Book Excerpt: ‘Chasing Shadows’ by Ron Deibert

Editor’s Note: Below is an excerpt from ‘Chasing Shadows,’ a new book by the Citizen Lab’s founder and director, Ron Deibert, on the growing cyber surveillance threats facing journalists and civil society activists around the world. It is provided courtesy of Deibert’s publisher, Simon & Schuster. GIJN has published an interview with Deibert about this new book.

“In November 2015, Rori Donaghy, a UK-based journalist, received an unsolicited email containing what appeared to be a link to an Al Jazeera article. His reporting posed a threat to the royal families of the UAE as he exposed their corruption, human rights abuses, and ruthless suppression of dissent.

Image: Courtesy of Simon & Schuster

The email Donaghy received took the form of an invitation to join a human rights panel. The operators who sent the message were banking on his moral and political sensibilities, his eagerness to promote human rights, to get him to click on the link.

“We would like to formally invite you to apply to be a member of the panel by responding to this email,” the invitation began…  The link was created using a URL shortener — a free, web-based service that condenses a lengthy link into something easier to copy, paste, and share and redirects the request to the desired destination. Unfortunately, it’s also a service that is often abused by malicious actors…

“[Citizen Lab researcher Bill] Marczak asked Donaghy, ‘Can you respond to them and ask for another link? Say it’s not working.’ To our surprise, the operators sent a further email, this time with another shortened link to a password-protected web portal where Donaghy could supposedly download a document securely.

“On opening the document, it revealed a fake version of Microsoft’s legitimate security portal, Proofpoint. The operators had labeled it in English and Arabic: ‘This Document Is Secured.’

“The Word document was designed specifically for Donaghy. Whoever was behind the ruse had constructed an entire fictitious organization in hopes of getting him to click on the link. However, they took a lazy shortcut and had appropriated a banner graphic from a previously existing and much older anti-slavery campaign, which we easily identified through a basic reverse image search. Marczak then searched through Donaghy’s inbox looking for any other messages he might have received in the past that contained the same shortened link. Bingo!

“As our searches continued, we uncovered new information that led us to more layers of the mystery, clues to additional victims, and, gradually, a picture of who might be behind it all. A Twitter search for the same shortened link service showed that the operators who targeted Donaghy had also targeted at least twenty-seven other Twitter handles. Of those, the owners of twenty-four of them had been arrested by UAE authorities.”