7/2/2020
02:30 PM
Chenxi Wang

Anatomy of a Long-Con Phish

A fraudster on LinkedIn used my online profile in an apparent attempt to pull off a wide-ranging scam business venture.

Phishing is one of the oldest fraud techniques online. Phishers often utilize a spray-and-pray method to hit as many potential victims as possible. The aim of such an attack is quick profit via the harvesting of user login or banking credentials. Once the victim surrenders his/her valuable information, the phisher moves on, either to the next victim or a different campaign altogether.

But some phishing attacks are entirely different. For the lack of a better term, I call them "long-con phishing."

I was on the receiving end of one such phishing scam recently. In March, I received this LinkedIn message:

Even though I was connected to this guy, Tarun Poddar, I had no idea who he was. (Okay, I admit, I have way too many LinkedIn connections. But hey, it's LinkedIn.) Mr. Poddar here, who claimed to be a board member at Sequoia Capital, was looking for people who could join him in his new "venture capital firm." His profile showed an association with Sequoia Capital and that he had graduated from Stanford University with a Master of Business Administration degree.

His work experience showed executive positions at high-profile companies like Apple, Boeing, and Cognizant.

But if you scroll down on Mr. Poddar's profile and look at his recommendations -- none of them could spell or write in proper English.

I was mildly amused at how flashy his profile was, yet how obvious the phishing techniques were. Never mind that a reputable venture capital firm would never look for partners or investors on LinkedIn; the poorly worded recommendations were a classic sign of a made-up profile. I wondered if this was a sockpuppet account, so I googled Tarun Poddar. What came up was quite interesting. I found a press article about his being named Apple's Process Head for Singapore, and another article on his being a "best-selling author" of a book called Love Turns Back. Both were from media sites of questionable quality.

I also found a news article on a Delhi conman, Tarun Poddar, who posed as a best-selling author and an executive of global brands to defraud unsuspecting victims.

The article described how Poddar, a 24-year-old computer science graduate, swindled a sizable sum from a Delhi woman by promising to get her nephew admitted to a top school. He posed as a best-selling author and a high-powered executive with valuable connections. The article went on to say that he had taken a published book, redesigned the front and back covers, and republished it on an online shopping app. He also wrote many of the positive reviews for the book himself.

A further look found that Poddar has a YouTube channel and a SoundCloud account, both claiming him as a best-selling author and a high-flying executive of multinational corporations.

"This guy is a piece of work," I remember saying to myself. I briefly considered humoring him to see how far this would go, but thought better of it; I simply did not have the time. So I did not respond and put it out of my mind.

A few weeks later, I received a LinkedIn message from a different person, whose profile looked like a real professional. Her message to me was simple: "Do you know Tarun Poddar?" 

I was intrigued by this and decided to respond: "No I do not." 

What transpired after that was quite interesting. She said: "Do you know that they listed you on their website as a managing partner for their new venture fund?" She gave me the URL of Foxhog Ventures, a new "company" started by Tarun Poddar.

For a few seconds I thought to myself, "Is this a sophisticated, coordinated phishing scam to get me to click on the URL?" But I decided that she looked real enough and that this was probably too sophisticated a coordination for them to pull off. So I took a barely used Chromebook and went to Foxhog's website.

Sure enough, I saw my own portrait front and center on their website staring back at me. The caption read: "Chenxi Wang is the Founder and General Partner of Rain Capital... She serves Foxhog as managing partner."

That was not all of it. Poddar also runs a newsletter called Budding Beats. He had featured me in one of his newsletters and sent out this message in the WhatsApp group for Budding Beats:

At that point, I realized that this was not a typical phish. They were not looking for credentials or login information. Instead, they were building up legitimacy in cyberspace for that eventual con.

In a conversation with my LinkedIn informant, she told me that Poddar and his conspirator had built a fake venture business. Putting trustworthy people on their website is one of the ploys to try to attract investors. It was an unsettling experience, seeing my own information and likeness being used in a blatant scam.

According to social engineering expert Rachel Tobac, a sockpuppet or fake-identity phish is the trait of a long con. Tobac said perpetrators in these cases painstakingly build connections with trustworthy folks to look like they belong. But the real goal is to "either disrupt the legitimate party's reputation, gain access to the connection's private data, or get someone to surrender their bank account information via a scam."

This style of phishing, Tobac said, would take "anywhere from three to six months for the perpetrator to reap benefit -- they are in it for the long haul."

A look on checkphish.ai with Foxhog's URL revealed that the site is clean. This means that at least the website is not distributing malware. This, and the fact that the site is not actively phishing user credentials, made take-down with domain registrars difficult. So I decided to take matters into my own hands. I wrote Tarun Poddar a message via LinkedIn.

Dr. Chenxi Wang is the founder and General Partner of Rain Capital, a cyber-focused venture fund. A well-known strategist, speaker, and technologist in the cybersecurity industry, Dr. Wang also serves on the Board of Directors for MDU Resources (NYSE:MDU) and on various ...