Blog post

The serious side of pranking

Created:  30 Oct 2017
Updated:  30 Oct 2017
Author:  Ian Levy

I was recently targeted for a prank and have taken the unorthodox step of asking James Linton, the very person who was trying to prank me, to help write this blog.

Our joint aim is to lay bare the realities of email security and, given that a cyber attack looks exactly like a prank, use this unique opportunity to show an attack from both sides.

The National Cyber Security Centre is doing as much as possible to make real people’s lives easier and safer on the internet. Initiatives such as the Active Cyber Defence programme are blocking, disrupting and neutralising malicious cyber activity before it reaches users.

The blog concludes with some hard questions for the tech and security industry about the future of email security.

---

Ian - Last week, SINON_REBORN (aka James Linton) had a go at pranking me, like he’s done with lots of other – much more high profile and important – people. I was lucky enough to spot it and we both thought it’d be a unique opportunity to see an attack from both sides. After all, James’s prank emails are trying to achieve exactly the same end as spear-phishing emails perform as part of a cyber attack – get someone to trust something they really shouldn’t.

The point of telling this story is to get away from the abstract and show people what attacks really look like. I also want to be really clear: I was lucky. My ‘cyber skillz’ helped, but I could have just as easily fallen for this. Regardless of who you are, we’re all reduced to making informed guesses around email security, so people shouldn’t be pilloried when they make mistakes. Systems should not be designed to fail in the ‘one click and you’re pwnd’ manner we still see.

So, here’s the story from both sides.

James - Having already pranked lots of high profile people, I was more than a little curious about how a similar prank would fare against a British security person. So I did some initial web searches to establish who I would try and hoodwink. It really didn’t take long to establish that Ian could be an intriguing target, and his claimed technical knowledge in many ways made him the perfect arch-nemesis of a mischievous internet prankster.

Now I just needed my ‘character’ - which I quickly established in my usual way, by looking at the ‘about us’ or ‘directors’ page of the NCSC website. Paul Chichester seemed perfect for the role, so I copied and pasted both Ian and Paul’s names into a web search, and hit the news filter.

I was after something recent as a ‘hook’ to provide an innocuous topic of shared interest and an article about an NCSC Event was only days old and seemed to tick all the boxes. That was the hook sorted.

[Image: prankster image 1]

Next step was to create my new email address. I just opened my browser and went to mail.com to create my fake account. After double checking the spelling of Paul’s name, I filled in the few details required by mail.com and I was all set to go in less than a minute.

I also wanted an extra layer of credibility within my initial email, something that would help maintain ‘inbox hypnotism’ as I like to call it. We all have subconscious triggers that are engrained into us from years of email usage. As a prankster I have to keep these triggers at the very least in the neutral position, and ideally flick a few which positively reinforce the email’s validity, even if it’s not at a conscious level. To try and do this I created what looked like part of a forwarded internal message, using the name of somebody I had also found on the NCSC website earlier.

Now I was good to go. I hit send and crossed my fingers!

Ian - For me, this started when I got two emails apparently from Paul Chichester, the NCSC Director of Operations. I was on the Eurostar to Brussels to talk at a conference. Here’s what I saw on my phone.

[Image: prankster image 2]
[Image: prankster image 3]

As James says, this is a brilliant lure for most people – including me. My first thought was, ‘Chichester, you numpty, you’ve sent me the wrong mail!’ but then I wondered what he was trying to send to the other person, just in case I didn’t know about it. You feel a little bit naughty peeking into a conversation that wasn’t intended for you and I think that’s part of why this sort of thing disarms people. The inclusion of an apparent forward from Nicky Hudson, the NCSC’s awesome Director of Communications just adds to the interest – what was she planning for the NCSC to say publicly that I’d missed??

So, I think I’ll have a look at the article. I am stupidly geeky, so I usually inspect links before I follow them. Yes, it is, on average, a colossal waste of time so I don’t think everyone should do this. It’s easy to do on most devices today, though. On most touch devices you just touch-and-hold the link to see what’s really there. Understanding what shows up is a different problem!

[Image: prankster image 4]

Hmmm. That’s odd. That’s some sort of link protection for mail.com (but see what I mean about understanding what’s there?). We don’t use mail.com as our mail platform, so how has that been added if this is a real message from inside the NCSC?? Obviously, it hasn’t and this is what made me realise what was going on – although I didn’t know who was on the other end at that point. As I said, I was lucky. If I’d been tired or really busy (or there was alcohol involved), I may not have bothered checking.

The article this eventually ends up at is real, though, and it’s about an NCSC event we’re running for security researchers next year. James has already explained why he picked that and it worked brilliantly.

James - This is where I became the victim of a technical knock-out courtesy of Ian! I hadn’t realised mail.com would change what I thought was a pretty innocuous web address link; I also didn’t know you could view the link in such detail on an iPhone before choosing to visit the URL. Obviously, I was blissfully unaware that I’d not so much hit a trigger with Ian, but stood on the whole control panel. My ruse was rumbled.

Ian - So, where’s this message really from?

[Image: prankster image 5]

Now we can see it’s really a mail.com address, but even so, the address has almost all the right bits in it and if you were busy and reading it quickly you could be forgiven for missing the fact it’s not right. People very rarely look at the underlying address either – especially on a phone where screen real estate is at a premium. Now you can see how lucky I was!

James - I guess I’ve never been too concerned about the actual email address I create, although I do try and make it look believable to some extent if I suspect they are in any way technically savvy. In the past I have pranked people using email addresses with @emailprankster.co.uk, so I knew generally speaking they were hidden away due to the increasing personalisation and simplification of mail app user interfaces.

Ian - I was intrigued, so I played along with the prank until it seemed like a good point to come clean. We proceeded to have a decent conversation over email which is where the idea for this blog came from.

There were a couple of other things in the message that could have given it away as well. The quote format where Nicky’s message was supposed to be forwarded wasn’t right, Nicky’s display name and email address in the quote weren’t consistent with how we do them in the NCSC and, possibly the most heinous thing, was calling Mr Chichester ‘Paul’. Apparently, his mum is the only one that ever does that. But, realistically, can we expect anyone to consistently spot this sort of thing when they’re busy? These sorts of errors are reinforcements when you’ve already decided it’s somehow wrong, rather than high quality indicators of badness.

James - I think I was probably rushing a little when I created the fake forward by Nicky within the email; given a little more planning I think I could have matched that better. I could probably even have managed to get hold of the rough footer format if I’d tried this with someone other than my main target prior to trying to engage Ian in conversation. Another little thing I did was that with each reply I made sure I went back to the previous message I’d sent within the thread and re-typed what I suspected was Paul’s real email address, replacing my fake one. This was just in case there was an unintended or intended scroll down the conversation to either check what had been said earlier, or out of suspicion. People seem to be good at picking out email addresses in quoted messages so inadvertently leaving a trail of mail.com giveaways was something I could correct easily. It also added to the validity of the thread if my purpose was to encourage Ian to share the link with others.

Ian - This was a prank, but an attacker trying to get me to install malware or disclose credentials through a spear-phishing attack would go through exactly the same thought process as James did. This is an example of why we say that the accepted wisdom around email security (don’t do something unless you trust the email) is a bit pointless when it comes to spear-phishing.

Whether or not you believe that James’s pranks are funny, they certainly help to highlight the poor state of email security. That’s why the NCSC is doing as much as possible to try to make real people’s lives easier and safer on the internet. Things like our Active Cyber Defence programme and some of the other work we’re doing should start to have an effect on the commodity nastiness on the internet. Then we can concentrate on the more pernicious stuff and help users – who are our first and best line of defence in all this – make better informed decisions. For example, is the user interface design right on most email clients? Look at those screenshots of what I saw on the train and you decide.

We also want the tech industry to help us work out what the future for email should look like – and make it much less dangerous for most people, most of the time.

Whatever that future is, it’s almost certain that at some point, someone in the NCSC will fall for a phishing attack – and it could easily be me (this isn’t a challenge, by the way!). They won’t be ashamed and we won’t blame them. We’re only human after all.
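
The two mismatches Ian describes above (an internal display name on a webmail address, and a link whose real target is not the site it shows) are checks a mail client could make for the reader. The following is an added example, not code from the NCSC or the authors; the names, domains and wrapped-link format are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

ORG_DOMAIN = "example.org"     # assumption: the recipient organisation's mail domain
STAFF_NAMES = {"alex morgan"}  # assumption: display names of known internal senders

# Constructed sample: internal-looking display name, webmail address, wrapped link.
SAMPLE = """\
From: Alex Morgan <alex.morgan.example.org@freemail.example>
Content-Type: text/html; charset=utf-8

<p>Sent to you by mistake, sorry!</p>
<a href="https://deref.freemail.example/r?u=https%3A%2F%2Fnews.example%2Fevent">https://news.example/event</a>
"""

class LinkCollector(HTMLParser):  # collects (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):
    return (urlsplit(url).hostname or "").lower()

def findings(raw):
    """Return the mismatches a mail client could surface to the reader."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    out = []
    if name.lower() in STAFF_NAMES and domain != ORG_DOMAIN:
        out.append(f"display name '{name}' is internal, sender domain is {domain}")
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        if text.startswith("http") and host(text) != host(href):
            out.append(f"link text shows {host(text)}, target is {host(href)}")
    return out
```
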

4 comments

Simon Wilks - 01 Nov 2017
I would strongly argue that inspecting links is not a colossal waste of time. I would also suggest that any reputable email client should refuse to obscure link destinations and, for that matter, show both the 'From' email address in full, the originating domain and whether it matched or was authorised to send on behalf of that address. It would be trivially simple to do this, and need only clutter the screen a little, (and then only for emails from non-previous contacts). For open-source email programs, preferences and plug-ins are freely available that do exactly this, though they're not especially easy to find or use. For decades, the major vendors have serially refused to address this issue. Whether that's because it's a responsibility they can shirk, or because they make money out of selling solutions further up the chain, isn't clear. Either way, we've seen a flood of initiatives aimed at 'educating' users while, simultaneously, products are increasingly stripped of the tools users need to use that education. In many email clients (including webmail), it's impossible to view the headers at all. That's not an improvement, that's an abject failure. In short, I thoroughly agree that the interface is far from right. The question is, which of us is in a position to do anything about it?
Martin Hawley - 02 Nov 2017
Brilliant post and I agree with the above comment.
Sandy Forrest, Atos - 04 Nov 2017
Ian, a very worthwhile post that I have copied as widely as I can (especially internally) as it brings home to friends and colleagues that the risk is real and applies to them. As Ricky Gervais said, don’t whinge and say ‘you think this sort of thing only happens to other people’ as from my perspective you ARE ‘other people’.
Will Davies - 13 Nov 2017
Ian, Thanks for this... a very good lesson
