Jan 8, 2011 08:42 GMT
Tunisian government suspected of organizing countrywide phishing attacks

Tunisian bloggers continue to report countrywide phishing attacks against Gmail, Facebook, Yahoo! and other webmail and social media accounts, attacks which appear to be orchestrated by the government.

Slim Amamou, a Tunisian web applications developer and Internet freedom activist, was arrested after posting, two days ago, an investigation of one such phishing attack against Gmail.

According to him, it all started with users reporting that they could not log into Gmail and were seeing strange errors on the login page.

The possibility of malware infection was quickly ruled out and all signs pointed to a much larger attack.

DNS poisoning was considered, but this theory also fell apart, because the problem persisted even when other DNS resolvers were used.

Further investigation led Amamou to conclude that for five minutes every two hours, TCP port 443, which Gmail uses for HTTPS, was blocked, and users ended up on http://mail.google.com, a plain-HTTP version of the Gmail login page with no encryption at all.

Attempting to log in during this window sometimes produced errors reading "Notice: Undefined index: Passwd in C:\Program Files\EasyPHP5.3.0\www\ServiceLoginAuthservicemai.php on line 57."

EasyPHP is a free WAMP (Windows + Apache + MySQL + PHP) bundle. It has nothing to do with Google, and its appearance in an error on a supposed Gmail page is a clear sign that the login page is fake: the message is PHP complaining that a submitted form lacked the Passwd field, and the path shows the script running from an EasyPHP installation on a Windows machine, under a file name chosen to mimic Google's ServiceLoginAuth login endpoint.

Because it appears at the genuine mail.google.com address, this phishing attack can plausibly fool a great many users, but there is more.

Not only does this happen on mail.google.com, but the IP address that name resolved to during the attack belongs to Google. Had this been DNS poisoning, the name would have resolved to a server controlled by the attackers.

This is clearly a man-in-the-middle attack in which traffic bound for Google's own address is hijacked in real time on the network path and answered by a fake server. And since users of several different ISPs are reporting the same problem, the interception is not the work of any single ISP: it affects the entire country.
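One way to turn the reasoning above (the PHP notice leaking from a supposed Gmail page, and the DNS answer still pointing at Google's own address) into a repeatable check, as an added example that is not code from the article or from Amamou's investigation. It classifies a captured plain-HTTP response for mail.google.com as expected (a redirect to HTTPS) or suspicious, and combines that verdict with the resolved IP to separate DNS poisoning from in-path interception. The HTTP headers and surrounding HTML are constructed for the example; only the PHP notice text is the one quoted above. The prefix list is a stand-in for whatever an operator knows about the name's owner, not a statement of Google's real address space.

```python
"""Added example (not from the article, nor Slim Amamou's own code):
heuristics for telling a genuine Gmail login response over plain HTTP
from the kind of interposed page the article describes, and for using
the DNS answer to distinguish DNS poisoning from in-path interception.
The sample responses below are constructed, not captured.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# A PHP runtime message such as "Notice: Undefined index: ... on line 57",
# with or without the <b> tags PHP wraps around the level name in HTML output.
PHP_RUNTIME_MSG = re.compile(r"\b(Notice|Warning|Fatal error)\b[^\n]{0,300}?\bon line \d+")
# A Windows-style path to a .php script, e.g. C:\Program Files\EasyPHP5.3.0\www\x.php
WINDOWS_PHP_PATH = re.compile(r"[A-Za-z]:\\[^\"'<>\r\n]*?\.php", re.I)
PASSWORD_FIELD = re.compile(r"<input[^>]*\btype=[\"']?password", re.I)
FORM_ACTION = re.compile(r"<form[^>]*\baction=[\"']?([^\"'\s>]+)", re.I)


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def parse_http_response(raw: bytes):
    """Minimal HTTP/1.x response parser: (status, lower-cased headers, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


def check_login_response(raw: bytes) -> Verdict:
    """Inspect the response to a plain-HTTP request for mail.google.com."""
    status, headers, body = parse_http_response(raw)
    reasons = []
    if status in (301, 302, 303, 307, 308):
        if headers.get("location", "").startswith("https://"):
            return Verdict(False)  # expected behaviour: bounce the user to HTTPS
        reasons.append("redirect does not lead to HTTPS")
    server = headers.get("server", "")
    if re.search(r"win32|php", server, re.I):  # assumption: Google's front ends never say this
        reasons.append(f"Server header announces a Windows/PHP stack: {server}")
    if PHP_RUNTIME_MSG.search(body):
        reasons.append("PHP runtime notice leaked into the page")
    if WINDOWS_PHP_PATH.search(body):
        reasons.append("Windows path to a .php script in the page")
    if "easyphp" in body.lower():
        reasons.append("EasyPHP (WAMP bundle) named in the page")
    if PASSWORD_FIELD.search(body):
        m = FORM_ACTION.search(body)
        action = m.group(1) if m else ""
        if not action.startswith("https://"):
            reasons.append("password form submits over plain HTTP")
    return Verdict(bool(reasons), reasons)


def classify_interception(resolved_ip: str, expected_prefixes, verdict: Verdict) -> str:
    """Combine the DNS answer with the content check, as the article's reasoning does:
    a fake page from an IP outside the owner's prefixes points at DNS poisoning,
    a fake page from an IP inside them points at traffic interception on the path."""
    ip = ipaddress.ip_address(resolved_ip)
    in_owner_range = any(ip in ipaddress.ip_network(p) for p in expected_prefixes)
    if not verdict.suspicious:
        return "clean"
    return "in-path interception" if in_owner_range else "dns poisoning"


# Constructed sample responses (not real captures). The PHP notice text is the one
# quoted in the article; the headers and HTML around it are invented for the example.
GENUINE_REDIRECT = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://mail.google.com/mail/\r\n"
    b"Server: GSE\r\n"
    b"Content-Length: 0\r\n\r\n"
)
FAKE_LOGIN_PAGE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.2 (Win32) PHP/5.3.0\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body><b>Notice</b>: Undefined index: Passwd in "
    b"C:\\Program Files\\EasyPHP5.3.0\\www\\ServiceLoginAuthservicemai.php on line 57"
    b"<form action=\"ServiceLoginAuth\" method=\"post\">"
    b"<input name=\"Email\"><input type=\"password\" name=\"Passwd\"></form></body></html>"
)
# Assumed prefix list for the owner of the name, supplied by the operator for the
# example; it is not a statement of Google's actual address space.
EXPECTED_PREFIXES = ["74.125.0.0/16"]

if __name__ == "__main__":
    for raw in (GENUINE_REDIRECT, FAKE_LOGIN_PAGE):
        v = check_login_response(raw)
        print(classify_interception("74.125.39.83", EXPECTED_PREFIXES, v), v.reasons)
```

The content check is deliberately independent of the DNS check: a genuine redirect to HTTPS is reported clean regardless of the resolved IP, while a fake page is attributed to DNS poisoning or to interception on the path purely by whether the answer falls inside the prefixes the operator trusts, which is exactly the distinction Amamou drew.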

The only entity with the power to pull off something like this is the Tunisian Internet Agency (Agence tunisienne d'Internet, ATI), which controls the country's edge routers and supplies Internet connectivity to all privately owned providers.

ATI has used this position in the past to block websites the government deemed inappropriate, such as YouTube, Vimeo, Flickr, Blip.tv and Metacafe.

Yassine Ayari, a Tunisian network security engineer and Internet freedom activist, reported on Twitter that, although still in custody, Slim Amamou was not harmed and might be released tomorrow.

Photo captions: EasyPHP errors on fake mail.google.com page; EasyPHP errors on fake facebook.com page.