Hacker News new | past | comments | ask | show | jobs | submit login
I was seven words away from being spear-phished (robertheaton.com)
436 points by _ttg 5 months ago | hide | past | web | favorite | 180 comments

It's impossible to overestimate the power of expectations to create trust (even in the face of contrary indications).

This just almost happened to me this week: A couple of days ago I wrote an email to a friend I hadn't been in touch with for several years. A day later I got a message from him on Facebook with what looked like a YouTube link and the cryptic message, "It's you?"

I didn't want to see myself on a random youtube video I had never heard of, so I wrote back that I didn't want to click.

Then the next day my friend announced that his account had been hacked and that those messages were spam/malware, with a bad impersonation of a YouTube link. But I was so sure it was a legit message from my friend that I didn't even notice that the link didn't actually go to YouTube. Fortunately I never clicked it, but just like the OP, it was blind luck.

[edit: fixed wording]

A few days ago, I also received the same message from a friend with a link to a fake youtube page, but unlike you, I actually clicked it despite intuitively knowing that it was malicious. Seemed like a "regular" phishing attempt but I now wonder if it is more than that, having read this article.

Probably not a good idea to click a link you know is malicious, you never know what 0-Day they might have

That's what I keep my old Blackberry Z10 for. If I get something weird or want to go to dangerous places on internet (for research obviously) I use that thing. I'm pretty sure know one writes a 0-day for a 0.0% market share device.

Is your blackberry on your WiFi network? I’m guessing it hasn’t had a security patch in several years?

Be aware that an attacker could be automatically looking for exploitable devices just like z10 that and using that as a jump box into your network.

I use it mostly at home where it sits in the guest wifi(all connections between devices prohibited)

This is great, finally a use for old tech!

Right. 0-days did not not cross my mind. Until now.

Also, don't browse outside of your own VM...

I fell for a fake download button once, and it was when I was already working in IT. Not something I admit freely

Okay but let's be clear. Clicking a link won't steal your information.

Going to a bad link and giving your details is how you are phished.

Couple of years ago a significant news site here in .no had their ad network hacked. The result was that if you were browsing that site that morning, and was a customer of the largest bank in .no, you'd silently got served some software which would do a MITM attack against the online account page of said bank, redirecting any payments you did without your knowledge.

All you had to do was to visit that site with Java installed on that computer, which most users of said bank did because their 2-factor login relied on Java...

So yeah, don't click on random links.

I use firefox which I've locked down pretty hard. No site gets to run active content of any kind by default. No java, not even javascript. That and all the ad-blocking really limits likelihood of my getting infected from just an initial click, but even that isn't foolproof. IE once managed to let attackers get you just by viewing an image (CVE-2005-2308)

0-days are not limited to javascript - the next one might well be in the canvas/image/svg renderer. When someone has targeted you with a 0-day and you load the site they compromised website, all bets are off.

This attitude is exactly what the spear-fisher is hoping for! Mac people, especially, think their OS is "secure by design" (as Apple says it is) and there's no way they can be attacked.

Take another look at the article! This took advantage of a Firefox 0day that really could run software outside the brower's sandbox just by clicking on a link.

The article describes a Firefox exploit that lets a malicious page break out of the browser sandbox when viewed.

If that link has browser 0day, it can. If that link takes you to a page you expect to demand login creds (google groups, youtube, google docs), it can.

The specifics of this - the request to judge a prize one is clearly unqualified for - are we as software engineers particularly vulnerable to? Most people would, I think, conclude "this is fake, because why would I be asked to do this?". But I often think that as software engineers we fancy ourselves to have more insight into other fields than we really do. Does this ring true to anyone else?

Nearly every contest I've ever competed in has had judges who I didn't believe were vigorously qualified. Perhaps not in the final round, or in the most competitive sections, but they were there, somewhere, filling in the gaps. On the other side of the equation, I regularly got "please judge this contest" emails I wasn't qualified for while I was still in academia.

Falling for this phish woudln't need to be a matter of inflating one's opinion of oneself, it could simply happen by knowing that at the low end of contests, the bar for judging is low.

> But I often think that as software engineers we fancy ourselves to have more insight into other fields than we really do.

That hypothesis is easily confirmed simply by reading HN regularly!

In general that's a hazard of any knowledge worker job. Aren't physicists kind of infamous for thinking they can weigh in on other scientific fields, as if physics trumps everything else?

In any case, I think the "judge an economics prize" angle wasn't really intended to be a "software engineers are vain", but rather "people involved with cryptocurrency are likely to consider themselves to be experts on economics and think that they know better than most" so that actually seems like a very well-targeted phishing attempt.

They were targeting cryptocurrency people, not software engineers. And cryptocurrency people very often have an immensely inflated opinion of their own knowledge of economics, so it's actually absolutely perfect bait.

Ah, but can you be sure you're unqualified to judge a prize you haven't heard of without first visiting their website and figuring out what the prize is about?

Maybe the Adam Smith prize has a category for best embedded linux build system, or best strong beer...

It could be that they're setting up some new category related to tech or something, that would probably be my first attempt to rationalize why they sent the request to me. However, I think that a few minutes later I would've thought "but why would they ask an engineer and not an academic who has done research into this particular technology's contributions to economics?".

But, yes, I believe that the fact that software is transforming so much stuff all the time and we developers get to work with experts from all kinds of fields if we're lucky like agriculture, medicine, geology, finance and what not can give us a false sense of actually being an authority on any of the things we write software for.

> They ruthlessly exploited innocent people’s slightly over-inflated beliefs of their own abilities and importance,...

Inflated ego and/or the appearance of a rare opportunity (which would lead to further ego inflation) can cloud judgment.

Speaking personally, I would know myself to be unqualified, but I'd assume that someone's software picked up the fact that my name is on a refereed economics paper that has been cited over 100x.

So I could have fallen for this. Not because I have an overinflated sense of my own importance. But because I have a healthy respect for the erroneous conclusions that can be reached by automated incompetence.

> Does this ring true to anyone else

Not to me, and that jumped out at me as the most bizarre part of the story. I have a lot more of an economics background than "having read some Paul Krugman articles", but I'd think that this was obviously a scam because there's no way in hell that that anyone in the world would think I should be judging a competition on economics.

> Looking back it’s obviously completely absurd that the University of Cambridge would ask me to judge an economics competition

I don't think this really matters all that much. I might click the link anyway to find out what it is, or to find out why I am allegedly being considered, or even just out of general curiosity. It doesn't _stop_ the attack from working.

I think a process like with unwarranted phone calls is in order. Take the name and contact info provided but Google for the information yourself and contact the official site/email/phone number for information.

A word of warning: go to the actual site and find the contact details there.

I've seen an attacker change the contact details listed on Google search results (the ones that appear in the boxes) to their own.

I saw it used as part of a Windows help center scam, but I don't see why it wouldn't work here too.

That is what I had meant but not how my wording ended up. Verify the contact info from the vendor/firm's site itself if possible.

This is a fascinating story. It's funny though how, with compromised accounts at a highly reputable university and a 0-day exploit in one of the most-used pieces of software out there, they still managed to make basic grammatical errors in their phishing email. I mean, these people were clearly not messing around. Their attack(s) were highly targeted. And yet they still didn't check their written english!

If it hasn't already been tried, perhaps it's worth building a spam-blocker which checks for bad grammar and increases the spam score for every mistake found.

Besides the possibility that the mistakes were made deliberately, like other comments said, I can totally see how these two mistakes slipped through.

> He was also lucky that I didn’t care that he’d missed a “the” in We need your assistance in evaluating several projects for Adam Smith Prize.

Slavic languages, like Russian, don't have articles. In my experience the proper use of definite and indefinite articles is the most typical error native Slavic language speakers make.

> Apparently I further didn’t care that he’d unnecessarily capitalized the word Organizers in Adam Smith Prize Organizers, or that he didn’t seem to understand that a paragraph can contain more than a single sentence.

German capitalizes all nouns and German and English have plenty of nouns that are close enough that it's hard not get confused. Add to that all the exceptions where you do capitalize words in English, this is a hard problem for Germans.

My armchair linguists bet is that the mail was written by a German with Slavic roots.

I once read a theory that poor grammar, particularly with 419 scams, acts as a sort of gullibility filter where only the most susceptible targets will respond.

I doubt it in this case. It sounds like they had a browser zero-day, and could potentially steal cryptocurrencies from people they were targeting. You don't particularly care how gullible someone is; if you get your zero-day to successfully work on them and steal all their Bitcoin, there's nothing they can do about it.

I think the default assumption is the correct one here; the attacker(s) are a solo or small group of anonymous non-native English speakers, and the risk of getting another person in on it who is a native English speaker wasn't worth it. The smaller your criminal conspiracy, the better.

You may be overestimating the writing ability of native English speakers.

Agreed. The best example of this for me is nextdoor. The spelling and grammar for most of the posts are terrible and the posters are predominantly white and over 50.

The kind of mistakes a non-native English speaker makes tend to be different than ones an uneducated native speaker does.

I think that lack of an article 'the' is typical of native speakers of Slavic languages?

Slavs aren't the only ones though! Romance languages, while not completely lacking articles like Slavic ones, have slightly different requirements for articles. (They tend to use them more for abstract concepts, eg. "the reality" when we would say "reality", or "the <noun>(s)" for describing general behavior/attributes of that noun -- this difference may make speakers over-correct by using articles less in English)

Certain nouns are "inherently definite" -- names of people or places, for example, or abstractions or things which are inherently unique. Languages which mark definiteness often differ as to whether these inherently definite nouns, or which ones of them, should be marked as such. English generally treats them like proper names -- no article, definite or indefinite. Romance languages more often require the definite article. These are just two different ways of indicating the same underlying category.

It is. It took my father ~20 years of working in an English-speaking country to be consistent with his usage of that article.

If you're going to involve someone specifically for the purpose of writing English, then obviously you'd pick someone who's good at it. It's not a native/non-native distinction so much as it is "good at writing in English" vs not.

In this case though, since the zero day runs without consuming the attacker's time, what is to be gained by filtering out less-gullible people? If it's automated, why not cast as wide a net as possible?

Danger of discovery, perhaps? Every person who doesn’t end up judging the prize gets suspicious.

Fear of retribution/consequences?

Yup, it was a Microsoft Research paper IIRC. That's more applicable to scams that cast a wide net to avoid investing resources on savvier targets in the second, more labor-intensive phase. I don't think it would be too relevant to spear-phishing like this case where the resources are already invested in step 1.

Thank you!

When you're trying to trick people into sending money orders over seas that makes sense but not really when you're trying to get people to click a link that exploits a zero day to install malware.

I read in the past that this was intentional - it's a filter to ensure that people who are inclined to note detail pass up on the offer, meaning they only get the most likely prospects to be ripped off.

That’s likely true for the Nigerian prince scammers, but when they’ve got a browser zero day, they can successfully attack people that aren’t suckers.

True, but we don't know the next stage of their attack. Perhaps after compromising the target's machine the attackers would have to then engage in some social engineering.

They're targetting Coinbase employees and users, the logical next step is just to find the wallet file on the machine and steal the coin.

Once you drop a trojan on someone's machine, why do you need social engineering?

To your initial point, I assume that you're immediately thinking of a sloppy-writing person who's first language is English, as opposed to a hacker who learnt English as a second language. With the latter, it wouldn't be surprising that they spent less time learning a foreign language than learning about the technology that they're trying to attack

Can any of you recommend a way to create a sandbox that can seal off processes within a computer?

One option is to use a VPC on a cloud-hosted machine to access whatever emails, links, websites someone sends you, but this can be time-consuming and costs money.

This article claims that Docker would also not be a good solution:


"...container solutions do not and never will do guarantee to provide complete isolation, use virtualization instead if you require this."

So is there any other way to create a sealed off sandbox on your own machine that would create a type of moat between your machine and your adversary?

If you are interested you should check out Qubes OS: https://www.qubes-os.org/

It uses xen hypervisor to then launch separate VMs for your different applications. Not an OS for everyone but I have been running it for some time and have had a good experience with it.

I had written a jail for Windows a long long time ago - it was inspired by Unix's jail.

For an app you could configure what filesystem and registry access was allowed and you could redirect FS access.

Implemented it as a kernel driver that hooked into the relevant system calls. It was easier to do kernel dev back then (we are talking mid 2000's) - i havent touched windows kernel coding in years.

I wonder if Microsoft has implemented a jail for processes in recent versions of windows. Running browsers in a VM can be cumbersome.

Agreed about VMs in everyday use, and I'm wondering if the new Windows 10 Pro/Enterprise sandboxes would be a sufficiently safe alternative in these scenarios. After skimming this white paper it seems like they would, but I'm no expert in this area:


On Linux-based systems, Firejail [1] is designed specifically for that (originally for Firefox?). However, it's had quite a few CVEs of its own, and I don't know how effective it is in practice protecting against 0-day-type problems.

I believe this is the idea behind Qubes OS. Any virtualization system (virtualbox or whatnot) should give you some protection, at the cost of some convenience.

Running with javascript disabled except on a small set of sites will also help protect against many attacks.

That's what Java applets were supposed to be originally, they were supposed to run in a sandbox....

Not all sandboxes are created equal. Modern browsers have much better sandboxes than Java ever has had. OS level virtualization is even better.

If you read something like this [1], dated 1999, it seems like they had the right ideas. I guess it went wrong in the actual implementations.

[1] http://www.securingjava.com/chapter-two/chapter-two-2.html

By total coincidence, I was reading about Java sandbox exploits just a few days ago: http://phrack.org/papers/escaping_the_java_sandbox.html.

It feels to me (not a security guy!) like there was something fundamentally too complex here. I wonder if part of the problem is that unlike the browser, there's no natural boundary. JavaScript is was originally built to live in a small self-contained world with specific access to the outside. Java was built with features for writing applications that could touch the filesystem, redefine classes, and everything else. It was also supposed to make everything safe, but that led to complex checks everywhere to try to distinguish privileged from unprivileged code.

Dropping 'the' is a common error for Russians writing English. It's part of how the 2016 election meddling was blamed on the Russians.

Cool post. One small nitpick:

> Neil describes his pre-university education as “High School”. We don’t have “High School” in the UK - we call it “Secondary School”

Not true at all I'm afraid. Where I'm from (Norwich) we had First / Middle / High School / (Sixth Form or college) splits, alongside other schools that did the Primary / Secondary / 6th split.

In Buckinghamshire, one of the few places in the UK which still has selective state education (ie they test children at the end of primary school for broad academic ability and then send them to different state-funded secondary schools based on the results‡) they call most mixed or girl-only schools that you'd get to if you did "well" on those tests High Schools, with boy-only schools often named Grammar Schools although other combinations do happen.

‡ This causes an interesting phenomenon. Suppose you're a pair of moderately successful young parents, you _could_ afford to send your children to get privately educated but it'd mean money was tight and also you'd get called on it all the time because you're socially liberal and theoretically don't agree with private education. Well, Bucks Grammar Schools and High Schools have an excellent reputation, but the state pays for them. So, when the kids approach school age maybe you move to, say, Beaconsfield, a very nice town in Buckinghamshire where your kids would qualify (if they pass selection) for these schools. So immediately this drives up housing prices in Bucks.

But then later at selection age the options are all _terrible_. Unless you got very lucky your kid isn't smart enough to be 100% certain of getting in anywhere they want. Do you pay tutors to try to get your "not quite bright enough" kid over the line and pay off on this investment? Imagine if they spend the rest of their school life being the slowest kid in every class. That's not going to be a lot of fun, or a good psychological experience. Or maybe you decide to stick by your beliefs, and let them "fail" into a non-selective school, now they'll resent you. Perhaps you decide to spend money on private school if they "fail" - now they're the kid who was so dumb they're only at this school because they failed a test AND you're still out the cash.

And this choice comes up for each kid, if you are inconsistent they absolutely will know about it. And they're probably _all_ going to resent you both for it. And then you can argue among yourselves about whose fault this all is. Brilliant.

In my bit of Lancashire our secondary schools are usually officially called xxx high school and everyone says high school rather than secondary.

Same in Worcestershire when I was growing up there. It seems to vary regionally.

I've also seen High School used in Scotland

Cane here to say the same thing, e.g. https://en.m.wikipedia.org/wiki/Inverkeithing_High_School

Although, there's a subtle difference vs US usage: in Scotland High School is only used in the context of the name of a specific school, not as a term for the generic concept. E.g. "What secondary school did you attend?"; "I went to The High School" (meaning the Royal High School in Edinburgh). You'd never say "What high school did you attend?".

Even that point varies regionally. Where I grew up, in Glasgow, it's really common to talk about primary school kids going off to high school or talk about which high school you attended.

Agreed. I'm in my 50's and even back in the late 70's in Scotland you'd hear folks use "secondary school" and "high school" interchangeably. I myself went to a Scottish "High School" for my secondary education in the 70's/80's.

Interesting, was this when the High school (Glasgow High) was closed? I’m not clear on the dates, but the secondary must of reopened in the early 70s.

"Neil, if you are real and this is your real LinkedIn profile then I am so sorry. But if you’re so real then why did you copy someone else’s self-description?"

I would love to find out that the profile _is_ real, and that the JPMorgan dude is actually a fake profile for another scam (for trying to cheat people out of money), who stole this guy's self-description :P

The beautiful outcome being that he'd have publicly shamed and picked apart the guy's entire profile and foiled another scam in one hit :)

It's always nice to get a good healthy dose of paranoia in the morning. This makes me think back to how my sec professor had a separate system that he'd use to access his online banking.

To be honest, that's probably overboard. You're pretty much never liable for fraudulent fiat transactions. Crypto on the other hand...

Part of the fallout from fraud isn't being afraid of losing money. Banks and credit unions are generally on your side when it comes to disputing fraudulent charges. The hassle is getting it all sorted out - verifying identity with sometimes completely inept telephone reps, replacing cards, entering new payment information for recurring charges, etc.

On the other hand, there's also a cost to taking security measures. The time needed to maintain/switch to that separate system has a cost. There's a study[1] on this, but it's done with simple security measures with an unrealistically high probability of getting hacked.

[1] https://arxiv.org/abs/1805.06542

I've heard of at least one case where money was transferred out of someone's bank account through online banking and he was held liable. The user claimed fraud but since the intruder used his username and password the bank refused to refund the money claiming he had a responsibility to secure his username and password.

>since the intruder used his username and password the bank refused to refund the money claiming he had a responsibility to secure his username and password

what jurisdiction is this? this seems like the worse consumer protection law ever.

Especially if the password could only be 8 letters or something, like a lot of banks have to deal with old systems.

It was definitely the U.S. I want to say Maine, but my memory is fuzzy.

These days I'm doing something similar. Using only my iOS devices, and my Chromebook, for sensitive sites. On the Chromebook, I take it a step further by using the Android version of Firefox Focus. In theory, that gives me both the inherent security of Chrome OS, and security of the OS's Android container. Almost a poor man's version of Qubes OS in a way.

I'm not sure this is the best approach, and I'm becoming less comfortable with Google and Chrome OS on general principles, but I do feel more secure with iOS and Chrome OS than I do with general purpose computing devices.

I use a dedicated VM. It is only started when I need to do some banking, and can't talk to most of the internet.

I don't get it, shouldn't you use the VM for accessing everything except your bank?

If the host gets compromised from non-banking activity, it can just take over your VM.

Almost all of my activity on that machine is in one VM or another. I mostly only work on the host OS when I'm making a new VM.

My “solution” is that the VM is a different OS, amplifying the resources required to attack me beyond worth.

What kind of system?

A linux toaster

It toasted linux!? (I'm okay being downvoted a little for that...)


"toaster" is pretty common argot for "low-power computer"

After the Power Mac g4 cube came out, that form factor became a trend for a little while.


I immediately thought of this: https://www.embeddedarm.com/blog/netbsd-toaster-powered-by-t...

It's an actual toaster running NetBSD.

that seems kind of oxy-moronic? aren't toasters horribly energy hungry?

The comparison is in the computing power needed to control a toaster, not to toast the toast.

I would have defined toaster as "slow, horribly outdated computer". That also fits your toaster comparison since old computers are very energy hungry compared to similarly speced modern computers.

I have a white EeePC 901. While I was still using it as my carry-around laptop, it was called "Toastie", because it looked kind of like a sandwich toaster.

A case of "flattery will get you everywhere":

> I received a very flattering email from the University of Cambridge, asking me to judge the Adam Smith Prize for Economics ...

> I wouldn’t say I’m an “expert” in economics exactly, but the university’s request wasn’t that surprising. I do have a subscription to The Economist ...

> I’ve read a few books by Paul Krugman, but aside from that have never studied or practiced economics

Which, in my experience, is not a typical tactic employed by phishers. Usually it's greed (Here's $50 million for you) or alarm (You've been hacked!).

That's interesting - there is indeed a grh37 at Cambridge but he's an undergraduate studying Chemistry at Selwyn. No idea about how that happened, but there's been a bunch of really poorly written Emotet/Heodo spam emails floating around the email system the past few years. I'd guess that he managed to get his account compromised while logged into Windows on a UCS computer (which would be a feat in itself, given how poorly written the first stage dropper is), his UCS account got compromised, and someone uploaded the malicious website to his public_html folder.

EDIT: Apparently they've blocked new user signups for DS-Web, but this is kinda pointless given that every new student is automatically given their very own live website until they graduate.

This "spear" was also for a MacOS vulnerability. No doubt most Mac people think they're immune to viruses and malware, making this even more effective.

It is very well thought out attack.

A lot of recent high profile targeted hacks have been against macos (poker stars, Saudi activist, Chinese activists, ...).

Let's just agree that all platforms are vulnerable and anyone telling you otherwise should not be trusted.

All platforms are vulnerable; it does not follow that running commercial anti-malware products is good idea, or even likely to make you less vulnerable, on every platform, which is the usual context for "Macs and viruses" arguments.

I thought myself fairly well informed about macOS, having run it since the 10.1 days, administering it over the years, etc. But TIL that the quarantine bit and gatekeeper which normally prevent unauthorized executables from running is trivially bypassed, as was the case in this attack.

My paranoia level has increased.




I just checked my login items and found runChmm, adware that was apparently installed as part of an FTP client used at work. I was trying to replicate a scenario we see at work and got adware. Paranoia level increased indeed.

> gatekeeper ... is trivially bypassed

It's almost as if they waste a legit user's time, and developer's nominal fees on certs, notary, etc., for something that malware will not actually be subject to.

Maybe that's a little disingenuous as Apple can work to close gaps, holes and bugs.... But when it doesn't actually stop malware in the real world and honest people need to jump through hoops, the cynic's reading is easy to make.

Similar discussion to be had around DRM. (Punish legit users by default, and bad actors will still find a way.)

> But all it would have taken is for the attackers to add the 7 words “THIS PAGE MUST BE VIEWED IN FIREFOX” to the top of their page, and I’d have been toast.

Unless you were smart and ran the NoScript extension or something similar.

Landing into malicious pages happens; you're not going to avoid it with 100% accuracy and have to be prepared with some sort of countermeasure.

Note for the nitpicky, the attack discussed made use of not one, but two 0-days to accomplish the sandbox escape.


> The joke was at least partially on them, since I’ve never owned any cryptocurrency other than a handful of Stellars that I got for free and have lost the password for. If they or any other attackers can help me get them back then I would be very grateful.

This also happened to me - and after returning to the Stellar site years later, my old login did not work, and the page looked nothing like it used to. Were the free Stellar tokens ever really granted?

I presume that I can I take it from the lack of comment on the Firefox angle that there are no concerns that Firefox is inherently less secure than Chrome?

Chrome had a nasty one back in March, so your presumption seems correct.

Really, the best way to protect yourself is to use an obscure OS, or a separate machine for web browsing. Sounds paranoid, but the web is THE main attack vector these days.

There are disadvantages to using an obscure OS too, in that it is likely slower to get security fixes, and may have more security flaws.

The only logical answer is to write your own OS

The ultimate security by obscurity

You could use something like NixOS, which has interpreters, libc, etc. in non-canonical paths. And you still have the protections of Linux and speedy security updates.

Of course, this is security by obscurity, an attacker could adjust the malware for such cases.

Or disable JavaScript, which is the cause of most RCE exploits.

Do you mean whitelist JavasScript to known good sites?

HN is about the only site that I frequent that is usable without JS.

The progressive enhancement ship has sailed into abyss.

You could use Qubes OS[0] which will allow you to isolate different aspects of your computing into separate VMs easily.

[0] https://www.qubes-os.org/

Previous discussion about the zero-day itself: https://news.ycombinator.com/item?id=20233952

Browsers have zero-days sometimes; this is a valid question worth asking, but for now I wouldn't tell anyone to ditch Firefox over this, any more than I would tell someone to ditch MacOS over this.

How common are browser 0-days? It seems like everyone makes mistakes. Eg Chrome patched CVE-2019-5786 last month.

<soapbox> Every time I open the UI for the Ubiquiti UniFi console in Safari it complains that Safari may not work correctly and suggest Firefox or Chrome. Every time I curse at it, ignore it and have had no issues. The simplest way for me to not do want you ask is for you to tell me best viewed in X. If it does it working in Firefox, Safari, Chrome and Edge, then £#&$*=+&$% you. Do your job and test on the major platforms. My current company has a web UI and I make it a point when using the product to open it in a different major browsers each time I touch it. If there is an issue I file a Jira ASAP vs the UI team. </soapbox>

Okay I know this is about the Firefox security bug, but just a general rant anyways.

I suppose it's easy to "Monday Morning Quarterback" this one, especially after we now know it's a hoax, but honestly this is more fuel on the fire of: Never respond to random people on the internet asking you for information or to do something. Random people knocking on your door are almost always selling something, and random people contacting you over the Internet are almost always scammers.

The story could have ended at "I wouldn’t say I’m an “expert” in economics exactly". Then why are you going and doing what this rando is asking you to do? Deep six the E-mail and move on with your life.

That's just really not true. Especially not in a professional setting.

I deal with this personally all the time, as the founder of a national conference series. We reach out to people cold all the time and invite them to prominent speaking roles. Sometimes people are surprised to hear from us or don't think of themselves as public speakers but we're most certainly real and serious.

I get it the other way all the time now too, people reaching out wanting to partner, work together, have us write articles about them, whatever.

These are all super common use cases. There's a lot of business that gets started by an introduction from a random person on the internet.

As is true for most HN posts, I should have prefaced with “In most but not all cases...”

People who do not happen to be conference organizers or frequent recipients of legitimate cold calls should, in most cases, ignore unsolicited messages from strangers.

Or business development executives. Or freelancers. Or journalists. Or academics.

Or like anyone who has some level of networking as part of their job. Which is a lot of people.

The point being that most people need a better system than "ignore every email that you get from a new contact".

Yeah, so I have published a few journal articles. Nary a day goes by without receiving multiple emails begging for me to speak at a conference (invariably in China), or submit another article to their particular journal (that I have never heard of before). So, you can understand why cold introduction emails tend to get redirected to /dev/null.

One thing the article goes into is all the signs that the mail was fake. I think focusing on how one can spot such attacks is slightly silly for two reasons:

1. If these errors caused attacks to be unsuccessful then I expect (competent) attackers would stop making these mistakes

2. Plenty of real people make spelling errors or write single sentence paragraphs or even plagiarise things (or have their own descriptions plagiarised). Real people also host group things on personal sites. I think relying on this sort of thing is too likely to lead to false positives (and its a lot easier to spot the “signs” once one knows the email bad) and too unreliable in the long term for reason 1.

One thing I wonder is how this sort of thing might be prevented. It seems that once one’s pc is compromised there isn’t much one can do; newer security mechanisms like security keys don’t help much if the device is compromised. I don’t know how hardware bitcoin wallets (or similar devices) work so I can’t say whether they might have protected the targets of this attack, although I would guess they would not.

Sometimes I wonder if this is something there should be insurance for, but would anyone buy it? I think it would have to start as insurance for companies (which would require large numbers of companies to consider a breach like this a major financial risk) before people but such attacks would have to be unlikely enough to be successful for the insurance to be cheap. I suggest insurance with the vague hope that an insurer would want their customers to be more secure to decrease the chance they have to pay out. I don’t know if it would work that way in practice.

A hardware wallet is safe even if the computer is hostile. That's why they exist!

However it's possible that some other attack method could be used, e.g. compromising the user's email account and going from there.

I thought 0-day exploits could be sold for a significant amount if money. I wonder if the hackers bought one, or, found one and thought they could make more on their own than by selling it? And, if they did buy one, what was the return on their investment?

If the 0-day can be sold, then what do the purchasers do to recoup their investment? Aren't attacks like this one of the main reasons that a 0-day will have value? Even malicious state-level actors will likely use the purchased vuln in an attempt to gain access to a target system (potentially via similar spear-phishing methods); although in that case their motivation will be access to information rather than financial gain.

I may be making things up, but I remember reading the particular bug was reported by a white hat to Firefox’s internal bug tracker and somehow may have gotten leaked.

I think the real moral of this story is that (like the fun vulnerabilities on Flash and Java that we might remember), a combination of keylogger or strange daemon might be running suddendly on your machine, scanning your files, either on OSX or Windows. Simply visiting a website. So better (as said) is to use a separate VM to access trusted domains (and yes, also VMs aren't these days so trustable). Better to use 2FA and ciphering on-disk sensitive info and loose the habit (if any) of storing a large number of files that streams from locally mounted cloud accounts, like Google file stream, Onedrive files-on-demand and so on.

So better (as said) is to use a separate VM to access trusted domains (and yes, also VMs aren't these days so trustable).

I would use the VM for accessing untrusted domains. If an exploit has your host system, then it also has the trusted VM.

ciphering on-disk sensitive info

If an exploit has root-kitted your system, encryption does not help much. Presumably you have the unencrypted volume mounted, moreover, the attacker could log keystrokes.

If your machine is compromized, it is basically game over. Change all your bank accounts, e-mail, etc. credentials immediately, wipe the disk. By suspicious about any file the malware may have touched.

Systematic dropping of definite article makes me suspect the author may be a native speaker of some eastern language with limited knowledge of English.

It’s odd that they would have limited knowledge of English yet understand the prestige of Cambridge, be able to create genuine looking linkedin pages and target the attack so well. If you’re going to that much trouble running a spell checker over he email would seem like a reasonable step?

Most likely it’s a deliberate attempt to target people who are excited enough by the email to not notice the grammar.

Foreign language speakers aren't stupid. You can Google "famous school England" in any language.

There's no "second step" to this con. You don't have to get tricked into wiring them money. If you visit the page, you lose.

Exactly, they’re not stupid. So you’d expect them to use a spell checker if they intended for the attack to have a high success rate on English speakers.

There may have been a second step for the attackers goals after the zero day, e.g. ransomware or some other social engineering

A spell checker still doesn't detect faulty grammar.

A sufficiently good one does, grammarly being the most well-known example I'm aware of.

Funny that the browser that has been selling so much on privacy falls victim to such a vulnerability.

In any case, if a site says "this site must be viewed in Firefox" that would be a huge red flag, and all the more reason for me to leave. There aren't really any features in Firefox that other browsers don't have.

> Funny that the browser that has been selling so much on privacy falls victim to such a vulnerability.

All browsers fall to such vulnerabilities -- Chrome had one in March this year. The difference is that some browsers (again, Chrome) are malicious by design instead of only by accident.

>Funny that the browser that has been selling so much on privacy falls victim to such a vulnerability.

How so? Privacy is not inherently synonymous with security.

There are valid points about being tricked here, but it's all kind of irrelevant in the presence of a javascript 0-day. You don't actually have to trick anyone to use one of those; just make an interesting post on tumblr and away the hacks go. Trying to never get hit with a 0-day is a pipe dream.

The two questions that immediately jumped to my mind on this are

1) does Coinbase's user base skew more towards Firefox than the average, possibly because of perceived better security/privacy and a desire for that among cryptocurrency users?

2) did the zeroday impact Tor browser users, and does Coinbase have a lot of those?

I don't think Coinbase users are looking for security/privacy. To be specific, Coinbase is considered a novice cryptocurrency user platform since they have some relatively hefty fees in exchange for being simple to use AKA "It's for normies".

The original spearphishing targeted Coinbase employees, not their users. It seems once that failed, the people behind this cast a wider net.

Is it still spear-phishing when it's not a phishing attack but an 0day? Is there a better term?

AFAIK spear phishing refers to the fact that the attack is tailored/targeted, rather than mass mailings.

The "spear" means it's targeted, but it's still "phishing" - meaning the attack vector is a cloned version of a legit page

I guess this should be called spear-hacking?

This seems to fit the classic definition of spearphishing; the atack vector is an impersonated/fake version of a legit email and its sender. No matter if the payload is in the form of an attachment or web link or a request for some physical action (e.g. please scan and send a copy of your ID) that would fit the phishing title.

It doesn't really seem that targeted, just tailored. If they'd only emailed people who used crypto, that might be spear phishing.

Edit: nevermind, I didn't realize he worked on coinbase.

It's not clear from the article, since the author didn't (apparently) get successfully targeted, what the ultimate goal of the attack was or whether they were actually after something from a particular individual. However, it doesn't seem like a well-planned attack if that was the case.

Some kind of targeted honeypot perhaps? But that is inverted from its typical use.

Edit: Maybe a trojan honeypot but I'm literally just stringing words together here.

If you have a significant amount of cryptocurrency, get a hardware wallet.

I'm seriously thinking a dedicated Docker container just for reading email is a pretty good idea.

How would that help?

It would mean you need an additional vulnerability to escape the VM sandbox.

Yeah if you check email in a VM. But how would a Docker container help?

Maybe I'm using terms interchangeably when I shouldn't be (I haven't jumped on the containerization bandwagon), but a Docker container is still just a "VM light", right? Part of its purpose is to isolate the things running inside of it from anything else running on the system. I'm fairly certain my comment still stands if you just `s/VM/container`.


Docker isolation is for convenience not security isolation.

So did the attackers get control of a Cambridge e-mail account and web page?

That was probably the easiest part of their escapade, sadly — spoofing a WiFi access point with a fake portal comes to mind. Or posing as IT and mass-emailing the university directory (which are rather easy to scrape at most universities), keyloggers on lab computers, etc. Always possible that it could have been as simple as just asking!

Out of ~20,000 students and ~10,000 staff, they only needed to get lucky once, unfortunately.

How can I check if I am infected?

> Neil describes his pre-university education as “High School”. We don’t have “High School” in the UK - we call it “Secondary School”. This might make sense if Neil was American, or trying to communicate with an American audience, but there’s no indication that this is the case.

Many secondary schools in the UK still have "High School" in their name. I've always used the two terms interchangeably, but maybe that's because I went to "<TownName> High School", or maybe it's because I'm old.

This particular school (the Perse, in Cambridge) calls its secondary section the "Upper School". It's also quite expensive.

I don't understand the point of using compromised Cambridge accounts for this. All they wanted people to do was to just click on a link. They could have easily registered some legitimate sounding domain name and linked to that instead. It wouldn't be unusual at all for an academic organisation to have a separate site.

It is a prestigious domain - with a high recognition factor. And, as part of that, it will almost never be blocked by URL / DNS filters.

In this case, it clearly worked. The user saw cam.ac.uk and trusted it.

I wonder if the attackers were also thinking that these users would more likely be using macOS. The exploit they were using only works in Firefox on macOS.

_Any_ other domain, and I'm just going to ignore it. A legitimate *.ac.uk domain, and there's a good chance I will click it to find out what it is, even if I don't believe it. At that point, they've won (it's a 0-day).

Using a recognisable domain lets my guard down just enough ("there's no risk in going to a cam.ac.uk domain") for an attack like this to work.

A compromised Cambridge url gives a lot of credence to their claim though, especially with the paranoid coinbase developer they were targeting.

It also means the e-mail is significantly more likely to make it past a spam filter, even an aggressive one. There was very little in that e-mail any reasonable spam filter could possibly have flagged, unless they're going to start doing API calls to grammarly. But if they check spelling and grammar, filters will start flagging a lot more than spam.

.ac.uk emails get spam filtered pretty harshly.

My Alma Mater, The Norwegian University of Technology and Science in Trondheim, Norway had issues with student E-mails being spamhammered all over the world.

Why? All student accounts were hosted under stud.ntnu.no; presumably authors of spam filters made other associations when they saw the string 'stud' than it being short for 'student'.

Cough. Their practice of automagically generating user names based on parts of your first and last name in my time led to two users having (for a short time!) the addresses hung@stud.ntnu.no and pervo@stud.ntnu.no.

Their practice of automagically generating user names based on parts of your first and last name in my time led to two users having (for a short time!) the addresses hung@stud.ntnu.no and pervo@stud.ntnu.no.

Brenda Utthead feels their pain.

really? why?

Not sure but some guesses:

Traditionally students got a lot of leeway with running their own stuff maybe there have been a few doing not-good-things?

Lots of academics who don't take security seriously have had more admin access to live servers than they should and then stuff like the article happens?

It's the cyber-version of speaking with a British accent.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact