Welcome to my online cyber thriller, The Phisherman.
Alan expelled a massive sigh of relief as Nick Davies’ phone passed his new refuge. He watched it continue for the next few minutes until he knew he was safe.
For the time being. However, that was too close.
When Alan thought it through, he realised Davies must have been returning to the NCSC from Z’s last sanctuary. He nervously chuckled to himself.
Hah! I got out in the “nick” of time.
Alan knew how to confirm his suspicions. He connected to the phone he’d left behind via the encrypted comms software he installed on it.
At first, he was confused. The phone was where he hid it. Yet, when he checked the log, he saw someone woke it only a couple of hours before, less than an hour after he’d placed it there.
It amused Alan that Davies had tried to fool him by leaving the phone in its hiding place. However, that thought changed when he saw the photo it had secretly taken of whoever pressed the power button. It was evident from the intense yet beautiful face staring back at him that it was not Davies. It was far worse.
There was no mistaking who that was. He’d seen her face in too many media articles over the years: Alison Simpson. It confirmed his fears.
Little Miss Hacker is working with CIA Action Man.
Alan was unwilling to allow such a close call again. It was time for the unthinkable. He would utilise the fallback Abaddon taught him to make in 2011. Back then, Alan had laughed. He never expected to use the physical escape plan he’d made when The Shadow was running amok and the world’s cyber authorities seemed powerless to stem the tide.
However, times had changed. The digital universe had become a minefield.
And I’m in a predicament not even Abaddon could have foreseen. Action Man’s physical prowess married with the cyberbitch’s digital skills leaves me with little choice.
He spent the next hour making the necessary arrangements online so he could depart that night.
Time is of the essence. My young housemates would have provided a sufficient description for GCHQ to issue sketches that might hinder my escape from London if I wait any longer.
The phone tracker revealed that Davies had remained stationary for the last half an hour. It looked like he was staying at one of the five-star hotels in Chelsea.
Hopefully, Action Man will remain there for the night.
Alan doubted Alison Simpson would do the same. He had no idea what she was doing.
What I do know is that she’s a cyber-bulldog. She won’t be spending the night doing a “Netflix and chill.”
Alan had an idea. There was no time to waste, and everything needed to run his way.
But you’ll never know if you don’t have a go.
After a quick check on the website of Davies’ hotel, Z messaged one of his cyber lads who’d been running a phishing campaign called Revenge Hotels since 2015.[1] It didn’t take long to discover how to access that hotel’s WiFi network as an administrator, based on an exploit in the hotel’s unpatched WiFi access points.
still works?
Z was relieved at the reply that arrived less than a minute later.
mastablasta used it 2 wknds ago
Unexpectedly, Alan’s three roommates returned from their game at a nearby basketball court.
As the tallest one, a blond giant named Heinrich, swiftly changed out of his sweat-stained singlet and shorts, he mockingly stuttered in his strong German accent, “And what will you do tonight, old man? You staying in this little room to play with your computer boyfriend?”
Heinrich’s two friends laughed as they all changed into stone-washed jeans and bright-coloured polo shirts.
Alan merely turned his back and ignored their derisive chatter as they talked and laughed amongst themselves.
He didn’t have to wait long before they were primped and preened for a big night on the town. Their boisterous “see you in a day or so, old man” as they left meant no one would be the wiser to Alan’s departure until tomorrow afternoon at the earliest. He was alone again.
Other than the stench of those stupid Germans’ musk aftershave.
Alan confirmed Davies was still at his hotel, then bundled up his few belongings, ready to vacate his short-term lodgings. However, he needed one more thing: the silver key on Heinrich’s bedside table. It operated the German giant’s hybrid scooter. Alan was sure he would have at least twelve hours before the hungover young man realised it was missing. And based on Alan’s interactions with the three young backpackers, their stammering English, youthful arrogance, and limited intellect meant they would struggle to provide a helpful description of the thief.
Navigating the unobtrusive scooter to Davies’ hotel didn’t take long.
After securing a nearby park, Alan found his way inside the expensively decorated, intimate dining area on the ground floor.
Walking past the middle-aged pianist gently playing an Eagles’ tune in the background, Alan was rapt to see only four other diners – two couples with intense eyes fixed on their respective dinner partner. That made it easy to find a secluded table.
The last thing I need is Action Man walking past and noticing me because of my opened laptop.
Armed with the two young gamers’ description of their hacker housemate, the CIA agent might realise who Alan was. If he did, it was the end for the phisherman.
The stakes had never been higher. Unsurprisingly, Alan’s stomach churned violently. His forehead sweated openly. His hands trembled visibly with every key he pressed.
Yet, I’ve never felt so alive. If only Steve could see me now – he’d be prouder than that night we hacked the CIA.
After ordering the deluxe Angus burger from a server impeccably attired in a black dinner suit, Alan carefully placed his tiger box on the polished wooden table and booted it up to access the Kali VM.
Once logged in, it didn’t take Z long to hack the hotel’s WiFi.
Thankfully, the Revenge Hotels’ exploit still works.
He ran a passive stealth scan[2] to locate any systems currently logged into the network and was rapt to see a laptop he suspected belonged to Davies within a minute, based on the poorly chosen name that stood out like a sore thumb.
Z ran a detailed scan on that specific system.
Within a minute, he knew it was Action Man’s, based on the response he received from various ports.
Woohoo, baby! Davies is online right now. Somehow, everything is going my way.
And I intend to run with it - time to up the ante.
Using a dummy email account[3] he kept explicitly for such purposes, Z emailed the hotel, enquiring after a room. As expected, he received a reply within a few minutes. Z didn’t care about the response. All he needed was one of their emails to spoof.[4]
It only took Z another couple of minutes with the tools he regularly used to create his own email for Davies. It had the hotel’s header and footer, and included information about the hotel’s associated health services that he’d copied from the hotel’s website, though he added a photo of a young and exceptionally pretty redheaded masseuse with green eyes that sparkled and luscious red lips parted just enough to be inviting.
I’m sure she’ll suck Davies in.
Lastly, he added an attachment with a relevant map Z had downloaded from their website.
When Action Man opens my email, everything will look legit.
And it mostly would be. The only difference was that the map now included a zero-day exploit Z had recently tested for a cyber mate.
By the time Alan’s Angus burger arrived with a mountain of beer-battered wedges and aioli on the side, accompanied by the most divine aroma he’d smelled since his last trip into Soho, Z had sent the email to the address Davies used on the gambling site. That was the one rocky point Z had. He could only hope Davies had given that email address to the hotel instead of an Agency one.
Thankfully, a read receipt arrived five minutes later. Alan was only halfway through his small yet flavoursome burger before Action Man had taken Z’s bait … again.
The exploit Z used was different from the one he’d hooked Davies with the first time. It merely opened a port on Action Man’s computer, enabling anyone on the same network to access his laptop. It was like getting a homeowner to open a window and then walk away. That was why Alan needed to be on the same WiFi network as Davies. He needed to be in the same vicinity to “climb in the window.”
Z promptly connected to Davies’s computer via the newly-opened port.
Once in, he issued several text-based commands[5] that would authorise him to remotely log into Action Man’s laptop whenever he wanted to, using the remote connection the CIA had approved for their own remote administration.
He also created and authorised a scheduled event that would send a small message via the email port to one of Alan’s dummy email accounts. The text-based email would report Action Man’s current location and network information at varying times once a day.
Alan hated rushing, but he had little choice. He had a big ride ahead on the scooter he’d stolen.
Having achieved his goals, he paid for his meal, left the restaurant and rode off into the night.
I hope you enjoyed the final chapter of Part B, The Phright. The next chapter starts Part C, The Phlight, where the chase begins in earnest to find the phisherman before he arms 831.
[1] Revenge Hotels exists. Don’t believe me? Use a search engine to search for “revenge hotels.” Then be concerned about what you do next time you visit a hotel.
[2] A stealth scan involves performing a “quiet” scan of a network or computer, so intrusion detection apps don’t realise the network or device is being probed to discover the best way to attack it.
[3] Dummy email accounts are fake accounts everyone should have. Whenever a website requires you to create an account you don’t want to make, give them a dummy email address. It should be an email address you’ve set up, confirmed, and never need to access again. These can be great for most people. However, hackers love them more. The example I’ve provided in the story gives you a great idea of how they can be used for malicious purposes.
[4] Spoofing refers to pretending to be someone else. For example, I could send an email from my computer but insert your email address into the email header before sending it. That would be me spoofing your email address. To understand more, check out spoofing (Malwarebytes).
[5] You’ve seen examples of this on most TV shows and movies that involve hackers and IT security geeks. Using a CLI (command line interpreter) requires you to know what commands exist + their options. That’s why people who use CLIs are often called power users. And that’s because text-based commands provide the ability to do things a mouse-driven user can’t even imagine.