Welcome to my online cyber thriller, The Phisherman. To learn more about the story and meet the three main characters, click HERE. If you'd prefer to start at Chapter 1, click HERE. To select another chapter, click HERE.
This chapter shows you how social engineering attacks work. The hack described in this chapter is known as spear phishing because the hacker is hunting a specific target. As you'll see, spear phishers commonly use social media sites as their primary source of information when pursuing a unique phish. And they don’t need their target to have an account – a spouse, sibling or sidekick with poor security settings is ideal … just like Jenny Wong in this chapter. For more information on how to avoid being speared, check out spear-phishing [Kaspersky].
Z spent the next fifteen minutes exploring the three most prominent social media platforms, looking for everything he could about his target: Lucy Davies.
I hoped Action Man’s sister might be on one of them. She wasn’t – she was on all three.
And Z was surprised to discover that all three accounts were in her real name.
Big brother should’ve taught you better than that, moron.
Z was sure Davies would have taught his sibling to show some wisdom regarding what she reported about her personal life online and how to configure appropriate security settings. He expected that various social engineering techniques would be required to milk the necessary information from her.
Yet again, he was pleasantly surprised.
I can’t believe the clueless bitch has her accounts configured as public. I won’t even have to trick her into handing over the data I want – she’s told everyone: “Come and hack me, boys.”
Once Z had the email address of Davies’ sister and sufficient information about her closest friend Jenny Wong, he went to work.
He laughed as “Jenny” by Nothing More started playing on his metal radio, though he had no idea about the song’s significance.[1]
It didn’t take him long to crack the password for Wong’s webmail account.
Like most digital lemmings, she thinks no one will bother hacking her, so she uses a minimal password. And the never-ending posts about her little Pomeranian called Winston made it too easy to guess.
He was rapt Wong hadn’t configured Two Factor Authentication[2] on her webmail account. All Z needed to control her email was her password.
Once he owned Wong’s webmail via a proxy that concealed his location, it was easy to find some correspondence between Jenny Wong and Davies’ sister. That would be the basis for the message Z sent from Wong’s account.
And coming from Davies’ best friend, it’s guaranteed to bypass any spam filters and land in my foolish target’s inbox. She’s sure to read it as soon as she sees it.
The email had to get Lucy Davies’ attention from the first sentence.
Accordingly, Z used the same opening Wong had sent in an earlier email.
Hey hon and tgi friyay
He added a short comment about a party both girls attended the previous weekend. From the photos plastered across their socials, they’d enjoyed a wild night out.
Though I’m sure they have no idea what real music is. From the look of their skanky dresses and painted faces, I’m sure they were teasing whoever they could as they jiggled their titties and wiggled their asses to that techno crap nightclubs play.
Thankfully, Wong had written about a similar night in a message she’d sent a year ago. That made it easy to devise wording that would convince Action Man’s sister that the rest of the email was from her best friend.
The next part was the most difficult. He needed Lucy Davies to believe the message was from Wong so she would perform the action that mattered most – open the attached file.
That’s when the real fun begins.
He spent almost half an hour agonising over the phrasing as he constantly referred to past emails Wong had sent to Lucy Davies. Finally, Z was sure his message sounded Jenny-Wong-ish enough to dupe her closest friend.
I also need to ask you something about your brother Nick. Do you know if he works for the CIA? If he doesn’t then its ok. If he does then you need to look at the file I attached. It was sent to me by a reporter investigating a secret team in the CIA. She says Nick is part of it. That’s how she found all this stuff about him. And if its true, its not good hon. The file shows a list of stuff hes done and some of its really bad. I hope its not true. If it is, know im here for you.
He signed off with Wong’s standard email signature:
luv to you with a jenny mwah
The coup de grâce[3] was the document he crafted using the same exploit Z had phished Nick with. He included a list of Nick’s gambling sessions he’d copied from the gambling VM he hacked a few days ago, then finished with a few photos courtesy of his contacts in Griffith.
Once Action Man’s sister sees them, she’ll have to contact Nick.
He reread the message before sending it.
It’s perfect.
After clicking “send,” he waited like one of those Australian saltwater crocodiles he admired, submerged in muddy water so the prey didn’t know it was poised to strike until it was too late.
He knew Lucy Davies would take the bait.
All he needed to do was wait.
London – 11 am Friday
Alison was frustrated.
Two hours had passed, and nothing new had been uncovered to help her catch lul, despite Evan and her now hunting like a pack.
If not for the Game Master’s message and Evan’s story, I’d swear lul was still buried in whatever God-forsaken pit he found when I broke SF and The Shadow a decade ago.
She called Evan over the intercom.
“Hey, Evan, any response from your cyber chum?”
She knew it was bad news from the long pause before he replied.
“I sent Z a message on our private chat. However, I need to tell you that he ghosted me a few days after my friend met lul in 2012. I’ve messaged him multiple times on our chat and on several black hat forums, but he never replied to me. The only thing I can confirm is that someone received the message I sent him this morning.”
Alison tried to make her voice cheerful as she thanked him. However, her heart wasn’t in it.
Time’s running out. Nick is only an hour away from landing in Sydney. When we chat, I need some answers. And they aren’t just for him – I’ve got some big questions to ask.
After that message from the Game Master, Julio Estévez from the NSA was no longer at the top of her list.
She was rapt when Adam called.
Accepting the call, Alison was comforted at hearing her friend’s deep voice.
“Hey, Ali. Just letting you know I’ve arrived in Sydney. I checked the arrival gate for Nick’s flight, and I’m on my way over there to meet him. Fyi, his plane’s due in forty-five minutes. While I wait, is there anything I can do to help?”
Alison could tell he was walking at a great rate of knots, despite his voice staying even. She suspected he was still super-fit and energetic.
“No, Adam. That’s great. And thanks so much for this. I owe you dinner next time I see you.”
They chatted briefly until an alert sounded on Alison’s computer. Alan Watson had just performed another check for any new emails detailing Nick’s location.
“Sorry, Adam, but I’ve got to go. Something just came up.”
She hung up before Adam could respond, then used her backdoor to access the hacker’s email server. She was surprised to see the security log had recorded the same location as the previous day. Alan Watson was still in the outer southwestern suburb of Campbelltown.
At least I can let Nick know his quarry has gone to ground. And judging by the time in Sydney, it looks like he’s settled in for the night. If Alan doesn’t realise I’ve breached his server, Nick won’t require much time to catch his prey.
However, Alison suspected her elusive prey would not be that simple to catch.
And if Alan does know Nick’s following him, he’s probably leading Nick into a trap.
Griffith – 9 pm Friday AEDT
Z was rapt Lucy Davies proved to be an early riser and opened the attached file within thirty minutes of him sending the email.
As soon as she did, Z was inside her computer.
I still have an hour until Action Man lands in Sydney. That’s ample time to build some nice gallows to hang him on.
As Anthrax’ raucous anthem “Madhouse” wailed throughout the house, Z had a quick look through her computer. It was apparent Action Man had used it – an account called “Nifty Nick” existed. It meant Z didn’t need to make one on Davies’ behalf.
And what an appropriate name for what you’re about to do, Nifty – I couldn’t have picked a better title for my Action Man sucker phish.
Z checked her activity and emitted a smug, self-satisfied sigh. She’d already emailed her brother about the message from her trusted friend, Jenny Wong.
All I have to do now is sit back and watch the magic happen when Davies responds to his stupid sister’s email.
Over the next hour, Alan continued reading through the Project 831 documents though it was hard to concentrate knowing Nick Davies’ end was nigh.
That was until he found the short video from Guantánamo Bay.
He couldn’t finish watching the initial test on the first four subjects. Seeing the effect of their eight-second exposure to 831, he felt his stomach heaving and ran for the bathroom.
Unfortunately, he wasn’t fast enough.
As red-wine vomit spewed from his mouth and splashed off the cold bathroom tiles in a myriad of directions, Alan fell to his knees. The first wave felt like it dragged on forever. Yet, after finishing two bottles of the local red, he knew there was more to come.
Much more.
He caught a quick glimpse of purple-stained chunks and splotches across most of the bathroom floor and splash marks up the first foot of the wall before his stomach told him more red wine was about to make its comeback.
It took a minute before his stomach had settled enough for him to hear the alert. Its distinctive tone inspired him to jump to his feet. Davies’ phone had reappeared.
Teetering slightly with the sudden rush of blood and alcohol, he considered his inebriated state, then carefully made his way out of the bathroom as fast as he dared.
Once seated in front of his tiger box, Z quickly checked Nick’s location.
Ah. There you are, Action Man – Sydney airport. As I expected, you caught the corresponding flight from Beijing as me. Well, I’d like to welcome you to Australia, though your time here will not be enjoyable. It’s going to be a lot shorter than you expect. And you will hate how it ends.
Alan pumped his right fist in the air in jubilation. He couldn’t wait to watch the next few hours play out online. His main regret was that he wouldn’t see any of it in person.
However, that was not all he couldn’t see.
[1] I’ve put a note on this song as it discusses the mental illness struggles of Jenna, the sister of the band’s lead vocalist Jonny Hawkins. Click HERE to see the official video … and please watch it to the end. It’s not heavy metal per se, and the quote & stats at the end should make everyone stop & evaluate what truly matters in this mixed-up world.
[2] Configuring any account with Two Factor Authentication (2FA) means a hacker can only take over that account if they have both your password for that account + whatever you have configured as the second factor (usually, a message or alert to your mobile phone). There are ways around 2FA, but such hacks are much harder to pull off.
Please ensure 2FA is configured on all your online accounts (including banking, email & social media). To find out how, simply google “2fa” plus the account you want to configure 2FA on (e.g. “2fa facebook”), then follow the steps.
Note: If you can’t find the steps for 2FA, try searching with the term “mfa” instead (e.g. “mfa gmail”). Fyi, MFA stands for multi-factor authentication.
If you want more info in everyday language, check out HERE