Phishing Scams Targeting Anti-Kremlin Movements: A New Threat to Freedom and Safety

Phishing attacks often aim at financial gain or malware distribution. However, a new wave of phishing scams poses a more severe risk, particularly for Russians seeking to join groups opposing the Kremlin. These scams could lead to severe consequences, including imprisonment or worse. In this article, we delve into the tactics used in these scams, their potential origins, and their implications.

The Rise of Phishing Domains

Security firm Silent Push recently uncovered a network of phishing domains mimicking recruitment sites of Ukrainian paramilitary groups and government intelligence sites. These sites target Russians who oppose Vladimir Putin's regime, collecting personal information under the guise of recruitment for anti-Kremlin activities.

Spoofing the Freedom of Russia Legion

Among the sites identified is legiohliberty[.]army, a fraudulent version of the legitimate Freedom of Russia Legion website. This paramilitary unit is composed of Russian citizens opposing Putin's invasion of Ukraine. The fake site replicates the original, using a Google Form to solicit personal information from users, including their name, contact details, military experience, and political views. Such actions are illegal in Russia, leading to arrests and charges against participants.

Connections to Other Phishing Sites

Silent Push's investigation linked the fake Legion site to rusvolcorps[.]net, which impersonates the Russian Volunteer Corps, another paramilitary group. This site similarly uses Google Forms to gather data. Additional phishing domains identified include ciagov[.]icu, mimicking the U.S. CIA’s website, and hochuzhitlife[.]com, spoofing Ukraine’s Ministry of Defense.

Search Engine Manipulation

Interestingly, these phishing sites aren't propagated through traditional email campaigns. Instead, they exploit search engine results, prominently appearing when users search for anti-Putin organizations. This tactic was highlighted by security researcher Artem Tamoian, who noted discrepancies between search results on different platforms. For instance, while Google returned legitimate site links, Yandex—the largest search engine in Russia—often led users to phishing pages.

The Role of Stark Industries Solutions

The investigation into these phishing sites also unveiled their hosting details. When Cloudflare blocked the domains, the real Internet addresses were traced to Stark Industries Solutions Ltd, a known "bulletproof hosting" network. This network emerged in 2022, coinciding with Russia's invasion of Ukraine, and has been associated with various cyber activities, including DDoS attacks and disinformation campaigns.

The Consequences of Falling for Phishing Scams

Phishing scams targeting anti-Kremlin movements have dire consequences. Russia's Supreme Court designated the Freedom of Russia Legion as a terrorist organization in 2023, making communication with the group punishable by lengthy prison sentences. Reports frequently surface of individuals being arrested for attempting to join Ukrainian paramilitary groups or assist them in any way.

The Broader Campaign

Though direct evidence linking these phishing sites to specific arrests is scarce, experts like Tamoian believe they are part of a broader campaign by Russian security services to trap dissenters. The persistent presence and creation of new phishing sites suggest their effectiveness in ensnaring unwary individuals.

Conclusion

Phishing scams have evolved beyond financial threats, now posing severe risks to personal freedom and safety, especially for those opposing powerful regimes. The phishing sites targeting anti-Kremlin movements highlight a sophisticated campaign to manipulate search results and exploit individuals' aspirations to join resistance efforts. As these threats continue, vigilance in recognizing and avoiding phishing scams becomes increasingly crucial for those seeking to engage in anti-government activities.