Pay No Attention to the Server Behind the Proxy: Mapping FinFisher's Continuing Proliferation

Abstract

Special thanks to Citizen Lab colleagues Morgan Marquis-Boire and Claudio Guarnieri, as well as Ron Deibert and Masashi Crete-Nishihata. Special thanks to the Open Technology Fund. Thanks to Vern Paxson and Jason Passwaters. ; This post describes the results of Internet scanning we recently conducted to identify the users of FinFisher, a sophisticated and user-friendly spyware suite sold exclusively to governments. We devise a method for querying FinFisher's "anonymizing proxies" to unmask the true location of the spyware's master servers. Since the master servers are installed on the premises of FinFisher customers, tracing the servers allows us to identify which governments are likely using FinFisher. In some cases, we can trace the servers to specific entities inside a government by correlating our scan results with publicly available sources.