I was a hair’s breadth away from arriving — unannounced and unexpected — in the middle of a motorcycle rally, brandishing my camera for a fake photography job, and all because I believed the content of an email that I thought was sent by a friend.
When Cofense, a phishing simulation provider that works with enterprise companies to help train their staff to spot fraudulent emails, approached me to see whether or not I would fall for such schemes, I doubted it — secure in the knowledge that as a frequent recipient of these types of messages I should be able to spot them without a problem.
Today, it’s no longer about spray-and-pray spam messages sent to countless email addresses at the same time, waving the promise of Spanish lottery winnings or funds bequeathed by a recently deceased, long-lost relative from Africa in your face.
If you are a valuable target, cyberattackers will take their time and craft malicious messages just for you.
This is known as spear-phishing or a “whaling” attack. If a spammer is after a big fish, such as a company executive or public figure, simple fake emails will likely get no further than the first barrier an email gatekeeper throws up.
So-called whales are specifically selected for their individual value. This could be their personal wealth or access to sensitive information within a company … such as a direct line to the accounts department.
In order to reel in these targets, black hat hackers and fraudsters make use of social engineering. This can include reconnaissance across social media networks such as Facebook, Twitter, and LinkedIn; tracing email addresses in a bid to find online accounts of interest; scanning groups and public profiles to piece together a picture of their interests, personal connections, and more.
All of this is designed to build a map of the target’s connections, friends, family, personal details, and history to identify what the individual may consider trusted sources.
For spear-phishing emails to succeed, messages must appear to be from credible contacts or businesses. Email addresses can easily be spoofed, names faked, and threat actors may employ company logos, signatures, and personal details to enhance their credibility.
I wanted to see, given my more thorough understanding of phishing than the average individual, just how susceptible I would be to a targeted spear-phishing campaign over the course of two weeks.
Cofense set out to compile a dossier on me as a person, my interests, family, friends, and more — resulting in some exceptional social engineering attempts, as well as exceptional embarrassment on my part.
The team attempted to fool me into engaging with phishing emails to potentially click what would be — outside of our simulation — a link leading to malicious content that could include fraudulent domains or malware payloads perfect for hacking my system.
If I fell for any of the attempts and clicked through, I would be met with a page saying “Hello Charlie” with the Cofense logo and a smiley emoticon, which I quickly developed a hatred for, alongside an irrational desire to punch my screen whenever it appeared.
The first wave
The first few were recognizable phishing attempts, involving a fake delivery note from DHL and an “Order Confirmation” from what appeared to be Amazon, given the similarity of the branding.
I then received a [ clipped message ] email containing a link to the ‘original message’ — a common phishing method used to bypass Secure Email Gateway (SEG) controls, such as those offered by Microsoft and Proofpoint.
So far, so good, and my dignity was maintained. Well, at least for a few days.
The next attempt was a beautifully crafted piece of spear-phishing, but it requires some context to explain.
I have been part of the motorcycle scene for many years. Many of my friends are still active in the biker community, and sometimes, I go to a popular rally, which involves camping and live music over the course of several days.
I missed the event last year — a fact which the phishing team was not aware of, but important in relation to why I was reeled in.
During its research, Cofense learned I am a photographer on the side (more for the joy of it than commercial gain) and my website — albeit little more than a placeholder at present — advertises this fact publicly.
One wedding, in particular, caught their attention. I provided photos of the big day as a wedding gift for the bride and groom, friends I have known for years and both of whom are involved in the biker community.
Cofense zoomed in on some of the public pictures and connected the couple with a motorcycle club. A Facebook search found their page and the groom’s name — giving the phishers not only a connection to the club, which happens to run the rally, but also his nickname.
I received a message from the now-husband, and while I generally talk more with his wife, it was not that out of the ordinary. In the past, requests for motorcycle club event photography would have gone through their social secretary, but due to recent personal changes, it was potentially understandable for a different member of the club to get in contact with me instead.
The email, using his name, asked me to fill in for a photographer who had to drop out due to a family emergency. As I didn’t know who took photographs last year during my absence, I didn’t deem the request suspicious. In addition, the message was signed off with his nickname. The email read:
I didn’t click the event link, purely because as a frequent guest of the rally who knew the club well, I didn’t need to, and therefore also failed to realize the domain linked within the email was completely fake and had been acquired by Cofense as part of the simulation.
I also glossed over a poster embedded in the message which, while very similar to the true event poster, was missing key details such as the club’s full name.
Perhaps if it hadn’t been 10 pm when the email was sent and I wasn’t enjoying my second glass of wine at the time, I would have noticed.
Instead, I responded to the email as I would have done if the sender was actually my friend — letting him know I could do the Friday and Saturday nights, asking if I could pitch up my tent with the club and if beer tokens were acceptable in lieu of payment, finishing off the reply with an X.
I spent the remainder of my evening wondering which camera lenses to bring, where my tent was, if I still had an airbed I could use (and where did I put that pump?), and who could possibly cat-sit for a day or two at such short notice.
Not to be satisfied with making me believe I would be on a campsite over the weekend, the next day, my loyal phishers tried again to lure me into clicking a link, sending the following response:
“Perfect. Thanks so much for helping. Actually, thinking about it, knowing how good my wedding photos were I’m quietly pleased our planned photographer had to pull out. His shots last year left a little to be desired….I think he’d enjoyed the bar a bit too much. Take a look! LOL”
... as well as a link to what appeared to be images stored via Google.
The mention of his wedding photos alone was enough to elicit trust and enough to fool me into clicking the image gallery link — much to my mortification when I realized I’d been conned.
The phish was such a blinding success that in the email to my ‘friend,’ I also mentioned my former partner. This gave the phishing team even more ammunition against me, leading them to source all of his social media accounts and photos of us, which could have been used in new, targeted campaigns.
If the phishing simulation had been legitimate, not only could this have resulted in a visit to a malicious website or the delivery of malware payloads, but it could have also compromised my physical security. If a threat actor managed to find my home address and sent me on my way to an event, they could have taken the opportunity — knowing I would be absent, at least until the scheme was uncovered — to infiltrate my home while I was away.
It might sound like a bit of a stretch, but stranger things have happened in the world of social engineering.
So, what next?
The team graciously gave me a day or two to recover from my crippling embarrassment. The next message attempted to lure me into visiting a link which promised to provide a recorded voice message, apparently sent by one of my editors — and made use of their genuine cell number. This phishing attempt failed, as I never receive voice-based messages.
If it was that important, my colleague would simply email or call me directly. Also, I have an irrational hatred of voicemail, so I would email back anyway, regardless.
The next example I spotted was a simple attempt, in which the name and email address of a colleague were spoofed. The message said a calendar had been shared with me. This one, too, failed — not because it did not appear legitimate, but purely because we do not share calendars in the interest of preventing widespread schedule chaos.
The next phishing message was a close call. Coming in with the subject line, “Speaker Invitation for 2020 Consumer Products Conference,” this image-based email asked me to consider speaking at the fake event. The layout of the message, the language used, the mention of us apparently meeting at the Qualcomm conference — an event I attended in Hawaii last year — all of it appeared perfectly plausible.
So, why did this fail? For one reason and one reason alone. It was sent in the middle of a busy day and I forgot to respond, and then the email became submerged in the normal deluge of hundreds I receive a day.
Wonderful. The phishing team clocked on to the idea that as someone who publishes online, I receive emails on occasion over spelling mistakes or grammar issues. Reporters do receive these emails — albeit not always as polite as the phishing attempt below — and generally speaking, they can be useful.
The email was sent late at night and so I picked it up first thing in the morning. I wasn’t quite awake, and even though the sender said a screenshot was below but instead provided a link, the brain fog had yet to lift into an almost-functional mist, and I clicked.
The air was then tainted with my scream of outrage and a selection of colorful curses that would never be uttered in my grandmother’s earshot.
Social media sleuthing resulted in a list of probable family members ranging from my brother to cousins, their partners, and kids — mainly due to one particular family member who had a very open, public presence online. One of my cousins recently married and this provided the fodder for another malicious email.
In this one, my cousin was impersonated through a shared Google Photos wedding album. While I have been expecting a genuine gallery to turn up at some point, this email rang alarm bells as my cousin did not have my email address to my knowledge, and the images pulled as preview photos were already on social media.
My dad’s car, a Jaguar, is the beacon of light in his eyes and holds a prominent place in both his heart and on social media. The team discovered this and used the vehicle as bait in a refund phish.
Sadly, I am not the proud owner of such a glorious specimen of a car and as the email was addressed to my dad, there was no real reason for me to take the bait. Bin.
Last but not least, a Twitter hack
The team mapped my connections and homed in on one of my best friends, who ironically happens to be a police officer who deals with fraud and online scams on a daily basis.
After confirming the friendship via social media, they posed as my friend, gave ‘her’ a spoofed email address, and sent a panic-mode message claiming that my Twitter had been hacked, together with a screenshot seemingly showing that my account had been compromised.
I knew this to be fake as the language used in the email didn’t suit her. However, having sent a very similar message myself to a former colleague (together with a screenshot) when their personal website had been graffitied with political propaganda years back, I can see why this could work.
After the simulation ended, I was provided with a dossier of all the information the Cofense team managed to gather on me. Frankly, it was terrifying.
Everything was gathered through public sources in what is known as open source intelligence (OSINT). Some of the information was a surprise to me, including social media accounts owned by friends and family which I did not know existed and yet mentioned me in some manner, and while my personal accounts are fairly locked down, a lot of data was harvested from the too-open profiles and social media presence of my connections.
The point to remember is that in the world of social media, our friends and connections share responsibility for our privacy, too. One weak link in the chain, whether this is an open Facebook profile or an innocent tweet and photo sent out into the ether, can provide key information which determines a spear-phishing attempt’s success rate.
You should be skeptical of every email you receive, especially given that our privacy is also in the hands of others. Whilst easier said than done when you have a constantly full inbox to tackle, as I learned throughout this experiment, reining in immediate emotional responses and curiosity can mitigate the risk of you ending up with compromised accounts or devices.
How to protect yourself from phishing attacks
Cofense provided a set of recommendations to help you stay protected:
- Be skeptical of each and every message, especially when you are busy or rushed.
- Keep your emotions in check.
- Be suspicious of stories that are too good/bad to be true.
- Examine the link. Hover over it on a desktop to see the destination or hold for a few seconds on mobile (don’t tap!).
- Be cautious with mobile devices. The small screen makes indicators hard to spot. Most emails can wait until you are at your desk where it’s easier to take a closer look.
- Do not click links in an email. Rather, navigate to a familiar and legitimate resource if you can, ideally through bookmarks.
- Do not download attachments out of curiosity.
- Verify the sender. Even if you know the sender and something seems off, reach out to that individual using his or her telephone number or another contact method listed in your contacts or in the company directory.
- Report any suspected phishing attack to your IT team/supervisor to prevent others from falling victim to the same email.
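Two of the checks above, “examine the link” and “verify the sender,” can be partly automated. The script below is an added example written for this article and is not code from Cofense or ZDNet: it parses a constructed sample message (every address and domain in it is a placeholder), compares the sender’s display name with the address it actually came from, and compares each link’s visible text with the host the link really points to, which is exactly the mismatch behind the fake “Google Photos” album phish described earlier.

```python
"""Email triage helper: surface sender and link mismatches before anyone clicks.
Added example, not the article's or Cofense's code; SAMPLE_EMAIL is constructed
and every domain in it is a placeholder."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a "shared album" lure. The display name claims Google
# Photos but the address is elsewhere, and the first link shows one URL as
# text while its href points somewhere else. The second link is honest.
SAMPLE_EMAIL = """\
From: Google Photos <no-reply@photos-share.example.net>
To: charlie@example.com
Subject: Wedding album shared with you
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A new album was shared with you.</p>
<p><a href="https://photos-share.example.net/album/123">https://photos.google.com/share/abc</a></p>
<p><a href="https://photos.google.com/share/abc">View in Google Photos</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []        # list of (href, text)
        self._current = None   # [href, text] of the <a> currently open

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(s.strip() for s in self._current))
            self._current = None


def registrable_domain(host):
    """Crude 'last two labels' approximation (no public-suffix list); fine for a demo."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_sender(msg):
    """Flag a display name that names a brand the real address domain does not contain.
    This only catches the blunt case; a lookalike domain containing the brand word
    would pass, so it complements, not replaces, calling the sender back."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    brand = name.split()[0].lower() if name else ""
    if brand and brand not in domain.lower():
        return [f"sender display name '{name}' but address domain '{domain}'"]
    return []


def check_links(html):
    """Flag links whose visible text is a URL on a different domain than the href."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = urlparse(href).hostname or ""
        if text.startswith(("http://", "https://")):
            shown_host = urlparse(text).hostname or ""
            if registrable_domain(shown_host) != registrable_domain(real_host):
                findings.append(f"link text shows '{shown_host}' but goes to '{real_host}'")
    return findings


def triage(raw):
    """Return all findings for a raw RFC 5322 message (single-part HTML assumed)."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    return check_sender(msg) + check_links(body)


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

Run against the constructed sample, it reports both the display-name mismatch and the link whose text shows photos.google.com while the href goes to photos-share.example.net; the honest second link produces nothing. The sender check is deliberately blunt and is meant as a prompt to pick up the phone, as the recommendations above advise, not as a verdict.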