Broken Phishing scam targets several tech journalists

On Saturday, Salted Hash received a Phishing email from a PR contact (the second one this year) that was targeting corporate credentials. Unlike the previous Phishing email received from a professional contact, this one was poorly implemented and broken.

Around 1:00 p.m. EST on Saturday, an email from Andrew Buemi, the Director of Communications at ff Venture Capital, arrived in my inbox, directing me to accept a Google Docs invite. I later confirmed that several other journalists got the same message.

I admit to being confused by the invitation, because I’ve never worked with ff Venture Capital before.

Not to mention, no company looking to get media coverage has ever offered to let me edit their materials. I did some digging, and they’re a legit firm, but I still couldn’t understand why this invite was sent to me.

Intrigued, I decided to rundown the URL in the email. By all accounts it pointed to a legit Google Drive host, but something just felt off. As it turns out, my gut feeling was correct, because the URL quickly morphed itself into a poorly replicated Google login page.

The redirection was instant, so I used urlQuery.net to trace the address. The Google Drive host opened a bit.ly link, redirecting the visitor to the landing page. The redirection happens in less than a second, but the path is clearly defined by a few 301 and 302 requests in urlQuery.

The document referenced in the email is titled Investibot_10Payment_v16.

On the surface, the name suggests the contents of the document are related to a company’s finances somehow, and this lure is reinforced on the landing page, as the login block has been altered to state: “Financial Document included in this file, login with company account/password to view.”

But the landing page is where this scam falls to pieces. It’s a comical disaster. Riddled with errors, no sane person would believe they’re looking at a Google Docs login page at this point.

After some poking around, it turns out the criminal behind this scam compromised a personal domain, and used Adobe’s Dreamweaver to develop the page shown in the image on the left.

Dreamweaver was confirmed as the source when the dwsync.xml file was discovered. The file was pulling images from an FTP server on a domain linked to a number of Phishing and malware attacks since 2014.

I emailed Andrew Buemi to alert him to the situation. He responded almost instantly with an apology.

A day later he issued a statement, with a really classy offer.

“On Saturday, June 25 between 12:41 and 12:42pm ET, my email account credentials were compromised that triggered an email from me inviting you to a Google document. Please delete and DO NOT open the email or click on the link/provide your email credentials,” the statement said in part.

“We are offering three months of free monitoring for anyone using Google Apps who received the message and would like to enact further monitoring for their Google accounts, via GreatHorn, a cloud-based communications security platform. While this seems to have been the source of a common malware attack, security and safety is of the utmost importance to us and we too immediate steps to disable the email account and run security checks throughout ff Venture Capital’s other accounts and servers, which do not appear to have been affected.”

As far as I know, ff Venture Capital is the first company to offer this type of coverage for a situation like this. They’re the victim, and I don’t fault them in the slightest for the Phishing email. But this type of reaction was a solid move on their part.

The reality is, twice now I’ve gotten a Phishing email after a business contact was compromised, and twice now I’ve gotten lucky. I was able to spot the Phishing attack for what it was, because I followed my gut instinct that something wasn’t right.

At the same time, I work in an industry where Google Docs and email attachments are part of the job, so it’s entirely possible that I will eventually fall victim to a Phishing attack. The logic here is basic, even experts will get caught, because no one is immune.

The two attacks this year seem to be opportunistic, so what happens when someone takes their time and puts some effort into the operation? If you guessed anything other than complete success, you’re wrong. Situations like that worry me.

If I’m ever actually targeted by a criminal, I’ll never know until it’s too late and my systems are completely compromised.