Hackers posing as journalists target dissident Saudi reporter

Reporters Without Borders (RSF) urges all journalists to sharpen their cyber-security reflexes after a dissident Saudi reporter repeatedly received emails in which a variety of journalists were impersonated in a bid to lure him into clicking on malicious links.

This kind of attack, mixing phishing and the theft of journalists’ identities, undermines trust in the media and at the same time endangers the sources of those who are targeted, RSF said.


The Saudi target of these hacking attempts is Ali Al-Ahmed, a Washington-based expert in terrorism and the Gulf states. The emails he has been getting for months have included many “interview requests” from people posing as BBC or Washington Post journalists, including Jamal Khashoggi a few months before his murder.


“Once one of these supposed journalists even suggested that we meet,” Al-Ahmed told RSF. “Maybe they just wanted to observe my movements.”

For more information about the Ali Al-Ahmed story, read this AP article

The main aim of these fraudulent emails has been to lure Al-Ahmed into clicking on links that would give the senders access to his inbox and his confidential data – the widely-used hacking technique known as phishing. In the case of a journalist, successful phishing enables the hackers to use the journalist’s email address to contact their sources, putting them in danger if they are from authoritarian countries.


Repeated cyber-attacks


John Scott-Railton, a Citizen Lab researcher who analysed Al-Ahmed’s emails, said he was struck by the persistence of these hackers. “Most phishing campaigns don’t last as long as this. Someone really wants to know what’s in his inbox and is targeting it repeatedly, almost as if it was a job.”


Continuing such attacks for a long time makes it easier to identify those responsible. But that does not seem to have worried the hackers in this case although phishing is illegal in the United States.


“Phishing directly threatens journalists and their sources,” said Elodie Vialle, the head of RSF’s journalism and technology desk. “By impersonating journalists, the predators are striking twice, because they are also undermining trust in the media. We advise all journalists and activists who often give interviews to pay more attention to such threats, especially as such hacking methods are not constrained by borders and can target exile dissidents as well.”


Monitoring and smearing journalists


The technique of posing as a journalist in order to trap dissidents, including dissident journalists, is not new and in fact has been used systematically in countries where press freedom predators have a free hand.


“Since the Green Movement in Iran in 2009, more and more Iranian journalists have been targeted by phishing,” said Reza Moini, the head of RSF’s Iran-Afghanistan desk. “The aim is to hack into their accounts or to conduct fake interviews in order to undermine their credibility and their message. Use of such techniques is systematically stepped up whenever there is a political crisis.”


It is also widely used in such countries as Turkey, the world’s biggest jailer of professional journalists, and Ukraine, where phishing emails from a person posing as an investigative reporter were sent last month to government officials, journalists and members of the public.


RSF advises journalists and activists to verify interview requests by calling the media outlets concerned. They should also always pay close attention to the addresses of the emails they receive (including from people they know), and to the web address of any link in an email.


Other tips for stepping up cyber-security can be found in RSF’s Safety Guide for Journalists and in Citizen Lab’s Security Planner.


Published on
Updated on 09.11.2018