I was seven words from becoming a victim of targeted phishing

Translation. Original author: Robert Heaton
Three weeks ago I received a very flattering email from Cambridge University inviting me to act as a judge for the Adam Smith Prize in Economics:

Dear Robert,

My name is Gregory Harris. I am one of the Adam Smith Prize Organizers.

Every year we update a team of independent experts to assess the quality of competing projects: http://people.ds.cam.ac.uk/grh37/awards/Adam_Smith_Prize

Our colleagues recommended you as an experienced specialist in this field.

We need your help in evaluating several projects for the Adam Smith Award.

We are waiting for your reply.

Regards, Gregory Harris

I would not call myself an “expert” in economics, but the university’s request did not seem implausible. I subscribe to The Economist, and I understand, very roughly, how and why central banks set interest rates. I read Capital in the Twenty-First Century and basically grasped the gist of the first half. Several posts on my blog are tagged “economics.” Perhaps I could make some contribution to the new discipline of computational economics. On the whole, it seemed quite likely that the organizers of the Adam Smith Prize would want to hear my opinion. I expected it would mean a lot of unpaid work, but the offer was still very pleasant.

However, deep down I felt that there had been some misunderstanding. Perhaps I, Robert Heaton, had been confused with some Professor Hobert Riton from the University of California, San Diego, a specialist in Heckscher-Ohlin trade theory, who was patiently waiting for the chance to advance his career through transatlantic cooperation. Nevertheless, I decided to pull on this thread and indulge the fantasy a little.

Reflexively, I performed some basic security checks. The email was sent from an @cam.ac.uk address. I hovered the mouse over the link in the email, http://people.ds.cam.ac.uk/grh37/awards/Adam_Smith_Prize. It pointed to the same URL as the text, on a valid subdomain of cam.ac.uk. It seemed a little strange to me that the page lived in the personal directory grh37 rather than on the Faculty of Economics site; but fine, that probably just means less bureaucracy. I followed the link and read a little about the history of the Adam Smith Prize.

If “Gregory” had added just seven more words to this page, “The page should be viewed in Mozilla Firefox browser”, I would certainly have been done for. But more on that later.

Then I went to the main page of cam.ac.uk and confirmed that it really was the domain of Cambridge University. I quickly googled Gregory Harris of Cambridge, but found little. I vaguely remember some LinkedIn account. But this is normal; not everyone has a Twitter profile or a cooking blog.
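As an added illustration (not code from the original post), here is the checklist from the two paragraphs above turned into a script and run over a constructed message in the shape of the lure; the sender address and the HTML body are assumptions, not the real email. Every domain-based check passes, which is exactly the problem: a compromised legitimate account on a legitimate host satisfies all of them, and the only signal left is the weak “personal directory” oddity the post mentions.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the shape of the lure described in the post (not the real message).
RAW_EMAIL = """\
From: Gregory Harris <g.harris@cam.ac.uk>
To: rob@example.com
Subject: Adam Smith Prize
Content-Type: text/html; charset=utf-8

<p>Every year we update a team of independent experts:
<a href="http://people.ds.cam.ac.uk/grh37/awards/Adam_Smith_Prize">http://people.ds.cam.ac.uk/grh37/awards/Adam_Smith_Prize</a></p>
"""

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def in_domain(host, domain):
    """True if host is domain itself or a subdomain of it (no lookalike suffix tricks)."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)

def run_checks(raw, expected_domain="cam.ac.uk"):
    """Runs the post's hover-and-look checks; every key is True for the lure above."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender_host = msg["From"].addresses[0].domain
    parser = LinkCollector()
    parser.feed(msg.get_content())
    hosts = [urlparse(h).hostname or "" for h, _ in parser.links]
    return {
        "sender_in_domain": in_domain(sender_host, expected_domain),
        "href_matches_text": all(h == t for h, t in parser.links),
        "links_in_domain": all(in_domain(h, expected_domain) for h in hosts),
        # Weak signal only: page hosted under a personal "people." host, not a department site.
        "personal_directory": any(h.startswith("people.") for h in hosts),
    }
```

All four checks come back True here: the first three are the reassurance that lulled the author, and the fourth is the one oddity that could have prompted a second look.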

I remember that Gregory’s email struck me as very short and poorly worded. I also thought he could use a few lessons on how to effectively ask strangers on the Internet to do free work for him. He was lucky that I didn’t care about such trifles. He was also lucky that I didn’t care that he had dropped “the” from the sentence “We need your assistance in evaluating several projects for Adam Smith Prize.” Apparently I also didn’t care that he capitalized “Organizers” and didn’t seem to understand that a paragraph can contain more than one sentence.

At that time, I just thought that he was not a very good writer.

I sent Gregory a short reply, expressing interest and asking for more information.

Hello Gregory,

Thank you for your letter. Of course I'm interested. Could you tell a little more about what is needed for this and who recommended me?

All the best, Rob

Gregory answered quickly. I was in business!

Hello Rob,

Thanks for the quick reply.

Your candidacy was on the list of candidates we received from the University of California, San Francisco.

We will send you a description of several projects and a list of questions and criteria for their evaluation.

I think the plan will be ready by mid-June.

Best regards, Gregory

I began to feel like some kind of impostor. Poor Hobert Riton sits all alone in his office in San Diego, wondering why nobody is inviting him to judge the contest. I decided to share my doubts with my new friend Gregory, without hiding my misgivings about my own qualifications. If he still wanted me in the competition, that wouldn’t be my fault.

Hello, Gregory,

I'm starting to think there may have been some kind of mix-up. I have read several books by Paul Krugman, but I have never studied or worked in economics. I am a software engineer by occupation and education (https://www.linkedin.com/in/robertjheaton/). What do you think? Is there another Robert Heaton in San Francisco who knows a little more about economics?


Gregory agreed (faster than I had hoped) that there might have been a mistake.

Hello Rob,

Yes, there may be a mistake. I will consult with colleagues and will contact you shortly.

Best regards, Gregory

That was the last thing I heard from Gregory Harris. It seemed that the story was over.

But on Friday, a letter came from Coinbase:

Hello,

You may have recently received an email from a person named Gregory Harris or Neil Morris, posing as the organizers of a University of Cambridge competition. These are fake profiles belonging to an advanced attacker who is trying to install malware on your computer ...

On reflection, it all made sense.

I had almost fallen prey to a technically sophisticated spear-phishing campaign. As far as I can tell (none of this was stated explicitly anywhere, and I could well be mistaken), the attackers compromised the email accounts and personal web pages at Cambridge University belonging to two people named Gregory Harris and Neil Morris. They then used those accounts to run a phishing campaign that encouraged each victim to visit one of the two compromised pages on http://people.ds.cam.ac.uk. If the victim was using Firefox, malicious JavaScript on the page exploited a 0-day vulnerability in Firefox that let the exploit escape the browser sandbox and run malware directly on the operating system.

I carelessly followed the link Gregory Harris sent me several times. Fortunately, I was using Chrome, so the malicious JavaScript exploit did nothing. But if the attackers had done just a little more work and added seven words at the top of the page, “The page should be viewed in the Mozilla Firefox browser”, I would have been done for. I would have laughed at the silly web developers who still hadn’t got basic cross-browser compatibility right, and smugly pasted the link into Firefox. It’s not even clear why the attackers didn’t do this. Perhaps they didn’t have full control over the page content, or perhaps they were trying to act as subtly as possible.

Initially, the attackers targeted employees of the Coinbase cryptocurrency exchange. But they soon widened the campaign to a broader audience of people supposedly associated with cryptocurrency. They presumably wanted to steal our sweet, untraceable pieces of blockchain. In any case, they were out of luck, because I have never owned any cryptocurrency, apart from a few Stellar lumens that I got for free and whose password I have forgotten. If they or any other malefactors could help me get those back, I would be very grateful.

Armed with two real-looking profiles, a 0-day Firefox vulnerability and a list of email addresses of people associated with cryptocurrency (plus me), the attackers got to work. They ruthlessly exploited the slightly inflated opinion that innocent people hold of their own abilities and importance, and infected everyone who opened the link in Firefox on macOS with a Trojan. The Firefox vulnerabilities have now been fixed, and the web pages from the phishing emails have been taken down. But I would be surprised if at least a few people didn’t lose a couple of satoshis, or a billion.

I’m not sure what role Cambridge University plays in this story. I don’t know whether “Gregory Harris” and “Neil Morris” are real people whose university accounts were compromised, or fake personas created by someone who compromised the whole university computing system, or whether I simply don’t understand what happened. Just in case, I don’t want to publicly poke my nose into the online lives of Gregory or Neil if they are real people, but I strongly suspect that these are fake accounts. That is an entirely unfounded assumption, as is everything that follows, so if you work at Cambridge University, please don’t send hate my way. Please tell us what really happened instead.

I could not find any trace of Gregory Harris or Neil Morris online apart from their alleged LinkedIn profiles. Once again, this is normal. Not everyone has Instagram or Star Wars fan fiction. However, Gregory Harris’s LinkedIn profile was recently deleted; he still shows up in Google search results, but the profile is no longer available on LinkedIn. And while Neil Morris’s profile is still there, it is probably fake.

At first glance, Neil’s profile looks fairly plausible.

But a quick Google search shows that the description is copied from another LinkedIn profile.

That alone is enough to confirm my suspicions. But if you look closer, there are a few more amusing details:

  • Neil’s description of his master’s degree is a bit odd. He writes “Five Courses and a Thesis,” but then lists only four courses.
  • Neil spent seven years in secondary school. That is standard in the UK. But his last two years there apparently overlapped with his first two years at university. That makes no sense.
  • Neil describes his pre-university education as “High School.” We have no “High School” in the UK; we call it “Secondary School.” That could make sense if Neil were American or writing for an American audience, but there is no sign of either.
  • His LinkedIn profile photo is a stock photo of Cambridge University. At first I didn’t notice, but in light of the above it seems a little strange. Does he really love his university so much that he uses a photo of it in his professional profile? Not even a photo of an office, but of the university? It’s more likely that someone is trying to build a fake profile that tells the casual reader: “I work at Cambridge University, nothing to see here.”

Neil, if you exist and this is your real LinkedIn profile, then I’m sorry. But if you are a real person, why did you copy someone else’s self-description?

I don’t think clicking the link in the phishing email was an oversight on my part. An exploit for a 0-day browser vulnerability hosted on a cam.ac.uk subdomain is not part of my personal threat model, and I think that is reasonable. Security has to be balanced with pragmatism. You can’t demand that everything in the world carry a GPG signature on a web of trust that leads back to Bruce Schneier. My Twitter DMs are, however, open for galling criticism of this statement.

Still, this episode left me feeling incredibly awkward. Although the story ends happily, I did take the hook of a phishing attack, and very nearly swallowed the bait. I was simply lucky that the attack vector was a 0-day in software I don’t use, rather than something more mundane. Had the correspondence gone on a little longer, I probably would have enabled macros in Microsoft Office documents sent by Gregory Harris, and might even have run a program he sent me if he had said it was part of the registration process. As I mentioned, I have no cryptocurrency, but I do have money in online bank accounts that I would generally prefer to keep.

I don’t know what the moral of this story is. Perhaps the main lesson is that you should stay vigilant when communicating with strangers on the Internet, even when they have legitimate email addresses with valid DKIM signatures. It is also very easy to overlook a large number of inconsistencies and oddities when you believe someone’s story, especially when the story flatters you. Looking back, it was completely absurd to believe that the University of Cambridge would invite me to judge an economics competition, and rereading the email from Gregory Harris, it is immediately obvious that he is no professional at online communication. But I didn’t think critically, lulled into a false sense of security by an email from an @cam.ac.uk address and by my own ego.

And one last moral: think twice before modestly (or immodestly) telling others that you have been invited to judge the Adam Smith Prize in Economics.
