If Scott Morrison emails you, check the header
Cyber criminals know how easily you can be tricked.
Easily manipulated online personas have blurred the line between reality and confection, James Linton admits – but he’s unrepentant about an email manipulation prank in which he temporarily “became” Donald Trump Jr, Hugh Jackman, several Trump administration officials, Kevin Spacey, and even Harvey Weinstein.
For five months in 2016 and 2017, Linton – basking in the anonymity of a Twitter account called SINON_REBORN – created lookalike email accounts and blind-emailed high-profile individuals in the political, financial, and entertainment industries.
He never expected that his first ruse – writing to conservative identity Ann Coulter while posing as Donald Trump-allied former Sheriff David Clarke – would work so well.
But Coulter responded to Clarke’s “request” to review an article on immigration with a genuineness that told Linton he was onto something.
“I didn’t expect it to be quite so easy, but I just rode my curiosity and didn’t think too much about it,” he told Information Age.
Within weeks, he was juggling 150 email accounts and trying, with some success, to ensnare high-profile targets in all manner of casual interactions.
Posing as Barclays chairman John McFarlane got him an answer from CEO Jes Staley within half an hour, while Linton emulated former chief of staff Reince Priebus to troll Anthony Scaramucci in the days after volatile internecine conflict got Scaramucci fired after just 10 days.
The surprisingly effective campaign kept Linton busy – and eventually got the 39-year-old fired from the Manchester advertising firm where he was working in an “unfulfilling” career.
“I honestly was very ignorant about all things cyber,” he confessed, noting that he “didn’t have a long-term plan with it. But I was on a slightly personal journey of feeling a bit frustrated at the time.”
Hiding the important details
That frustration led Linton – who now works as a threat researcher within the Agari Cyber Intelligence Division (ACID) – to discover the surprisingly easy methods for manipulating the appearance of emails, whose security has largely gone unchanged for many years.
Simplified user interfaces were hiding many of the details that his ‘victims’ might have used to spot the ruse: “designers had been putting the more-technical data towards the background,” he explained, “behind dropdowns or just not there at all.”
“In doing that, I came to the conclusion that besides the name on top of the email, and the content of the message, there really wasn’t any other way to identify who was sending it.”
“If you could match the tone of voice of the written word, you could possibly pass yourself off as someone else. It’s no accident that the majority of fraudulent emails from cybercriminals use the same tactic.”
Deceptive phishing emails have become the leading vector for spreading malware, with targets tricked into opening an email attachment allegedly from a known and trusted contact – whose details have actually been plucked from the victim’s contact list.
Other scams involve a spoofed reply-to address, a spoofed sender address, a spoofed name, or a lookalike domain that seems correct to the recipient but is actually owned by the scammer.
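The header check the headline recommends can be automated for the four tricks listed above. The following Python sketch is an added example, not part of the original article: the address book, the sample messages, the 0.85 similarity threshold and the finding labels are all constructed assumptions, and it trusts the Authentication-Results header only because it assumes the recipient's own mail server added it.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: display name -> address the recipient has on file.
KNOWN_CONTACTS = {"john smith": "john.smith@bigbank.example"}

# Constructed sample messages (reserved .example domains only).
SAMPLE_LOOKALIKE = """From: "John Smith" <john.smith@bigbamk.example>
Authentication-Results: mx.recipient.example; dmarc=pass

Please review the attached article."""
SAMPLE_SPOOFED = """From: "John Smith" <john.smith@bigbank.example>
Reply-To: john.smith@mailbox.example
Authentication-Results: mx.recipient.example; dmarc=fail

Please approve the transfer today."""

def domain(addr):
    return addr.rpartition("@")[2].lower()

def check_headers(raw, contacts=KNOWN_CONTACTS):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    findings = []
    # Spoofed name: a familiar display name in front of an unfamiliar address.
    expected = contacts.get(name.strip().lower())
    if expected and addr != expected:
        findings.append("display-name-mismatch")
    # Lookalike domain: nearly, but not exactly, a domain we already know.
    for known in {domain(a) for a in contacts.values()}:
        ratio = SequenceMatcher(None, domain(addr), known).ratio()
        if domain(addr) != known and ratio >= 0.85:
            findings.append("lookalike-domain")
            break
    # Spoofed reply-to: replies would go to a different domain than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain(reply) != domain(addr):
        findings.append("reply-to-mismatch")
    # Spoofed sender address: the From domain failed DMARC at the receiving
    # server (simplified parse of the Authentication-Results header).
    m = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""), re.I)
    if m and m.group(1).lower() != "pass":
        findings.append("dmarc-" + m.group(1).lower())
    return findings
```

Note that the lookalike message passes DMARC: the scammer owns that domain, so sender authentication alone does not catch it and the name and domain comparisons are still needed.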
Recent scams have emulated organisations – Australia Post and the Australian Taxation Office are perennial favourites – so frequently that a recent Norton survey found 42 per cent of respondents said they had received such scam attempts.
High-profile individuals were particularly vulnerable, with the recent Proofpoint Human Factor Report 2019 warning that cybercriminals were favouring ‘Very Attacked People’ whose email accounts and online identities could be easily located with a Google search.
Businesses not responding well
Recent ACCC figures suggested that scams had already taken over $16m from Australians this year, while a Melbourne woman was this month arrested for a $10m superannuation scam and a British CEO was bilked out of more than $350,000 by scammers using an AI-generated spoken voice over the phone.
“We are seeing organisations on a monthly basis share pretty terrible circumstances as to why transactions have been made,” said Dane Meah, CEO of security firm InfoTrust, which sponsored Linton’s recent speaking tour of Australia.
“In a moment of weakness, a well-crafted email is really believable. It’s real panic stations, people are losing their jobs – and it has a real impact on people’s lives and a flow-on impact on those people.”
Linton’s pranking spree caused a few red faces but no harm was done, and he is now working as a speaker and consultant to highlight the ongoing risks of email attacks and human susceptibility – which, Proofpoint noted, is responsible for 99 per cent of successful compromises.
The whole experience has shown Linton, and those he now speaks with and presents to, how important – and increasingly difficult – it is to be sure about whom you are engaging with online.
“Part of me is wondering what is going to happen,” Linton says. “Is all proof and believability going to be eradicated entirely because we have flipped that on its head – and anything you watch on a screen could hypothetically be created artificially?”
“If you start doing that to leaders of nations, it really does become quite a worrying trend,” he says. “Faith in what you see and read is going to be a huge thing, and I think there will be a battle to retain that integrity.”