New York Times journalist Ben Hubbard was targeted by a spear phishing attack designed to deliver NSO Group’s Pegasus spyware, researchers at the University of Toronto’s Citizen Lab have concluded. In 2018, Hubbard received an SMS message on his iPhone containing Arabic text that translated to “Ben Hubbard and the story of the Saudi Royal Family.” The message was accompanied by a link to arabnews365[.]com, which has since been tied to a Pegasus user associated with the Saudi Arabia’s government.
Hubbard was suspicious as soon as he saw this message, so he didn’t click the link. Instead, he searched the Internet for “Ben Hubbard and the story of the Saudi Royal Family,” and didn’t find any results. He also contacted Arab News, a real Saudi Arabian newspaper, which confirmed that arabnews365[.]com wasn’t one of their domains. Hubbard eventually turned the message over to the researchers at Citizen Lab, who determined that the domain was connected to the Saudi-linked Pegasus operator. If Hubbard had clicked the link, the Pegasus operator would have gained full access to his device.
The Citizen Lab researchers provide some interesting insights into why Hubbard was able to avoid falling for the attack.
“Academic research on journalist security shows that journalists do not share the same digital security practices and perceptions across the profession,” they write. “For example, a study found that a common mindset for journalists is to only prioritise digital security if they perceive the stories they are working on as sensitive enough to attract the attention of government authorities. Echoing these findings, ongoing research by the Citizen Lab finds that investigative reporters tend to take digital security more seriously than their peers who work on non-investigative beats, and have higher familiarity with digital security tools and practices.”
The researchers note that this type of familiarity with security practices doesn’t always come naturally, even when people work in situations where they should be wary of social engineering attacks.
“As an investigative reporter covering a sensitive topic, Ben Hubbard was wary of suspicious messages and chose to share the one he received with us for analysis,” they continue. “Yet, not all targeted journalists are working on a topic where the risk of surveillance may be so obvious. Some studies show that differences in education and training, alongside other variables such as financial incentives and institutional culture, may play a key role in closing or compounding gaps in digital security practices.”
New-school security awareness training can create a culture of security within your organization by teaching your employees to approach everything they do with a security-focused mindset.