For most people, spam emails are nothing more than a nuisance, but for pro-democracy activists in the Middle East, they could be a matter of life and death.

Amid brutal crackdowns against the Arab Spring, pro-regime forces have been using fake messages to install malware on activists’ computers that would allow them to monitor keystrokes and other activity, says Morgan Marquis-Boire, a security researcher at the University of Toronto’s Citizen Lab who has been studying the issue.

The Arab Spring has been touted as a digital revolution, as opposition groups have used social media sites such as Twitter, Facebook and YouTube to get their message across. Proponents of this move toward tech activism say the worldwide popularity of these tools helps democracy efforts by making the technology easily accessible and making it more difficult for governments to shut down.

But Marquis-Boire thinks there’s also a disturbing corollary to that theory: Once activists flock to a technology, surveillance and malware are sure to follow. Marquis-Boire is set to talk about what he has seen today at the BlackHat security conference in Las Vegas.

Several of these exploits have been previously disclosed, including in an article today in which Bloomberg reporter Vernon Silver found several pro-democracy Bahraini activists who had received suspicious emails and sent the software to the team at Citizen Lab for analysis. Citizen Lab believes the malware is a product called FinFisher, a type of spyware made by U.K.-based Gamma Group.

The Wall Street Journal wrote in November about FinFisher and other types of “off the shelf” surveillance products for governments and law enforcement. In documents obtained by the Journal at the time, Gamma said FinFisher could be installed by “sending fake software updates for popular software.”

In the case of the Bahraini emails, however, the malware was disguised in an email purporting to be from an Al Jazeera reporter regarding torture and arrests in Bahrain. Certain characteristics of the malware matched those in test versions of Gamma’s product, but the information it collected was sent back to a server in Bahrain, Citizen Lab wrote in a blog post.

A representative from Gamma did not immediately respond to a request for comment.

Marquis-Boire said in an interview that pro-regime forces have several “favored methods” of getting at activists online. “Compromised Skype accounts of trusted friends is very popular,” he said, as activists have looked to the Internet telephony service because they don’t trust the state phone systems.

Pro-regime forces also tailor their attacks depending on the country, Marquis-Boire said. In Libya, for example, activists have been swapping Google Maps files to indicate areas of interest. Now the surveillance forces use fake versions of those maps as a way to get malicious code onto people’s computers.

“You would get files that were allegedly these maps passed around, claiming to be Gadhafi’s current location or something in map form,” he said. “So you’d open it up, and then it logs all your keystrokes and sends them to an IP address in Libya.”

In Iran, after one particular type of anti-censorship software took hold, another version of the program showed up that installed not only the software but also a “back door” into the computer allowing surveillance of the machine.

So what can be done? The team at Citizen Lab said it is sending evidence from the Bahrain malware to antivirus developers so they can help people detect it. Otherwise, the advice for avoiding potentially deadly malware is basically the same as the advice for avoiding the less lethal kind: “It pays to be especially cautious when downloading files over the Internet, even from links that are purportedly sent by friends,” the Citizen Lab researchers wrote.
