Phishing Attack on Tunisian Gmail Accounts – more censorship?

Tunisia is turning out to be the most repressive country in Africa when earlier this year the government began a wave of censorship of online sites.

Tunisia is carrying out one of the most massive wave of online censorship targeting major social websites, video-sharing websites, blogs aggregators, blogs, facebook pages and profiles. The most recent victim of this wave is flickr, the popular and one of the best online photo-sharing website, blocked today, April 28th, 2010………

Last week, on April 22, 2010, Tunisia has added 3 more websites to its list of banned video-sharing websites in the country. Blip.tv,metacafe.com and vidoemo.com are not welcome aymore in the country.In early April, 2010, On march, 19th, 2010, WAT.TV, another social networking and media-sharing website, which is believed to be the 3rd video broadcaster on the Internet in France, has also been blocked.

The targeting of video-sharing websites by Tunisian censors started on September 3rd, 2007, with the ban of Dailymotion, then it was the turn ofYoutube to be banned from the country’s Internet on November 2nd, 2007.

On it’s posterous page, Nawaat.org has published an updated list of the banned video-sharing websites in the country, stating that:

Now the government appears to have extending the censorship via a mass phishing attack on GMail accounts as explained by Slim Amamou on Global Voices Advocacy who spent some time investigating the origins of the attack.

That first experience with this phishing campaign on Gmail lasted only a few minutes before things returned to normal, but there was something fishy going on : the IP address was correct! (see nmap screenshot). To make such an attack, it takes full control of the Tunisian network, from the wires to the HTTP protocol. Those hackers were owning the whole country.

The hacking method was basically to block access to the secure Gmail so that Tunisians are required to sign in via a non-secure Gmail, then divert them to a machine running a fake Gmail login page under EasyPHP, to steal their passwords and later, when needed, hack their email accounts.

Later that morning, I decided to monitor and trace this systematic phishing campaign on Gmail with the help of a cronjob which to check if port 443 was open or closed – basically, if it is closed, a phishing attack was ongoing.

The post is important not just because it reports on censorship in Tunisia and the lenghts the government will go towards hiding its repression but the details of Slim’s investigation to try to find out who is behind the phishing attack and how to protect your Gmail account are extremely useful.