A few weeks ago I suffered a rather impressive phishing attempt via Twitter. I wanted to analyze it, understand why it didn’t work, and how the attacker could have done it…

First, we need to explain the context.

Traveling to Lisbon, on the way back, our Easyjet flight was canceled an hour before departure, with no possibility of other ‘usable’ flights for us via Easyjet. You can imagine: a complicated context, urgency, being camped in the airport hall. We didn’t know how to get back, where to sleep that night, or how to get our vehicle back in Paris.

Easyjet took care of all our exceptional expenses very quickly. Bravo and thank you to them. The customer service is very far from perfect, but we must admit it’s already good on their part, and they were very responsive on the refund.
Having a problem is always possible; fixing it quickly is essential. Congratulations again to them.
Easyjet is in no way responsible for this phishing attempt; on the contrary, thanks to them the worst was avoided.

Looking back, here is the sequence of events:

It is Friday evening, the return flight is cancelled. In Lisbon, no EasyJet desk, no employee concerned that we didn’t know what to do with our two children. So we are looking by ourselves for a return flight and a hotel for the evening. Unable to reach Easyjet (customer service is saturated), I use Twitter (it is 10 p.m.) and I tag @Easyjet.

Bingo, the community manager answers and tells me to send a private message. He asks me to give my phone number so that an advisor can contact me. Which I do. It is then midnight.

In a private message, I give my mobile number. I wait for a reply, with the impression that someone, somewhere, feels concerned…

Yes… But not really.

1:59 p.m., a sign of life from Easyjet via a WhatsApp message. Normal: I gave my mobile number in a private Twitter message to the community manager. We are then still in Lisbon, but we manage by ourselves: we have a return flight with Vueling in the evening (which cost us a lot), and we spent the night in a hotel in the city center.

So, Mohammed from Easyjet is nice; he tells me that he will take care of our expenses, but that we will do the steps once in Paris, so there is no need to discuss now. I have to contact him the next day, from home.

Ok, easy and normal: to refund me, I must have all the expenses (hotel, meals, taxi, parking…) to hand. So I go home and wait until Sunday to contact him.

Well, it gets complicated…


On Sunday, I therefore contact Mohammed. We have the following discussion:

At this stage, quietly at home, several alerts are triggered following this discussion:

  1. How will he make the link between my reservation and this What’s app chat? I am not the person who booked the tickets. It’s not consistent.
  2. Install an app? Why, they already have my info to credit me, I paid for my 4 tickets… It’s not consistent.
  3. The Apple application link… Which also asks me for my credit card number… I think Easyjet has customers who are not on Apple. It’s not consistent to use an Apple-only app… Not very professional.
  4. He asks me what he has to pay me back… Amazing behavior. It’s not consistent.

So I’m suspicious, the answer lacks consistency. I decide to check:

  1. Check whether the “Remitly” application has a good reputation. It does, but it seems to be used more for transfers abroad; not very professional, without traceability. I don’t trust it.
  2. Check with the community manager whether this is a ‘normal’ process. So I send a Twitter message with a screenshot.
  3. Check the prefix of the number, which I didn’t do in Lisbon; in the heat of the moment I didn’t think to check.

Bingo, the prefix +254 is the prefix for Kenya… Amazing to get a call from Easyjet from Kenya; it confirms that this message is suspicious. To verify this, a simple Google search:

To confirm that feeling, the answer from the community manager, very responsive, is very clear (clearer than when it came to helping me, it must be admitted):

Ok, so this is clearly advanced phishing.

You get the picture. These people were monitoring Twitter, probably on the tag @easyjet. They then looked for my information (surname, first name, mobile phone), then contacted me pretending to be EasyJet. The objective was most likely the theft of bank data.

Good reflexes

I am therefore happy to have had 4 reflexes:

  1. Don’t give out a number or react in haste (procrastination is a good thing… sometimes). During a phishing attempt, your interlocutor will often push you to act quickly so that you don’t stop to think.
  2. I had a doubt, and I checked the interlocutor’s legitimacy via a known source (call your bank, or a reference authority; in my case, the Easyjet community manager).
  3. I became suspicious because the message asked me to deviate from the normal process: in my case, installing an Apple application to be reimbursed. It’s not in the logic of things; it seems strange.
  4. Finally, if it is an email contact, check the domain name of the email; for a phone call, check the prefix and search the number on the internet (sometimes you will find the number marked as ‘scam’). I checked the prefix and found that the origin was Kenya.
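As an added example (not code from the original post), here is a small Python script that implements the two checks the author describes in points 2 and 4: mapping a phone number’s international prefix to a country with longest-prefix matching, and checking that an email address really belongs to the organisation’s domain (a subdomain counts; a look-alike domain that merely ends with the same characters does not). The calling-code table is a deliberately partial, constructed subset of the ITU list, and the organisation domain, numbers and addresses are constructed sample values.

```python
from typing import List, Optional, Set

# Constructed, deliberately partial subset of ITU E.164 country calling codes.
# A real check needs the full list (or a library such as `phonenumbers`).
CALLING_CODES = {
    "1": "North America (NANP)",
    "7": "Russia / Kazakhstan",
    "33": "France",
    "44": "United Kingdom",
    "254": "Kenya",
    "351": "Portugal",
    "352": "Luxembourg",
}


def normalize_number(raw: str) -> str:
    """Reduce '+254 ...', '00254 ...' or '254...' to the bare international digits."""
    stripped = raw.strip()
    digits = "".join(ch for ch in stripped if ch.isdigit())
    if stripped.startswith("+"):
        return digits
    if digits.startswith("00"):  # '00' international dialling prefix (Europe)
        return digits[2:]
    return digits


def country_of(raw: str) -> Optional[str]:
    """Longest-prefix match: calling codes are 1 to 3 digits and form a prefix
    code, so trying 3, then 2, then 1 digits gives an unambiguous answer."""
    digits = normalize_number(raw)
    for length in (3, 2, 1):
        country = CALLING_CODES.get(digits[:length])
        if country is not None:
            return country
    return None


def email_domain_matches(address: str, org_domain: str) -> bool:
    """True only if the address is on org_domain or a subdomain of it.
    Matching on label boundaries matters: a plain endswith('example.com')
    would also accept 'notexample.com'."""
    if address.count("@") != 1:
        return False
    domain = address.rsplit("@", 1)[1].strip().lower().rstrip(".")
    org = org_domain.strip().lower().rstrip(".")
    return domain == org or domain.endswith("." + org)


def check_contact(phone: Optional[str], expected_countries: Set[str],
                  email: Optional[str], org_domain: str) -> List[str]:
    """Return the list of inconsistencies found; an empty list means the
    contact details are at least consistent with the claimed organisation."""
    findings: List[str] = []
    if phone is not None:
        country = country_of(phone)
        if country is None:
            findings.append(f"phone {phone}: unknown calling code")
        elif country not in expected_countries:
            findings.append(f"phone {phone}: calling code belongs to {country}, "
                            f"not to {sorted(expected_countries)}")
    if email is not None and not email_domain_matches(email, org_domain):
        findings.append(f"email {email}: domain is not {org_domain}")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs (not real numbers or addresses); the
    # organisation is assumed to operate from the UK, France and Portugal.
    expected = {"United Kingdom", "France", "Portugal"}
    samples = [
        ("+254 000 000 000", None),                                 # Kenyan prefix, as in the post
        ("0033 0 00 00 00 00", "support@mail.example-airline.com"),  # consistent
        (None, "support@example-airline.com.notexample.net"),        # look-alike domain
    ]
    for phone, email in samples:
        result = check_contact(phone, expected, email, "example-airline.com")
        print(phone, email, "->", result or "consistent")
```

The country table is the weak point of any such check: keep it complete and up to date, and treat an unknown prefix as a finding rather than as a pass, which is what `check_contact` does.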

How could an intruder, from my Twitter handle, obtain my personal information? Is it simple?

Yes… It’s very very simple.

How is it done?

It’s so simple that I was able to complete the operation in thirty minutes from scratch. I will of course not name the sites here, so as not to give anyone ideas, but know that I simply had to use a Google search, 2 sites, and spend the crazy sum of 1 euro.

There is probably nothing to reproach these two sites for in themselves, but to access them you have to use Tor: they are not “.onion” sites, but they seem to filter my IPs using Cloudflare. They obviously like anonymization…

The Tor Browser is a free web browser based on Mozilla Firefox ESR that allows anonymous browsing on the Tor anonymization network.

Wikipedia

The first site makes it possible to know the identity of a user using a nickname. It works on all social networks, it’s free. It uses all the data from your networks for this, and probably files purchased in a very dubious way.

The second site performs the same operation with a first and last name. It allows you to obtain telephone numbers (professional, personal, landline, mobile). This site is paid, but at an affordable price… 1 euro for 7 days!

This site gave me all the information I was looking for, including the phone numbers.

In conclusion

It is very easy to get this type of information. It is for sale on dubious sites accessible to everyone with Tor. Of course, I recommend not putting your credit card number on this kind of website; I for my part took precautions before doing so.

Protecting yourself is complicated. Be vigilant, be wary, and always check the identity of your interlocutor, whether by email, telephone, chat, WhatsApp, SMS…

These sites are often powered by data theft from other sites, and often you are not even informed that your data is circulating.

A good test

The Have I Been Pwned site lets you know if your email appears in stolen data files: https://haveibeenpwned.com.

Don’t forget the good gestures

I share with you a short video which reminds you of the good gestures to keep in mind: