Profile picture
Raphael Satter @razhael
, 7 tweets, 3 min read Read on Twitter
Yesterday I reported on the attempts to digitally compromise @AliAlAhmed_en, a DC-based Saudi opposition figure. The hackers masqueraded as journalists for the BBC and the WaPo, but they also tried other tactics too. Here’s one that caught my eye ...
apnews.com/cee0e8a5338e4b…
In May of this year the hackers sent him a message that (badly) mimicked an event photography service, sending him a link to what were apparently pictures of him at a recent event. That’s Ali in the picture below, holding the microphone. 🎤
documentcloud.org/documents/5028…
Here’s the thing: That photo isn’t publicly available. You wouldn’t get it by doing a Google image search for Ali, for example.

The phishing message doesn’t make it clear, but Ali said the pics came from a Feb. 1 event at @AEI, the DC think tank.
aei.org/events/changin…
Here’s the video in question. Skip forward to 36:00 and you’ll hear Ali’s question and then briefly see him handle the microphone.
Here’s a screenshot I took off the same video, which is what I suspect the hackers did too. But how would they know to sit through an @aei video from four months previous to find photos of Ali?
The whole thing is rather eerie. Ali wasn’t listed as a participant (he was a member of the audience) and while he was quoted in the event transcript (link in AEI page above) it’s not clear how you’d know to look there unless you already knew he had asked a question.
I have admittedly very limited experience but this is the first case I’ve encountered personally where traditional surveillance (whether physically at the event or remotely by someone who watches the DC think tank scene closely) has been leveraged to craft a phishing message.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Raphael Satter
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @razhael see all

Profile picture
Times of Malta: Maltese academic named in Trump scandal is 'alive'
timesofmalta.com/articles/view/…
Short attention span? An abridged version of my profile of Maltese mystery man Joseph Mifsud is out now: abcnews.go.com/International/…
I want to talk a bit about the reporting process that went on behind this story. The piece would not have been possible with the work of independent journalists, in particular @PeterKGeoghegan but also others such as @jonworth who played keys roles in preserving digital evidence.
Read 10 tweets
Profile picture
Exclusive: A day in the life of “Den Katenberg,” alleged GRU hacker apnews.com/c554ea59bd0b4e…
Something that I've been working on quietly but which the indictment probably makes moot: the Secureworks list had several Fancy Bear email addresses which the group used for self-testing.
How I found this out: Fancy Bear generated malicious links in batches. But between these waves of activity they would sometimes generate 1-4 malicious links, often connected to weird-sounding email addresses.

Here's Fancy's bitly activity for March 4, 2016, for example:
Read 16 tweets
Profile picture
Our latest on Fancy Bear, this time relying on new research from @TrendMicro
Pawn Storm group - also known as APT28 or Fancy Bear - has been caught creating phishing sites aimed at ensnaring US Senate staffers, @TrendMicro says. Olympic winter sports federations also targeted.
apnews.com/9a6888c2163f43…
Trend Micro says this recent pattern of activity is identical to the Pawn Storm phishing websites allegedly set up to steal messages from @enmarchefr back in spring of last year
apnews.com/9a6888c2163f43…
Read 11 tweets

Related threads

Profile picture
#Thai authorities will allow 18-year-old Rahaf Alqunun into the country while the UNHCR processes her case after agency representatives were allowed to meet with her late Monday afternoon, according to Lt. Gen. Surachate Hakparn, immigration bureau chief” khaosodenglish.com/featured/2019/…
“After being allowed to meet #RahafAlqunun, UNHCR on Monday agreed to place her under its care & process her for travel to another country, during which #Thailand will allow her entry, Lt. Gen. Surachate Hakparn,immigration bureau chief. told reporters just after 8pm.“ #SaveRahaf Rahaf Alqunun, at center, is escorted by immigration chief Surachate Hakparn, at right, Monday at Bangkok's Suvarnabhumi Airport.
“She has left the airport with the UN,” he said. “She’s not being held by the immigration any longer.”

He said that UNHCR had taken #RahafAlqunun from the airport to other accommodations in #Bangkok and it will take about five days to find a country to accept her.“ #SaveRahaf
Read 6 tweets
Profile picture
#Saudi Opinion Piece blames both #Qatar and #Turkey for #Syria ‘s crisis. Here we go okaz.com.sa/article/1695539
The Saudi opinion piece refers to Syrian State as “nationalist” and blames the Arab Spring on foreign countries (Qatar & Turkey with political cover from the U.S) capitalizing on domestic issues while relying on help from the Moslem Brotherhood ideology
Opinion Piece concludes that countries like #Saudi and #UAE who are embracing “stability and moderation” need to work on “Preserving the Syrian State” that governs such an ancient and important land
Read 3 tweets
Profile picture
#Saudi feminist Loujain al-Hathloul, 29, was detained in May in unprecedented crackdown vs feminists. Crown Prince Mohammed bin Salman aide Saud al-Qahtani, personally oversaw her interrogation, which incl waterboarding & threatened to rape & kill her google.com/amp/s/www.wsj.…
Of 18 detained activists, at least eight have been physically abused in custody, according to Saudi advisers, activists &others with knowledge of the prisoners’ treatment. One said security officials electrocuted her hands. “My fingers resembled barbecued meat, swollen and blue”
Glad to see some finally pay attention to misogyny in #Saudi Arabia - I call it gender apartheid. RIP Jamal Khashoggi. It should not be lost on us that it took the murder of a man for some to finally pay attention to women.
Read 15 tweets
Profile picture
#Saudi Crown Prince Mohamed Bin Salman,suspected to have ordered murder of journalist #JamalKashoggi, launched unprecedented crackdown vs women’s rights activists in May. Those activists have been tortured & one has tried suicide 3 times google.com/amp/s/www.wash… h/t @SherifaZuhur
Some of the activists (none of whom have been formally charged or given access to lawyers) have been subjected to psychological or physical abuse while in custody, including electric shocks, sexual harassment, sleep deprivation and beatings. #Saudi
“In one reported instance, one of the activists was made to hang from the ceiling, and according to another testimony, one of the detained women was reportedly subjected to sexual harassment, by interrogators wearing face masks.” amnesty.org/en/latest/news… #Saudi
Read 21 tweets
Profile picture
#Saudi Arabia says #Canada's statement on the arrest of activists in the Kingdom is an unacceptable interference in its internal affairs, expels the Canadian ambassador and freezes all future trade. bbc.in/2vs6crl
"In her first public response to Saudi Arabia's actions, Foreign Minister Chrystia Freeland said on Monday: 'Let me be very clear ... Canada will always stand up for human rights in Canada and around the world, and women's rights are human rights'." aljazeera.com/news/2018/08/s…
Direct investment was already down in #Saudi Arabia after some of the recent disturbances; this spat with #Canada is unlikely to help. on.wsj.com/2OgITYl
Read 6 tweets
Profile picture
Trump Hotels' website still lists Trump SoHo New York among its properties in the Our Hotels menu. Select its name though to access its page and there's a message about it being renamed

bit.ly/2EPCSy1
National politics correspondent for Newsweek, Nina Burleigh, with a fun find on a TV above the bar at the Trump Hotel DC bit.ly/2E37QRR
Two errors in the 2nd graf of Breitbart's Trump Hotel DC article:
-holdings aren't out of @realDonaldTrump's hands: trust isn't blind & he can profit from it
-Trump Org told Congress it was estimating foreign receipts—not auto donating in full
bit.ly/2CpL7z2
Read 1562 tweets

Trending hashtags

#théofascisme #American #MyDCCool #aljazeera #Saud #Saudi #DepartmentofLabor #thistown #Compromise #Kashoggi #mypresident #hackers #S300 #Kuwait #Bangkok #Merkel #WhatsAtStake #Kahshoggi #Syria #Oil #dc #FakeNews #Kingdom #Bolton #Sanandaj

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!