Intelligence Services Get Phishing Licenses

Digital security lockNew York Times journalist Ben Hubbard was targeted by a spear phishing attack designed to deliver NSO Group’s Pegasus spyware, researchers at the University of Toronto’s Citizen Lab have concluded. In 2018, Hubbard received an SMS message on his iPhone containing Arabic text that translated to “Ben Hubbard and the story of the Saudi Royal Family.” The message was accompanied by a link to arabnews365[.]com, which has since been tied to a Pegasus user associated with the Saudi Arabia’s government.

Hubbard was suspicious as soon as he saw this message, so he didn’t click the link. Instead, he searched the Internet for “Ben Hubbard and the story of the Saudi Royal Family,” and didn’t find any results. He also contacted Arab News, a real Saudi Arabian newspaper, which confirmed that arabnews365[.]com wasn’t one of their domains. Hubbard eventually turned the message over to the researchers at Citizen Lab, who determined that the domain was connected to the Saudi-linked Pegasus operator. If Hubbard had clicked the link, the Pegasus operator would have gained full access to his device.

The Citizen Lab researchers provide some interesting insights into why Hubbard was able to avoid falling for the attack.

“Academic research on journalist security shows that journalists do not share the same digital security practices and perceptions across the profession,” they write. “For example, a study found that a common mindset for journalists is to only prioritise digital security if they perceive the stories they are working on as sensitive enough to attract the attention of government authorities. Echoing these findings, ongoing research by the Citizen Lab finds that investigative reporters tend to take digital security more seriously than their peers who work on non-investigative beats, and have higher familiarity with digital security tools and practices.”

The researchers note that this type of familiarity with security practices doesn’t always come naturally, even when people work in situations where they should be wary of social engineering attacks.

“As an investigative reporter covering a sensitive topic, Ben Hubbard was wary of suspicious messages and chose to share the one he received with us for analysis,” they continue. “Yet, not all targeted journalists are working on a topic where the risk of surveillance may be so obvious. Some studies show that differences in education and training, alongside other variables such as financial incentives and institutional culture, may play a key role in closing or compounding gaps in digital security practices.”

New-school security awareness training can create a culture of security within your organization by teaching your employees to approach everything they do with a security-focused mindset.

Citizen Lab has the story:

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before the bad guys do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

PST ResultsHere's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

Subscribe To Our Blog

Ransomware Hostage Rescue Manual

Get the latest about social engineering

Subscribe to CyberheistNews