
I was seven words away from being spear-phished - _ttg
https://robertheaton.com/2019/06/24/i-was-7-words-away-from-being-spear-phished/
======
decasia
It's impossible to overestimate the power of expectations to create trust
(even in the face of contrary indications).

This just almost happened to me this week: A couple of days ago I wrote an
email to a friend I hadn't been in touch with for several years. A day later I
got a message from him on Facebook with what looked like a YouTube link and
the cryptic message, "It's you?"

I didn't want to see myself on a random YouTube video I had never heard of, so
I wrote back that I didn't want to click.

Then the next day my friend announced that his account had been hacked and
that those messages were spam/malware, with a bad impersonation of a YouTube
link. But I was so sure it was a legit message from my friend that I didn't
even notice that the link didn't actually go to YouTube. Fortunately I never
clicked it, but just like the OP, it was blind luck.

[edit: fixed wording]

~~~
throwayEngineer
Okay but let's be clear. Clicking a link won't steal your information.

Going to a bad link and giving your details is how you are phished.

~~~
magicalhippo
Couple of years ago a significant news site here in .no had their ad network
hacked. The result was that if you were browsing that site that morning, and
were a customer of the largest bank in .no, you'd silently get served some
software which would do a MITM attack against the online account page of said
bank, redirecting any payments you did without your knowledge.

All you had to do was to visit that site with Java installed on that computer,
which most users of said bank did because their 2-factor login relied on
Java...

So yeah, don't click on random links.

~~~
autoexec
I use Firefox which I've locked down pretty hard. No site gets to run active
content of any kind by default. No Java, not even JavaScript. That and all the
ad-blocking really limits the likelihood of my getting infected from just an
initial click, but even that isn't foolproof. IE once managed to let attackers
get you just by viewing an image (CVE-2005-2308).

~~~
sangnoir
0-days are not limited to JavaScript - the next one might well be in the
canvas/image/svg renderer. When someone has targeted you with a 0-day and you
load the website they compromised, all bets are off.

------
matthewowen
The specifics of this - the request to judge a prize one is clearly
unqualified for - is that something we as software engineers are particularly
vulnerable to? Most people would, I think, conclude "this is fake, because why
would I be asked to do this?". But I often think that as software engineers we
fancy ourselves to have more insight into other fields than we really do. Does
this ring true to anyone else?

~~~
jjoonathan
Nearly every contest I've ever competed in has had judges who I didn't believe
were vigorously qualified. Perhaps not in the final round, or in the most
competitive sections, but they were there, somewhere, filling in the gaps. On
the other side of the equation, I regularly got "please judge this contest"
emails I wasn't qualified for while I was still in academia.

Falling for this phish wouldn't need to be a matter of inflating one's opinion
of oneself, it could simply happen by knowing that at the low end of contests,
the bar for judging is low.

------
stordoff
> Looking back it’s obviously completely absurd that the University of
> Cambridge would ask me to judge an economics competition

I don't think this really matters all that much. I might click the link anyway
to find out what it is, or to find out why I am allegedly being considered, or
even just out of general curiosity. It doesn't _stop_ the attack from working.

~~~
jjwhitaker
I think a process like with unwarranted phone calls is in order. Take the name
and contact info provided but Google for the information yourself and contact
the official site/email/phone number for information.

~~~
safetyfirstb
A word of warning: go to the actual site and find the contact details there.

I've seen an attacker change the contact details listed on Google search
results (the ones that appear in the boxes) to their own.

I saw it used as part of a Windows help center scam, but I don't see why it
wouldn't work here too.

~~~
jjwhitaker
That is what I had meant but not how my wording ended up. Verify the contact
info from the vendor/firm's site itself if possible.

------
scotchmi_st
This is a fascinating story. It's funny though how, with compromised accounts
at a highly reputable university and a 0-day exploit in one of the most-used
pieces of software out there, they still managed to make basic grammatical
errors in their phishing email. I mean, these people were clearly not messing
around. Their attack(s) were highly targeted. And yet they still didn't check
their written English!

If it hasn't already been tried, perhaps it's worth building a spam-blocker
which checks for bad grammar and increases the spam score for every mistake
found.

~~~
antiviral
Can any of you recommend a way to create a sandbox that can seal off processes
within a computer?

One option is to use a VPC on a cloud-hosted machine to access whatever
emails, links, websites someone sends you, but this can be time-consuming and
costs money.

This article claims that Docker would also not be a good solution:

[https://security.stackexchange.com/questions/107850/docker-a...](https://security.stackexchange.com/questions/107850/docker-as-a-sandbox-for-untrusted-code)

"...container solutions do not and never will do guarantee to provide complete
isolation, use virtualization instead if you require this."

So is there any other way to create a sealed off sandbox on your own machine
that would create a type of moat between your machine and your adversary?

~~~
noir-york
I had written a jail for Windows a long long time ago - it was inspired by
Unix's jail.

For an app you could configure what filesystem and registry access was allowed
and you could redirect FS access.

Implemented it as a kernel driver that hooked into the relevant system calls.
It was easier to do kernel dev back then (we are talking mid 2000s) - I
haven't touched Windows kernel coding in years.

I wonder if Microsoft has implemented a jail for processes in recent versions
of windows. Running browsers in a VM can be cumbersome.

~~~
jakejarvis
Agreed about VMs in everyday use, and I'm wondering if the new Windows 10
Pro/Enterprise sandboxes would be a sufficiently safe alternative in these
scenarios. After skimming this white paper it seems like they would, but I'm
no expert in this area:

[https://techcommunity.microsoft.com/t5/Windows-Kernel-Intern...](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849)

------
undecisive
Cool post. One small nitpick:

> Neil describes his pre-university education as “High School”. We don’t have
> “High School” in the UK - we call it “Secondary School”

Not true at all I'm afraid. Where I'm from (Norwich) we had First / Middle /
High School / (Sixth Form or college) splits, alongside other schools that did
the Primary / Secondary / 6th split.

~~~
jermaustin1
I've also seen High School used in Scotland

~~~
dboreham
Came here to say the same thing, e.g.
[https://en.m.wikipedia.org/wiki/Inverkeithing_High_School](https://en.m.wikipedia.org/wiki/Inverkeithing_High_School)

Although, there's a subtle difference vs US usage: in Scotland High School is
only used in the context of the name of a specific school, not as a term for
the generic concept. E.g. "What secondary school did you attend?"; "I went to
The High School" (meaning the Royal High School in Edinburgh). You'd never say
"What high school did you attend?".

~~~
davb
Even that point varies regionally. Where I grew up, in Glasgow, it's really
common to talk about primary school kids going off to high school or talk
about which high school you attended.

~~~
teh_klev
Agreed. I'm in my 50's and even back in the late 70's in Scotland you'd hear
folks use "secondary school" and "high school" interchangeably. I myself went
to a Scottish "High School" for my secondary education in the 70's/80's.

------
mrmattyboy
"Neil, if you are real and this is your real LinkedIn profile then I am so
sorry. But if you’re so real then why did you copy someone else’s self-
description?"

I would love to find out that the profile _is_ real, and that the JPMorgan
dude is actually a fake profile for another scam (for trying to cheat people
out of money), who stole this guy's self-description :P

The beautiful outcome being that he'd have publicly shamed and picked apart
the guy's entire profile and foiled another scam in one hit :)

------
kache_
It's always nice to get a good healthy dose of paranoia in the morning. This
makes me think back to how my sec professor had a separate system that he'd
use to access his online banking.

~~~
gruez
To be honest, that's probably overboard. You're pretty much never liable for
fraudulent fiat transactions. Crypto on the other hand...

~~~
noxToken
Part of the fallout from fraud isn't being afraid of losing money. Banks and
credit unions are generally on your side when it comes to disputing fraudulent
charges. The hassle is getting it all sorted out - verifying identity with
sometimes completely inept telephone reps, replacing cards, entering new
payment information for recurring charges, etc.

~~~
gruez
On the other hand, there's also a cost to taking security measures. The time
needed to maintain/switch to that separate system has a cost. There's a
study[1] on this, but it's done with simple security measures with an
unrealistically high probability of getting hacked.

[1] [https://arxiv.org/abs/1805.06542](https://arxiv.org/abs/1805.06542)

------
miles
A case of "flattery will get you everywhere":

> I received a very flattering email from the University of Cambridge, asking
> me to judge the Adam Smith Prize for Economics ...

> I wouldn’t say I’m an “expert” in economics exactly, but the university’s
> request wasn’t that surprising. I do have a subscription to The Economist
> ...

> I’ve read a few books by Paul Krugman, but aside from that have never
> studied or practiced economics

~~~
proactivesvcs
Which, in my experience, is not a typical tactic employed by phishers. Usually
it's greed (Here's $50 million for you) or alarm (You've been hacked!).

------
uj8efdkjfdshf
That's interesting - there is indeed a grh37 at Cambridge but he's an
undergraduate studying Chemistry at Selwyn. No idea about how that happened,
but there's been a bunch of really poorly written Emotet/Heodo spam emails
floating around the email system the past few years. I'd guess that he managed
to get his account compromised while logged into Windows on a UCS computer
(which would be a feat in itself, given how poorly written the first stage
dropper is), his UCS account got compromised, and someone uploaded the
malicious website to his public_html folder.

EDIT: Apparently they've blocked new user signups for DS-Web, but this is
kinda pointless given that every new student is automatically given their very
own live website until they graduate.

------
starman100
This "spear" was also for a MacOS vulnerability. No doubt most Mac people
think they're immune to viruses and malware, making this even more effective.

It is a very well thought out attack.

~~~
panpanna
A lot of recent high profile targeted hacks have been against macos (poker
stars, Saudi activist, Chinese activists, ...).

Let's just agree that all platforms are vulnerable and anyone telling you
otherwise should not be trusted.

~~~
closeparen
All platforms are vulnerable; it does not follow that running commercial anti-
malware products is a good idea, or even likely to make you less vulnerable,
on every platform, which is the usual context for "Macs and viruses" arguments.

------
js2
I thought myself fairly well informed about macOS, having run it since the
10.1 days, administering it over the years, etc. But TIL that the quarantine
bit and Gatekeeper, which normally prevent unauthorized executables from
running, are trivially bypassed, as was the case in this attack.

My paranoia level has increased.

[https://objective-see.com/blog/blog_0x43.html](https://objective-see.com/blog/blog_0x43.html)

[https://speakerd.s3.amazonaws.com/presentations/9e724ea23343...](https://speakerd.s3.amazonaws.com/presentations/9e724ea233434f9fb083bff26bc7fb4b/ShmooCon_2016.pdf)

Yeesh.

~~~
ultrarunner
I just checked my login items and found runChmm, adware that was apparently
installed as part of an FTP client used at work. I was trying to replicate a
scenario we see at work and got adware. Paranoia level increased indeed.

------
kazinator
> _But all it would have taken is for the attackers to add the 7 words “THIS
> PAGE MUST BE VIEWED IN FIREFOX” to the top of their page, and I’d have been
> toast._

Unless you were smart and ran the NoScript extension or something similar.

Landing into malicious pages happens; you're not going to avoid it with 100%
accuracy and have to be prepared with some sort of countermeasure.

------
iandanforth
Note for the nitpicky, the attack discussed made use of not one, but two
0-days to accomplish the sandbox escape.

[https://www.zdnet.com/article/mozilla-fixes-second-firefox-z...](https://www.zdnet.com/article/mozilla-fixes-second-firefox-zero-day-exploited-in-the-wild/)

------
ejstronge
> The joke was at least partially on them, since I’ve never owned any
> cryptocurrency other than a handful of Stellars that I got for free and have
> lost the password for. If they or any other attackers can help me get them
> back then I would be very grateful.

This also happened to me - and after returning to the Stellar site years
later, my old login did not work, and the page looked nothing like it used to.
Were the free Stellar tokens ever really granted?

------
barking
I presume that I can I take it from the lack of comment on the Firefox angle
that there are no concerns that Firefox is inherently less secure than Chrome?

~~~
larrik
Chrome had a nasty one back in March, so your presumption seems correct.

Really, the best way to protect yourself is to use an obscure OS, or a
separate machine for web browsing. Sounds paranoid, but the web is THE main
attack vector these days.

~~~
mnw21cam
There are disadvantages to using an obscure OS too, in that it is likely
slower to get security fixes, and may have more security flaws.

~~~
albertgoeswoof
The only logical answer is to write your own OS

The ultimate security by obscurity

------
myrandomcomment
<soapbox> Every time I open the UI for the Ubiquiti UniFi console in Safari it
complains that Safari may not work correctly and suggests Firefox or Chrome.
Every time I curse at it, ignore it and have had no issues. The simplest way
for me to not do what you ask is for you to tell me best viewed in X. If it
works in Firefox, Safari, Chrome and Edge, then £#&$*=+&$% you. Do your job
and test on the major platforms. My current company has a web UI and I make it
a point when using the product to open it in a different major browser each
time I touch it. If there is an issue I file a Jira ASAP vs the UI team.
</soapbox>

Okay I know this is about the Firefox security bug, but just a general rant
anyways.

------
ryandrake
I suppose it's easy to "Monday Morning Quarterback" this one, especially after
we now know it's a hoax, but honestly this is more fuel on the fire of: Never
respond to random people on the internet asking you for information or to do
something. Random people knocking on your door are almost always selling
something, and random people contacting you over the Internet are almost
always scammers.

The story could have ended at "I wouldn’t say I’m an “expert” in economics
exactly". Then why are you going and doing what this rando is asking you to
do? Deep six the E-mail and move on with your life.

~~~
CPLX
That's just really not true. Especially not in a professional setting.

I deal with this personally all the time, as the founder of a national
conference series. We reach out to people cold all the time and invite them to
prominent speaking roles. Sometimes people are surprised to hear from us or
don't think of themselves as public speakers but we're most certainly real and
serious.

I get it the other way all the time now too, people reaching out wanting to
partner, work together, have us write articles about them, whatever.

These are all super common use cases. There's a lot of business that gets
started by an introduction from a random person on the internet.

~~~
ryandrake
As is true for most HN posts, I should have prefaced with “In most but not all
cases...”

People who do not happen to be conference organizers or frequent recipients of
legitimate cold calls should, in most cases, ignore unsolicited messages from
strangers.

~~~
CPLX
Or business development executives. Or freelancers. Or journalists. Or
academics.

Or like anyone who has some level of networking as part of their job. Which is
a _lot_ of people.

The point being that most people need a better system than "ignore every email
that you get from a new contact".

------
dan-robertson
One thing the article goes into is all the signs that the mail was fake. I
think focusing on how one can spot such attacks is slightly silly for two
reasons:

1. If these errors caused attacks to be unsuccessful then I expect
(competent) attackers would stop making these mistakes

2. Plenty of real people make spelling errors or write single sentence
paragraphs or even plagiarise things (or have their own descriptions
plagiarised). Real people also host group things on personal sites. I think
relying on this sort of thing is too likely to lead to false positives (and
it's a lot easier to spot the “signs” once one knows the email is bad) and too
unreliable in the long term for reason 1.

One thing I wonder is how this sort of thing might be prevented. It seems that
once one’s pc is compromised there isn’t much one can do; newer security
mechanisms like security keys don’t help much if the device is compromised. I
don’t know how hardware bitcoin wallets (or similar devices) work so I can’t
say whether they might have protected the targets of this attack, although I
would guess they would not.

Sometimes I wonder if this is something there should be insurance for, but
would anyone buy it? I think it would have to start as insurance for companies
(which would require large numbers of companies to consider a breach like this
a major financial risk) before people, but such attacks would have to be
unlikely enough to be successful for the insurance to be cheap. I suggest
insurance with the vague hope that an insurer would want their customers to be
more secure to decrease the chance they have to pay out. I don’t know if it
would work that way in practice.

~~~
rmtech
A hardware wallet is safe even if the computer is hostile. That's why they
exist!

However it's possible that some other attack method could be used, e.g.
compromising the user's email account and going from there.

------
pjdemers
I thought 0-day exploits could be sold for a significant amount of money. I
wonder if the hackers bought one, or found one and thought they could make
more on their own than by selling it? And, if they did buy one, what was the
return on their investment?

~~~
zrobotics
If the 0-day can be sold, then what do the purchasers do to recoup their
investment? Aren't attacks like this one of the main reasons that a 0-day will
have value? Even malicious state-level actors will likely use the purchased
vuln in an attempt to gain access to a target system (potentially via similar
spear-phishing methods); although in that case their motivation will be access
to information rather than financial gain.

------
pierlu
I think the real moral of this story is that (like the fun vulnerabilities on
Flash and Java that we might remember), a combination of keylogger or strange
daemon might suddenly be running on your machine, scanning your files, either
on OSX or Windows. Simply visiting a website. So better (as said) is to use a
separate VM to access trusted domains (and yes, also VMs aren't these days so
trustable). Better to use 2FA and ciphering on-disk sensitive info and lose
the habit (if any) of storing a large number of files that stream from
locally mounted cloud accounts, like Google file stream, Onedrive files-on-
demand and so on.

~~~
danieldk
_So better (as said) is to use a separate VM to access trusted domains (and
yes, also VMs aren't these days so trustable)._

I would use the VM for accessing untrusted domains. If an exploit has your
host system, then it also has the trusted VM.

_ciphering on-disk sensitive info_

If an exploit has root-kitted your system, encryption does not help much.
Presumably you have the unencrypted volume mounted, moreover, the attacker
could log keystrokes.

If your machine is compromised, it is basically game over. Change all your
bank accounts, e-mail, etc. credentials immediately, wipe the disk. Be
suspicious about any file the malware may have touched.

------
tempodox
Systematic dropping of definite article makes me suspect the author may be a
native speaker of some eastern language with limited knowledge of English.

~~~
albertgoeswoof
It’s odd that they would have limited knowledge of English yet understand the
prestige of Cambridge, be able to create genuine looking LinkedIn pages and
target the attack so well. If you’re going to that much trouble, running a
spell checker over the email would seem like a reasonable step?

Most likely it’s a deliberate attempt to target people who are excited enough
by the email to not notice the grammar.

~~~
fwip
Foreign language speakers aren't stupid. You can Google "famous school
England" in any language.

There's no "second step" to this con. You don't have to get tricked into
wiring them money. If you visit the page, you lose.

~~~
albertgoeswoof
Exactly, they’re not stupid. So you’d expect them to use a spell checker if
they intended for the attack to have a high success rate on English speakers.

There may have been a second step for the attackers goals after the zero day,
e.g. ransomware or some other social engineering

~~~
tempodox
A spell checker still doesn't detect faulty grammar.

~~~
ndiscussion
A sufficiently good one does, Grammarly being the most well-known example I'm
aware of.

------
dheera
Funny that the browser that has been selling so much on privacy falls victim
to such a vulnerability.

In any case, if a site says "this site must be viewed in Firefox" that would
be a huge red flag, and all the more reason for me to leave. There aren't
really any features in Firefox that other browsers don't have.

~~~
feanaro
> Funny that the browser that has been selling so much on privacy falls victim
> to such a vulnerability.

All browsers fall to such vulnerabilities -- Chrome had one in March this
year. The difference is that some browsers (again, Chrome) are malicious by
design instead of only by accident.

------
Dylan16807
There are valid points about being tricked here, but it's all kind of
irrelevant in the presence of a JavaScript 0-day. You don't actually have to
trick anyone to use one of those; just make an interesting post on Tumblr and
away the hacks go. Trying to never get hit with a 0-day is a pipe dream.

------
fencepost
The two questions that immediately jumped to my mind on this are

1) does Coinbase's user base skew more towards Firefox than the average,
possibly because of perceived better security/privacy and a desire for that
among cryptocurrency users?

2) did the zeroday impact Tor browser users, and does Coinbase have a lot of
those?

~~~
easymodex
I don't think Coinbase users are looking for security/privacy. To be specific,
Coinbase is considered a novice cryptocurrency user platform since they have
some relatively hefty fees in exchange for being simple to use AKA "It's for
normies".

------
luckylion
Is it still spear-phishing when it's not a phishing attack but a 0-day? Is
there a better term?

~~~
gruez
AFAIK spear phishing refers to the fact that the attack is tailored/targeted,
rather than mass mailings.

~~~
shawabawa3
The "spear" means it's targeted, but it's still "phishing" \- meaning the
attack vector is a cloned version of a legit page

I guess this should be called spear-hacking?

~~~
PeterisP
This seems to fit the classic definition of spearphishing; the attack vector is
an impersonated/fake version of a legit _email_ and its sender. No matter if
the payload is in the form of an attachment or web link or a request for some
physical action (e.g. please scan and send a copy of your ID) that would fit
the phishing title.

------
somebodythere
If you have a significant amount of cryptocurrency, get a hardware wallet.

------
jbigelow76
I'm seriously thinking a dedicated Docker container just for reading email is
a pretty good idea.

~~~
hdfbdtbcdg
How would that help?

~~~
0xffff2
It would mean you need an additional vulnerability to escape the VM sandbox.

~~~
hdfbdtbcdg
Yeah if you check email in a VM. But how would a Docker container help?

~~~
0xffff2
Maybe I'm using terms interchangeably when I shouldn't be (I haven't jumped on
the containerization bandwagon), but a Docker container is still just a "VM
light", right? Part of its purpose is to isolate the things running inside of
it from anything else running on the system. I'm fairly certain my comment
still stands if you just `s/VM/container`.

~~~
hdfbdtbcdg
No.

Docker isolation is for convenience not security isolation.

------
noja
So did the attackers get control of a Cambridge e-mail account and web page?

~~~
jakejarvis
That was probably the easiest part of their escapade, sadly — spoofing a WiFi
access point with a fake portal comes to mind. Or posing as IT and mass-
emailing the university directory (which are rather easy to scrape at most
universities), keyloggers on lab computers, etc. Always possible that it could
have been as simple as just asking!

Out of ~20,000 students and ~10,000 staff, they only needed to get lucky once,
unfortunately.

------
ponyous
How can I check if I am infected?

------
aziraphale
> Neil describes his pre-university education as “High School”. We don’t have
> “High School” in the UK - we call it “Secondary School”. This might make
> sense if Neil was American, or trying to communicate with an American
> audience, but there’s no indication that this is the case.

Many secondary schools in the UK still have "High School" in their name. I've
always used the two terms interchangeably, but maybe that's because I went to
"<TownName> High School", or maybe it's because I'm old.

~~~
mnw21cam
This particular school (the Perse, in Cambridge) calls its secondary section
the "Upper School". It's also quite expensive.

------
DangerousPie
I don't understand the point of using compromised Cambridge accounts for this.
All they wanted people to do was to just click on a link. They could have
easily registered some legitimate sounding domain name and linked to that
instead. It wouldn't be unusual at all for an academic organisation to have a
separate site.

~~~
edent
It is a prestigious domain - with a high recognition factor. And, as part of
that, it will almost never be blocked by URL / DNS filters.

In this case, it clearly worked. The user saw cam.ac.uk and trusted it.
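Two comments in this thread describe the same failure from opposite sides: decasia's friend sent "what looked like a YouTube link" that did not actually go to YouTube, and edent points out that a link on a genuinely trusted domain such as cam.ac.uk sails past both the reader and URL/DNS filters. The following Python is an added example, not code from the thread or from the linked post: a small defender-side link inspector that resolves the host a browser would really connect to, flags the usual tricks (brand name in a subdomain or path, `brand@attacker` userinfo, punycode labels, visible text that disagrees with the href), and, just as importantly, shows what it cannot catch: a page under the real trusted domain passes cleanly, which is exactly edent's case and why the out-of-band verification jjwhitaker and safetyfirstb describe is still needed. All sample URLs are constructed, and the tiny suffix list standing in for the Public Suffix List is an assumption for illustration only.

```python
"""Defender-side link inspection: does a URL really go where its text suggests?

Added example, not from the HN thread or the linked post. Every URL below is
constructed for illustration. The public-suffix handling is a simplifying
assumption (a three-entry hard-coded list), not the real Public Suffix List.
"""
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List, so that
# 'www.cam.ac.uk' registers as 'cam.ac.uk' rather than 'ac.uk'.
MULTI_LABEL_SUFFIXES = {"ac.uk", "co.uk", "com.au"}


def _split(url: str):
    # Accept bare 'www.example.com/...' style text as well as full URLs.
    return urlsplit(url if "://" in url else "http://" + url)


def effective_host(url: str) -> str:
    """Hostname the browser would actually connect to (lower-cased).

    urlsplit().hostname already discards any userinfo, so the classic
    'https://youtube.com@evil.example/' trick resolves to 'evil.example'.
    """
    return (_split(url).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Approximate 'registrable domain' (eTLD+1) using the stand-in suffix list."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def inspect_link(url: str, expected_domain: str, display_text: str = "") -> list:
    """Return the reasons a link is suspicious; an empty list means none found.

    expected_domain is the registrable domain the reader *believes* the link
    leads to (e.g. 'youtube.com'); display_text is the anchor text or the URL
    shown to the reader, if different from the real href.
    """
    reasons = []
    parts = _split(url)
    host = (parts.hostname or "").lower()
    expected = expected_domain.lower()

    if parts.username is not None:
        reasons.append("userinfo before host (brand@attacker trick)")
    if not host:
        reasons.append("no host in URL")
        return reasons
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label in host (possible homograph)")

    reg = registrable_domain(host)
    if reg != expected:
        reasons.append(f"host {host!r} is not under {expected!r}")
        brand = expected.split(".")[0]
        if brand in host or brand in parts.path.lower():
            reasons.append(
                f"brand {brand!r} appears in the URL but not as its registrable domain")

    # Only treat the visible text as a URL when it plainly looks like one.
    if display_text.startswith(("http://", "https://", "www.")):
        shown = effective_host(display_text)
        if shown and registrable_domain(shown) != reg:
            reasons.append(f"visible text points at {shown!r}, href at {host!r}")
    return reasons


if __name__ == "__main__":
    # Constructed samples: the two trusted ones pass, the rest are flagged.
    samples = [
        ("https://www.youtube.com/watch?v=abc", "youtube.com", ""),
        ("https://www.cam.ac.uk/research/", "cam.ac.uk", ""),
        ("https://youtube.com.video-share.example/watch", "youtube.com", ""),
        ("https://youtube.com@evil.example/", "youtube.com", ""),
        ("https://evil.example/v", "youtube.com", "https://www.youtube.com/watch?v=1"),
    ]
    for url, expected, shown in samples:
        print(url, "->", inspect_link(url, expected, shown) or "looks consistent")
```

The second sample is the instructive one: a page under the real cam.ac.uk passes with no findings, because nothing in the URL is wrong. A compromised account on a trusted domain defeats any purely syntactic check, so this belongs in front of, not instead of, confirming the request through contact details taken from the organisation's own site.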

~~~
adam12
I wonder if the attackers were also thinking that these users would more
likely be using macOS. The exploit they were using only works in Firefox on
macOS.

