Cyber Security

  • PPA Ghana website hack; insights and lessons for protecting websites

    On Saturday, August 27, 2022, a photo of an article promoting an adult website on the official website of the Public Procurement Authority (PPA) went viral on social media.

    Dubawa Ghana’s research showed that at least seven different articles of that nature had been published on the website. 

    The articles have since been deleted, but below are insights from our findings and advice from experts on protecting websites from such unpleasant developments. 

    Between January and August 2022, more than 13 different hookup-related posts were published on the Public Procurement Authority’s official website, ppa.gov.gh.

    All the posts were meant to promote adult-oriented social networking services, including Adult Friend Finder.

    The many grammatical errors in the meta description of the various articles when searched on Google suggest that the articles were written in bulk using an inexpensive AI copywriting tool. 

    We also found evidence that around the same time the publications were made on the State agency’s website, similar publications promoting the same websites were being done on other websites. 

    For instance, the Public Procurement and Disposal of Public Assets Authority of Uganda had similar publications on its website. 

    Although some of the articles have subsequently been pulled down, we accessed some of them that were still live, like this one.

    PPA statement

    Ghana’s Public Procurement Authority, in a statement, said its website had been “compromised by hackers” and that it is working to ensure that such an incident does not recur.

    “The Authority continues to work with the relevant Cyber Security Agencies to ensure appropriate measures are put in place to prevent future cyber attacks on our official website and in the event it happens, it will be swiftly resolved,” it said.  

    Hacking

    Website hacking is the unauthorised access to or control over computer network security systems for some illicit purpose.

    Apart from attempts to get access to company data, cybercriminals may hack a website in a way that ruins the organisation, like redirecting some critical web page links to adult websites or injecting the website with new articles with backlinks to adult websites, as was the case of the PPA website.  

    Statistics show that almost one out of every six WordPress-powered sites is vulnerable to attacks. More than half a million WordPress sites were compromised by attackers in 2021.

    How does this happen?

    Divine Puplampu, the technology lead for Accra-based web services provider Stimulus, told DUBAWA that, besides gaining access to and taking control of a website author’s account to make unwarranted posts, hackers may also take advantage of vulnerabilities that arise from the use of outdated themes and plugins.

    “There are different levels at which this can happen. The account of an administrator can be hacked directly. Also, somebody may be able to inject some codes into the Structured Query Language (SQL) of the website, which gives them access to the website’s database and allows the person to make posts on your site. In such a case, you won’t see those articles in the posts section, but when someone opens the website, they’ll be able to see them [the posts]. There is also the case of outdated themes and plugins that can allow hackers access to make posts on the website because of the vulnerabilities they have,” he said.

    Puplampu said a cursory assessment of the ppa.gov.gh website shows that the WordPress version being used is yet to be updated to the latest version of 6.0.1 and the minimum recommended PHP of 7.4. 

    He advised that preventing such attacks in future will require that “the PHP, WordPress core, themes and plugins are updated to the latest version as the updates tackle security vulnerabilities.”

    “I will advise administrators to ensure that they prevent people from getting access to the accounts by implementing two-factor authentication and also change their password periodically… Website owners must also employ technical and security maintenance engineers to police their websites to ensure that such things are detected and tackled soon enough. A simple Google reCAPTCHA system can also help prevent the situation where bots are used to hack websites,” he added. An extensive explanation of how to protect a website from hacking can be found here.
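
    The injected articles described above carried backlinks to outside sites, so one check a site maintainer can run is an audit of published posts for links that leave the organisation's domain and for posts with no recognised author. The following Python is an added example, not part of the original article or of any PPA tooling; the post records, the author name and the `gov.gh` allowlist are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the site only links to hosts under this suffix (constructed allowlist).
ALLOWED_SUFFIXES = ("gov.gh",)

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        host = (urlparse(href).hostname or "").lower()
        if host:  # relative links have no host and stay on-site
            self.hosts.append(host)

def is_allowed(host):
    # Match the suffix on a label boundary so "gov.gh.evil.example" is rejected.
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)

def audit_posts(posts, known_authors):
    """Return (post id, reasons) for posts with off-site links or unknown authors."""
    findings = []
    for post in posts:
        collector = LinkCollector()
        collector.feed(post["content"])
        external = sorted({h for h in collector.hosts if not is_allowed(h)})
        reasons = []
        if external:
            reasons.append("external links: " + ", ".join(external))
        if post["author"] not in known_authors:
            reasons.append("unknown author: " + str(post["author"]))
        if reasons:
            findings.append((post["id"], reasons))
    return findings

# Constructed sample rows, shaped like an export of published posts.
SAMPLE_POSTS = [
    {"id": 101, "author": "comms-officer", "content": '<a href="https://ppa.gov.gh/tenders">Tenders</a> <a href="/about">About</a>'},
    {"id": 102, "author": "comms-officer", "content": '<p>Join <a href="http://hookup-promo.example/join">here</a></p>'},
    {"id": 103, "author": None, "content": "<p>No links, but no author account either</p>"},
    {"id": 104, "author": "comms-officer", "content": '<a href="https://ppa.gov.gh.evil.example/x">x</a>'},
]

if __name__ == "__main__":
    print(audit_posts(SAMPLE_POSTS, {"comms-officer"}))
```

    Run against an export taken directly from the database rather than the admin posts screen, so that rows written outside the editor are included.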

  • Pegasus: All you need to know about spyware that could erode your phone privacy despite encryption

    Your end-to-end encrypted social media apps such as WhatsApp and Facebook are not so ‘encrypted’. In essence, it is technological policies that guard your privacy and your activities online. While these policies have been reliable, at least for the time they lasted, your online activities are not so privately protected as you may think. They may be protected, but when those who seek your private information are after it, you can do little or nothing about it. And Pegasus guarantees that. Pegasus is spyware that bypasses all the protective devices on your smartphone, infiltrates your personal data, and supplies it to those seeking it.

    Pegasus is developed by the Israeli cyber arms firm NSO Group; it can be discreetly installed on mobile phones without the user’s knowledge. The Pegasus spyware enters a smartphone and takes control of everything including functionalities such as the camera and microphone.

    Built to infiltrate phones operating on Android, Blackberry, iOS, and Symbian to open them to surveillance, the spyware does not need users’ consent or actions to carry out its operations successfully.

    Although the NSO Group was founded in 2010 with the sole purpose of developing best-in-class technology to help government agencies detect and prevent a wide range of global and local threats, there have been concerns from journalists, human rights activists, politicians, and other individuals over direct use of spyware on them to stifle democracy, especially in autocratic nations.  

    Earliest use

    The earliest reported use of Pegasus was by the Mexican government in 2011 to track notorious drug baron Joaquín “El Chapo” Guzmán.

    Jamal Khashoggi, the murdered Saudi Arabian dissident, was said to have been monitored using the Pegasus spyware.

    In August 2016, an investigation revealed failed attempts to install the spyware on a human rights activist. The news attracted wide attention, and the attempt was widely regarded as the “most sophisticated” privacy breach on a smartphone.

    This set of events marked the earliest use of the tool to track down persons. Nonetheless, numerous documentaries and investigations that were eventually released revealed that the spyware has been used to track people acquainted with the murdered Saudi Arabian dissident, Jamal Khashoggi.

    Pegasus at work…

    Like most software, Pegasus has evolved in ways that improve its operations. While former versions of the tool relied mainly on the user’s susceptibility to click a spear-phishing link sent to the phone, or to open a document, dummy message, or missed call that covertly installs the spyware, the latest version of Pegasus is more sophisticated and does not need the user’s input. It can now simply penetrate a smartphone, especially through a widely used, end-to-end encrypted messaging app like WhatsApp, without the phone’s user even noticing.

    According to the Regional Editor of The Conversation Africa, Adejuwon Soyinka, “since 2019, Pegasus users have been able to install the software on smartphones with a missed call on WhatsApp, and can even delete the record of the missed call, making it impossible for the phone’s owner to know anything is amiss. Another way is by simply sending a message to a user’s phone that produces no notification.”

    This reality simply indicates that the updated version of the spyware does not need the smartphone holder to do anything. As Soyinka puts it, “All that is required for a successful spyware attack and installation is having a particularly vulnerable app or operating system installed on the device. This is known as a zero-click exploit.” This can be carried out in different ways. The Indian Express explained that “one over-the-air (OTA) option is to send a push message covertly that makes the target device load the spyware, with the target unaware of the installation over which she anyway has no control.”

    The Washington Post also reported an international investigation on 23 Apple devices that were successfully hacked. “Zero-click” attacks can work on even the newest generations of iPhones, even after years of effort in which Apple attempted to close the door against unauthorized surveillance. 

    Will Cathcart, WhatsApp’s Chief Executive Officer, even expressed his disappointment with the NSO and explained that “A user would receive what appeared to be a video call, but this was not a normal call. After the phone rang, the attacker secretly transmitted malicious code in an effort to infect the victim’s phone with spyware. The person did not even have to answer the call.”

    “Once it is installed on the user’s phone, Pegasus can harvest any data from the device and transmit it back to the attacker. It can steal photos and videos, recordings, location records, communications, web searches, passwords, call logs, and social media posts. It also has the capability to activate cameras and microphones for real-time surveillance without the permission or knowledge of the user,” Cathcart said. 

    Which type of people are targeted?

    The NSO said it created the Pegasus spyware to help government agencies quell terrorism and insecurity. While countries like India, Mexico, Saudi Arabia, and some other nations are known to have used or are still using the Pegasus spyware, there is, however, an ambiguity about who or what types of people are being targeted and why. 

    However, the renowned stories around Jamal Khashoggi’s murder show the tool is widely used by suppressive governments around the world to monitor and track the activities of journalists and human rights activists. According to Amnesty International, there is a list that contains phone numbers that were marked as “of interest” to NSO’s various clients, though it’s not known if any of the phones associated with the numbers have actually been tracked.

    This reality has led to an in-depth investigation by a media consortium called the Pegasus Project over 50,000 phone numbers. Though the research could only trace the actual identities of 1,000 people in over 50 countries from the list, conclusive findings show that the people who appeared on the list are neither terrorists nor criminals but politicians, government workers, journalists, human rights activists, business executives, and Arab royal family members.

    The Pegasus Project reports “the NSO Group says it builds Pegasus solely for governments to use in counterterrorism and law enforcement work. The company markets it as a targeted spying tool to track criminals and terrorists and not for mass surveillance. The company does not disclose its clients.”

    A tool to detect the Pegasus Spyware

    How to detect Pegasus is a question that has been asked countless times by persons who have come across or heard about the spyware. The singular answer to this question is that there is no particular way or sign to do so. However, there is a Toolkit developed by Amnesty International that verifies the status of devices and allows users to know if their mobile phones were infected with the spyware.

    This Toolkit has been boosted by Switzerland-based developer DigiDNA by improving on their iOS device manager, iMazing. The tool detects all sorts of spyware including Pegasus. According to terms outlined by the DigiDNA company, the spyware detection tool is only for iOS devices and also does not analyze jailbroken iPhones (jailbreaking allows the phone’s owner to gain full access to the root of the operating system and access all the features). You can read more on how to install the app on iPhone here.

    You can do something about it: It’s not a totally helpless situation

    Nonetheless, it is pertinent to note that Pegasus has its own lapses and gaps. According to a Pegasus brochure, “installation from browsers other than the device default (and also chrome for android based devices) is not supported by the system”. This implies that one way to swerve the spyware is to change the default phone browser. This action halts the installation of spyware.

    According to a set of precautions against Pegasus presented by the Indian Times, thoughtful cyber hygiene can safeguard against spyware’s baits. But when Pegasus exploits a vulnerability in one’s phone’s operating system, there is nothing one can do to stop a network injection. Worse, one will not even be aware of it unless the device is scanned at a digital security lab.

    The article further outlines that “Switching to an archaic handset that allows only basic calls and messages will certainly limit data exposure, but may not significantly cut down infection risk. Also, any alternative devices used for emails and apps will remain vulnerable unless one forgoes using those essential services altogether.”

    “Therefore, the best one can do is to stay up to date with every operating system update and security patch released by device manufacturers, and hope that zero-day attacks become rarer. And if one has the budget, changing handsets periodically is perhaps the most effective, if expensive, remedy.”

    “Since the spyware resides in the hardware, the attacker will have to successfully infect the new device every time one changes. That may pose both logistical (cost) and technical (security upgrade) challenges. Unless one is up against unlimited resources, usually associated with state power.”

    Conclusion 

    The Pegasus spyware has no doubt altered cybersecurity. While the protection built against it is no match for its influence and ravaging capacity, the Pegasus spyware, like many other technologies that have come before it, will eventually give way and perhaps be forgotten. However, until that time comes, smartphone users will continue to be vulnerable to this spyware, since end-to-end encrypted applications are also susceptible to “mighty Pegasus” and cannot protect one’s private information.
