@KeirGiles @citizenlab 6/ Takeaway for us: some sophisticated threat actors are feeling pressure & innovating.
Trying to move away from smash & grab phishing for passwords (& maybe your 2nd factor code)... and going for something more subtle, slower perhaps less detectable.
8/ There were so many clever bits to this attack, it's easy to imagine a lot of people falling for it.
Everything was clean. The doc looked real. The language was right. Email addresses at the State Dept. seemed to be CC'd.. I could go on.
They even had Keir enter "ms.state. gov" into the ASP name...
(this doesn't do anything but further the deception that he's adding an external app to his Gmail, that name field accepts any text you want to put in there)
THE #EU parliament #spyware debate has kicked off, follow along with me.
( triggered by the hacking of a MEP investigating spyware w/Pegasus)
It kicks off as expected with Commissioner @dubravkasuica (Croatia) trying frame the issue as a national one (govs should investigate...not the parliament).
This is likely to be unpopular among MEPs concerned by spyware abuses.
Next up? MEP & spyware victim @KrzysztofBrejza 1/
2/ Next: MEP @KrzysztofBrejza, himself a spyware target is clear: mercenary spyware is a risk to democracy & institutions.
I've experienced it myself. Spyware is dangerous when in the hands of the wrong ppl.
A very powerful statement.
@krzysztofbrejza 3/ Strong statements by @alexagiussaliba: Every citizen has the right to privacy.
2/ Parents want to protect their children, but once you build & implement bones of a system like this, with government developed 'verification' apps you've loaded the gun & pointed it at free expression.