email.

Share your Comments