Amid popular uprisings in Syria, Facebook users in the country logging into the secure HTTPS version of the social networking site are finding themselves the targets of an ongoing man-in-the-middle attack detected on various Internet service providers. Although it is unclear who is behind the attack, the Electronic Frontier Foundation links it to allegations that the Syrian Telecom Ministry, under the auspices of the Syrian government, is the perpetrator. It is suspected that the Ministry has replaced Facebook’s security certificate with a fake, unsigned one. In this attack, users’ browsers display an SSL error on the Facebook Web site because the certificate is not trusted by the browser. Users may ignore the warning by clicking through it, and in doing so allow the attacker to access their Facebook accounts and to control and collect their information. Some suspect that this is a ruse by Syrian authorities to spy on activists using the site to coordinate protests.
The attack comes amid cyberattacks launched by pro-regime actors. Last week, the OpenNet Initiative’s Helmi Noman reported that pro-regime Facebook pages (http://www.facebook.com/syria.e.s and http://www.facebook.com/syrian.electronic.soldiers, which have since been removed) had begun distributing DDoS software and encouraging followers to attack anti-regime Web sites.
The EFF was able to track down a copy of the fake certificate used in the latest attack, and below is a screenshot of the fake certificate from Global Voices.
On the left is the fake certificate, and on the right is the original SSL certificate.
This type of attack has occurred during other tense moments in the region—for instance, during the protests in Tunisia this year, when malicious code was injected into the Twitter, Facebook and Gmail pages served in Tunisia to phish users’ credentials.
The same kind of man-in-the-middle attack was at issue in last month’s Comodo breach, which we blogged about here, where Comodo’s European affiliate had issued nine fraudulent certificates for domains belonging to Mozilla, Global Trustee, Gmail, Google, Skype, Yahoo and Windows Live. In the case of Comodo, some suspected that it was part of a larger state-sponsored plan to eavesdrop on encrypted communications. At the time, Comodo stated that, “It does not escape notice that the domains targeted would be of greatest use to a government attempting surveillance of Internet use by dissident groups. The attack comes at a time when many countries in Middle East and North Africa (MENA) region are facing popular protests and many commentators have identified the Internet and in particular social networking sites as a major organizing tool for the protests.” While some attributed the attack to state-sponsored agents, a lone Iranian hacker claimed responsibility. However, the alleged attacker’s claims of acting independently from the state have been questioned.
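As an added example, not code from the original post, the EFF or Facebook, the following Python script performs the two checks a defender would want for the two cases above: the trust-store validation a browser performs, which an unsigned forgery like the one reported in Syria fails, and a certificate-fingerprint pin, which also catches a fraudulently issued but CA-trusted certificate of the kind involved in the Comodo breach. The default host name and the pinned fingerprint are constructed placeholders, not real values.

```python
import hashlib
import socket
import ssl
import sys

# Pinned SHA-256 fingerprint of the DER-encoded leaf certificate we expect.
# CONSTRUCTED placeholder, not Facebook's real fingerprint: a deployment
# records the genuine certificate's fingerprint out of band and pins that.
EXPECTED_LEAF_SHA256 = "00" * 32


def fingerprint(der_cert: bytes) -> str:
    """Lowercase hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(der_cert: bytes, expected: str = EXPECTED_LEAF_SHA256) -> dict:
    """Compare the presented leaf certificate against the pin.

    A mismatch means the client is not seeing the certificate it was told to
    expect: an interposed party presenting its own certificate (CA-trusted or
    not), or a legitimate rotation the pin has not yet caught up with.
    """
    seen = fingerprint(der_cert)
    return {"match": seen == expected.lower(), "seen": seen}


def trust_store_accepts(host: str, port: int = 443) -> bool:
    """The check a browser performs: does the chain validate against the
    local trust store? An unsigned or self-signed forgery fails here; a
    fraudulently issued certificate from a trusted CA does not."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return False


def fetch_leaf_der(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate WITHOUT validation, so that a forged
    certificate's fingerprint can still be recorded and compared."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "www.facebook.com"
    trusted = trust_store_accepts(host)
    pin = check_pin(fetch_leaf_der(host))
    print(f"{host}: chain trusted={trusted} pin match={pin['match']} seen={pin['seen']}")
    # Either failure is a reason to stop, not a warning to click through.
    sys.exit(0 if trusted and pin["match"] else 1)
```

Run with a host name as the only argument; a non-zero exit code means the connection should not be trusted.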
