I fell for spear-phishing hook, line & sinker

The e-mail seemed innocuous. Mr Oo Gin Lee, former Straits Times tech editor and my ex-boss, said that he had uploaded some testing materials on his website that could be useful in my job as a gadget reviewer.

Without thinking twice, I clicked on the link in the e-mail, which appeared to be dead.

I made a mental note to inform him about this, but by the end of the day, I had forgotten all about it.

It was not until a few days later, after I received another e-mail from the same sender, that I realised something was amiss.

It took a single WhatsApp message to confirm my suspicions. Gin Lee had not sent me any e-mails. But it was already too late - I had already clicked on the link the scammer wanted me to click.


In this case, the link was harmless because it was part of a test conducted by Trend Micro researcher, Mr Ryan Flores, to get past my cyber defences.

He had done his homework. He knew that my job involved testing and benchmarking computer hardware.

He also discovered that I used to work with Gin Lee, who had left The Straits Times to start his own public relations firm, Gloo PR.

He correctly deduced that Gin Lee would use ginlee@gloopr.biz as his e-mail address, which is similar to his Straits Times e-mail address, ginlee@sph.com.sg, that was published in reports.

He spoofed Gin Lee's e-mail address to make it look like it had come from him.

 

The fake website was hosted on the gloopr.com domain, which was specially registered by Mr Flores for this purpose. The actual Gloo PR website is gloopr.biz.

But what really made me let my guard down was the way the e-mail was written: informally, and in a style that was close enough to pass off as Gin Lee's.

In hindsight, there were some telltale signs in the fake e-mail that I had missed.

Firstly, the e-mail did not have the Gloo PR logo and Gin Lee's designation despite it being from his work e-mail address.

More damningly, I missed a big red flag - Gin Lee's name was misspelled as "Gin Le" in the e-mail.
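Two of the signs described above can be checked by software: a sender name that does not match the known contact, and a link whose domain shares the sender's name but not its suffix (gloopr.com against gloopr.biz). The sketch below is an added example, not part of the original article or Trend Micro's test; the sample message, the recipient address, the link path and the address book are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed address book (assumption): contacts the recipient already knows.
KNOWN_CONTACTS = {"ginlee@gloopr.biz": "Gin Lee"}

# Constructed sample message modelled on the article's description.
SAMPLE = """\
From: Gin Le <ginlee@gloopr.biz>
To: reviewer@example.com
Subject: Testing materials

Hi, I uploaded some testing materials you might find useful:
http://www.gloopr.com/testing/

Gin Le
"""

def base_label(host):
    """Naive split of a hostname into (name, suffix), e.g. ('gloopr', 'com').
    Assumes a single-label suffix; production code should use the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (host.lower(), "")

def check_message(raw, contacts=KNOWN_CONTACTS):
    """Return a list of warnings for one plain-text e-mail."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg["From"])
    addr = addr.lower()
    sender = base_label(addr.rsplit("@", 1)[-1])
    findings = []
    # Sign 1: the display name differs from the name on file for this address.
    expected = contacts.get(addr)
    if expected and display and display.strip().lower() != expected.lower():
        findings.append(f"display name {display!r} differs from known contact {expected!r}")
    # Sign 2: a link points somewhere other than the sender's own domain.
    for url in re.findall(r"https?://[^\s<>]+", msg.get_payload()):
        host = urlparse(url).hostname or ""
        link = base_label(host)
        if link == sender:
            continue
        if link[0] == sender[0]:
            findings.append(f"lookalike link domain {host}: same name as sender, different suffix")
        else:
            findings.append(f"link domain {host} differs from sender domain")
    return findings

if __name__ == "__main__":
    print("\n".join(check_message(SAMPLE)))
```

Because the sender address in this case was spoofed, the From line itself looks correct; the checks work by comparing the rest of the message against it.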

In my defence, the e-mail arrived in the middle of a busy work day - I was more keen on clearing my e-mails than going through them with a fine-tooth comb.

But this was not an excuse to be careless. After all, I had ample warning as I knew there would be an attempt by Trend Micro during that week.

Instead, I had fallen prey to a spear-phishing attack, a malicious e-mail that appears to be from a person I know.

This is a variation of the classic phishing e-mail from someone posing as a legitimate company, website or service provider in order to steal your account details.

Mr Flores had this to say after explaining how his plan worked: "Confirming that the e-mail came from the actual person helps. Paranoia is useful."

A version of this article appeared in the print edition of The Straits Times on April 27, 2016, with the headline 'I fell for spear-phishing hook, line & sinker'.