Three weeks ago, I received a very complimentary letter from the University of Cambridge inviting me to judge the Adam Smith Prize in Economics:
Dear Robert,
My name is Gregory Harris. I am one of the Adam Smith Award Organizers.
Every year we update a team of independent experts to assess the quality of competing projects: http://people.ds.cam.ac.uk/grh37/awards/Adam_Smith_Prize
Our colleagues recommended you as an experienced specialist in this field.
We need your help in evaluating multiple projects for the Adam Smith Award.
Waiting for your answer.
Regards, Gregory Harris
I would not call myself an “expert” in economics, but the university's request did not seem incredible. I have a subscription to The Economist, and I understand - very roughly - how and why central banks set interest rates. I read Capital in the Twenty-First Century and basically understood the essence of the first half. A few posts on my blog are tagged "economy". Perhaps I can make some contribution to the new discipline of computational economics. In general, it seemed plausible that the organizers of the Adam Smith Award would want to hear my point of view. I expected a lot of unpaid work, but all the same the offer was very pleasant.
However, in my heart I felt that there was some misunderstanding. What if I - Robert Heaton - had been confused with some Professor Höbert Riton from the University of California at San Diego, a specialist in Heckscher-Ohlin trade theory, who is patiently waiting for an opportunity to advance his career through transatlantic cooperation? Nevertheless, I decided to pull this thread and indulge the fantasy a little.
Reflexively, I did some basic security checks. The email was sent from an @cam.ac.uk address. I hovered the mouse over the link in the letter - http://people.ds.cam.ac.uk/grh37/awards/Adam_Smith_Prize. It pointed to the same URL as in the text, on a valid cam.ac.uk subdomain. It seemed a bit strange to me that the page was placed in the personal directory grh37 instead of on the Faculty of Economics site; but okay, probably less bureaucracy that way. I followed the link and read a little about the history of the Adam Smith Prize.
If Gregory had added just seven additional words to this page: “The page should be viewed in the Mozilla Firefox browser” - I would have been screwed. But more about that later.
Then I went to the cam.ac.uk main page and made sure that this really is the domain of the University of Cambridge. I quickly googled "Gregory Harris from Cambridge," but found little. I vaguely remember some LinkedIn account. But this is normal; not everyone has a Twitter profile or a culinary blog.
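The checks described above (sender domain, link text versus real target, target under the sender's domain), written out as an added Python example that is not from the original post. The message headers, the `sender@cam.ac.uk` address and the `login.example.net` host are constructed; only the URL comes from the letter.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def audit(raw):
    """Return the sender domain, DKIM verdict and a per-link report."""
    msg = message_from_string(raw)
    sender = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    dkim = re.search(r"\bdkim=(\w+)", msg.get("Authentication-Results", ""))
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    links = []
    for href, text in parser.links:
        host = host_of(href)
        links.append({
            "host": host,
            # Visible text that looks like a URL must name the same host as href.
            "text_matches": not text.startswith("http") or host_of(text) == host,
            "under_sender_domain": host == sender or host.endswith("." + sender),
        })
    return {"sender": sender, "dkim": dkim.group(1) if dkim else "none", "links": links}

# Constructed samples: headers are invented, the URL is the one quoted in the post.
HDR = ("From: Gregory Harris <sender@cam.ac.uk>\nAuthentication-Results: mx.example;"
       " dkim=pass header.d=cam.ac.uk\nContent-Type: text/html\n\n")
URL = "http://people.ds.cam.ac.uk/grh37/awards/Adam_Smith_Prize"
CAMPAIGN_STYLE = HDR + f'<p>Projects: <a href="{URL}">{URL}</a></p>'
ORDINARY_PHISH = HDR + f'<p><a href="http://login.example.net/x">{URL}</a></p>'
```

`audit(CAMPAIGN_STYLE)` reports DKIM `pass` and a link that matches its text and sits under the sender's domain, which is why these checks raise no flag for mail sent from a compromised legitimate account; `audit(ORDINARY_PHISH)` fails both link checks.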
I remember that Gregory’s letter seemed to me very short and poorly worded. I also thought that it would be nice for him to take a few lessons on how to effectively ask strangers on the Internet to do free work for him. He was lucky that I did not care about such trifles. He was also lucky that I didn’t care that he missed the “the” in the sentence “We need your assistance in evaluating several projects for Adam Smith Prize”. Apparently, I also did not care that he wrote “Organizers” with a capital letter and that he did not seem to understand that a paragraph may contain more than one sentence.
At that time I just thought he was not a very good writer.
I sent Gregory a short reply, expressing interest and asking for additional information.
Hello Gregory,
Thanks for your letter. Of course, I'm interested. Could you tell us a little more about what you need and who recommended me for this?
All the best, Rob.
Gregory quickly answered - I was in business!
Hello Rob,
Thanks for the quick response.
Your candidature was on the list of candidates we received from the University of California at San Francisco.
We will send you a description of several projects and a list of questions and criteria for their evaluation.
I think the plan will be ready by mid-June.
Best regards, Gregory
I began to feel like some kind of impostor. Poor Hobert Rhyton is sitting in his office in San Diego all alone, wondering why no one invites him to judge the competition. I decided to share my doubts with my new friend Gregory, without hiding my doubts about my own skills. If he still wanted me for the competition, that would not be my fault.
Hello Gregory,
I begin to think, suddenly there was some confusion. I have read several books by Paul Krugman, but I have never studied or studied economics. I am a software engineer - this is my occupation and education (https://www.linkedin.com/in/robertjheaton/). What do you think about this? Maybe there is another Robert Heaton in San Francisco who knows a little more about economics?
Rob
However, Gregory agreed (faster than I hoped) that an error may have occurred.
Hello Rob,
Yes, there may be a mistake. I will consult with my colleagues and will contact you shortly.
Best regards, Gregory
That was the last thing I heard from Gregory Harris. It seemed that the story was over.
But on Friday, a letter came from Coinbase:
Hello,
You may have recently received an e-mail from a man named Gregory Harris or Neil Morris, posing as the organizers of the University of Cambridge contest. These are fake profiles belonging to an advanced attacker who is trying to install malware on your computer ...
If you think about it, it really did make sense.
I almost fell victim to a technically advanced targeted phishing campaign. As far as I can understand (this was not clearly stated anywhere, and I could well be mistaken), the attackers compromised email and web page accounts at the University of Cambridge owned by two people named “Gregory Harris” and “Neil Morris”. They then used these accounts to conduct a phishing campaign in order to push each victim to visit one of the two compromised pages located at http://people.ds.cam.ac.uk. If the victim used the Firefox browser, then the malicious JavaScript on the page used a 0-day vulnerability in Firefox, which allowed the exploit to escape the browser sandbox and run the malware directly in the operating system.
I carelessly followed the link that Gregory Harris sent, several times. Fortunately, I used Chrome, so the attackers' JavaScript exploit did nothing. But if the attackers had made a little extra effort and added just seven words at the beginning of the page, “The page should be viewed in Mozilla Firefox browser” - I would have been fucked. I would have laughed at the clumsiness of web developers who have not yet implemented basic cross-browser compatibility, and would have smugly copied the link into Firefox. It is not even clear why the attackers did not do that. Perhaps they did not have full control over the content of the page, or they tried to act as subtly as possible.
Initially, the attackers targeted employees of the Coinbase cryptocurrency exchange. But soon they expanded the campaign to a wider audience of people allegedly associated with cryptocurrency. They probably wanted to steal our sweet untraceable pieces of the blockchain. In any case, they were out of luck, because I have never owned any cryptocurrency, except for a few stellars, which I received for free and to which I have forgotten the password. If they or any other attackers could help me recover them, I would be very grateful.
Armed with two real profiles, a 0-day Firefox vulnerability and a list of email addresses of people associated with cryptocurrency (plus me), the attackers set to work. They mercilessly exploited the slightly inflated opinion that innocent people have of their own abilities and importance - and infected with a Trojan everyone who opened the link in Firefox on macOS. The Firefox vulnerabilities are now fixed, and the web pages from the phishing emails have been removed. But I would be surprised if at least a few people were not now missing a couple of satoshi, or a billion.
I am not sure what role Cambridge University plays in this story. I don’t know whether Gregory Harris and Neil Morris are real people whose university accounts have been compromised, or fake personas created by those who have compromised the entire university computing system, or whether I just don’t understand what happened. Just in case, I don’t want to publicly pry into Gregory's or Neil’s online life if these are real people, but I strongly suspect that these are fake accounts. This is an absolutely groundless assumption, as is everything that follows, so if you work at the University of Cambridge, please do not send hate rays to me. Please tell us what really happened.
I could not find any traces of Gregory Harris or Neil Morris online other than their supposed LinkedIn profiles. Once again, this is normal. Not everyone keeps an Instagram or writes Star Wars fan fiction. However, Gregory Harris’s LinkedIn profile has recently been removed - it still appears in Google search, but is not available on LinkedIn. And although the profile of Neil Morris is still there, it is probably a fake.
At first glance, Neil's profile looks quite reasonable.

But a quick Google search shows that the description is copied from another LinkedIn profile.

For me, this is enough to confirm the suspicions. But if we look closer, we find some more fun details:
- Neil's description of his master's degree is a bit strange. He wrote “five courses and dissertation,” but then lists only four courses.

- Neil spent seven years in high school. This is the UK standard. But his last two years, apparently, coincided with the first two years at the university. This makes no sense.
- Neil describes his pre-university education as “High School”. We don't have “High School” in the UK - we call it “Secondary School”. This could make sense if Neil were an American or were trying to communicate with an American audience, but there is no sign of that.

- The picture on his LinkedIn profile is a stock photo of Cambridge University. At first I did not pay attention, but in the light of the foregoing, this seems a bit strange. Does he really love his university so much that he uses its photo in his professional profile? Not even a photo of his office, but of the university? It is more likely that someone is trying to make a fake profile that tells the casual reader: “I work at the University of Cambridge, nothing to see here.”

Neil, if you exist and this is your real LinkedIn profile, then I apologize. But if you are a real person, then why did you copy someone else’s self-description?
I don’t think that it was a mistake on my part to click on a link in a phishing email. An exploit for a 0-day browser vulnerability hosted on a cam.ac.uk subdomain is not part of my personal threat model, and I think this is reasonable. Security should be balanced with pragmatism. It’s impossible to sign everything in the world with a GPG signature on a web of trust that leads back to Bruce Schneier. However, my Twitter is ready for bilious criticism of this statement, in direct messages.
However, this episode left a feeling of incredible awkwardness. Although the story ends safely, I still bit on a phishing attack and almost swallowed the bait. I was just lucky that the attack vector was a 0-day for software that I do not use, and not something more mundane. If the exchange of letters had continued a bit longer, I would probably have enabled macros in any Microsoft Office documents that Gregory Harris sent, and might even have run a program that he sent if he had said that it was part of the registration process. As I already mentioned, I do not have cryptocurrencies, but I do have money in online bank accounts, which I would generally like to keep.
I do not know what the moral of this story is. Perhaps the main conclusion is that one should remain vigilant when communicating with strangers on the Internet, even if they have legitimate email addresses with valid DKIM signatures. In addition, it is very easy to overlook a large number of inconsistencies and oddities if you believe in someone’s story, especially if you enjoy this story. Looking back, it was completely absurd to believe that the University of Cambridge would invite me to judge an economics competition, and on reading Gregory Harris's e-mail it is immediately apparent that he is not an online communications professional. But I did not think critically and was lulled into a false sense of security by the @cam.ac.uk sender address and my own ego.
And the last moral. Think twice before modestly (and immodestly too) telling others that you have been invited to judge the Adam Smith Award in Economics.