A Kenyan security guard in Qatar targeted by a phishing attack

18th June 2021

2 minutes read

A Kenyan watchman now facing charges in Qatar after writing compelling, anonymous accounts of being a low-paid worker there found himself targeted by a phishing attack that would have revealed his location just before his arrest, analysts say.

While analysts from Amnesty International and Citizen Lab said they were unable to mention who targeted Malcolm Bidali, the phishing attack mirrored others previously administered by Gulf Arab sheikhdoms targeting dissidents and political opposition. It also would require access to tip stored by telecommunication companies typically only released to government or private security force officials to be ready to be useful also .

Ooredoo and Vodafone Qatar, the 2 major internet providers in Qatar, didn’t answer requests for comment. Qatar also didn’t answer questions on the phishing attack targeting Bidali.

The weekslong detention of Bidali, 28, in an undisclosed location comes before Qatar hosting the 2022 FIFA World Cup and has again raised questions on freedom of expression during this small, energy-rich nation before the tournament.

“There is not any evidence that he’s being detained for love or money aside from his legitimate human rights work — for exercising his freedom of expression, and for shining a spotlight on Qatar’s treatment of migrant workers,” multiple human rights organizations campaigning for Bidali’s release recently wrote.

Bidali worked 12-hour days as a watchman . In his spare time, he wrote anonymously under the nom de plume “Noah” about his experiences as a guard, including trying to enhance his worker accommodations and therefore the challenges of life.

The reason for Bidali’s detention by security forces beginning late May 4 remains unclear. a few week earlier on April 26, he spoke and briefly appeared during a videoconference with civil society and union groups describing his experiences.

Just hours then videoconference ended, a Twitter user sent Bidali a link he later clicked thereon seemed to initially be a video from Human Rights Watch. But instead, it sent him to a decoy, look-alike YouTube page that “might have allowed the attackers to get his IP address, which could are wont to identify and locate him,” Amnesty said. An IP address may be a numeric designation that identifies its location on the web .

“In like 10 minutes, almost any techie can set an internet site to capture the IP address of somebody who clicks,” said Bill Marczak, a senior researcher at Citizen Lab who also came to an equivalent conclusion as Amnesty. “The hard part is converting the IP address into a true name and address.”

That typically requires access to non-public information kept by internet service providers that typically only they or governments can access.

Twitter later suspended the account that targeted Bidali with the phishing attack. The San Francisco-based social media company didn’t answer questions on the suspension.

Late on Saturday night, Qatar said during a statement that Bidali had been “formally charged with offenses regarding payments received by a far off agent for the creation and distribution of disinformation within the state of Qatar.” The statement didn’t elaborate or offer evidence to support the allegation.

If convicted under Article 120 of Qatar’s legal code , which uses similar language because the Qatari statement, Bidali could confront to 10 years in prison and a 15,000 Qatari riyal ($4,000) fine. Early last year, Qatar also amended its legal code to permit for prison sentences of up to 5 years and a fine of 100,000 Qatari riyals ($27,500) for anyone publishing “rumors or statements or false or malicious news or sensational propaganda,” consistent with Human Rights Watch.

Qatar is home to the state-funded Al Jazeera satellite news network. However, expression within the country remains tightly controlled.