Prankster Turned Gamekeeper: Phishing and Whaling with James Linton by@jamesbores
384 reads

Prankster Turned Gamekeeper: Phishing and Whaling with James Linton

tldt arrow
EN
Read on Terminal Reader

Too Long; Didn't Read

In 2017, James Linton was working as a digital UX (User Experience) designer, with no idea what a few pranks over the next few months would lead to. Now, having phished international banks and the White House, he works on helping people to understand all forms of phishing and whaling.

Companies Mentioned

Mention Thumbnail
Mention Thumbnail
featured image - Prankster Turned Gamekeeper: Phishing and Whaling with James Linton
James Bore HackerNoon profile picture

@jamesbores

James Bore

Security professional, homebrewer, amateur butcher, techie, board gamer, and beekeeper....

About @jamesbores
LEARN MORE ABOUT @JAMESBORES'S EXPERTISE AND PLACE ON THE INTERNET.

Credibility

react to story with heart

In 2017, James Linton was working as a digital UX (User Experience) designer, with no idea what a few pranks over the next few months would lead to. Now, he works on helping people to understand all forms of phishing and whaling.

Nowadays phishing is a well-known term, and has split into a myriad of others such as whaling, spear phishing, vishing, SMishing, dishing, and ever more niche terms. While phishing started off referring to just e-mail, now it covers any form of attack relying on impersonation fraud which uses electronic communication. Spear phishing is a form of phishing which is at least partly targeted, customised to the recipient, and it becomes whaling when that recipient is a high-profile individual.

Back when Linton was starting out, it was all spear phishing, not that he was familiar with it the first time he did it.

Teach a Man to Phish…

“I was the office joker. I call it joking, it’s probably bordering on just being nasty. I’d get my friend’s electronic cigarette and dip it in chilli, put it back on his desk. So it was just taking those hi-jinx and going digital.

“I think the trigger was just staring at my inbox, and as I was working in UX I was thinking about how we try to reduce technical information to make the experience more human. We’d just switched to GMail, and I was looking at the messages and realised there was just nothing of a person there.

“My CEO had sent an email to us all and we were laughing at some of the things he’d written, and I just thought there’s nothing there. There’s no voice, there’s no face, I’m just trusting that this is from him. I didn’t feel the need to click and look at the header detail or anything like that. So the next step was, well, if I pretended to be him and matched that sort of tone, I knew I wouldn’t click to reveal the email address from the display name.

“I can’t remember exactly what I wrote. Something along the lines of come to the meeting room after work and if you’ve got a solicitor inform them of the meeting. It was a bit close to the bone, I guess, and I sent it and saw it appear on his second screen. I was waiting for him to click it, and it turns out he never checks that screen. Eventually he did, and I saw him read it, and the second he finished he just turned to look at me as I was cracking up, so that first attempt didn’t work.”

It wouldn’t take long for Linton to see the potential of the approach, and put a little more thought into his next attempt, letting a colleague on another floor know that he’d been selected for the Intercompany Games, to be flown out to compete with luxury food and accommodation. Recruiting a spy on the same floor let him keep updated on what was happening. The colleague fell for it, and was delighted at being selected.

“I guess empathy wasn’t high on my list of things at the time. I justified it with what I saw other people doing. YouTube videos of pranks, Jeremy Beadle, growing up with all these rebellious tribal causes. It seemed justified, as long as someone found it funny you could do things like this.”

Very quickly, that humour would change as Linton learned an important lesson. “He was now walking up to the actual CEO to thank him for the honour, and I really did feel sick very fast. It was imploding on me, and the lesson is ‘don’t pretend to be somebody while they’re still in the building’.”

“Don’t pretend to be somebody while they’re still in the building.”

The First Strike

After a few close calls involving assigning secret missions to colleagues from the CEO (along with some emergency abort messages), Linton stepped back from phishing work colleagues. It would take a grudge for him to step up into what’s now known as whaling (then known as spear phishing).

“I’d had a bit of back and forth with Barclays. Even the Financial Ombudsman had been involved, and I just felt it was kind of over. I’d lost the argument, and I felt a bit aggrieved by that. It wasn’t in my favour, but that didn’t mean I can’t have the last laugh, I guess.”**
**

image

Jes Staley was the CEO of Barclays at the time, and recent headlines had been heavily into his attempts to silence a whistleblower in 2016. John McFarlane was the chairman of Barclays at the time, and when Linton came across an article talking about the whistleblowing story he latched onto it.

“It was around 8pm at that time, so I created a Gmail account again, and looked at the news article. I’d read about the chairman and thought that’s a good dynamic. It encourages a candid conversation, especially after a tough day you’d both been involved in. I started to think about what would he be doing now? Crying at a McDonald’s drive through? Sitting in a chair at the club smoking a cigar?”

It turned out later that Staley was at home at the time, and on his iPad. Most devices at Barclays had a warning visible for external email senders, but mobile devices were exempt (they changed the policy shortly afterwards).

This time the prank had gone a bit further than the office, and the media took notice. After sending the screenshots to a few journalists, the Financial Times picked up the story and published it. Celebrity followed quickly.

“I didn’t get any work done. People were high fiving me at work and talking about this win for the little man. And I guess this was all the addictive packaging that fueled the next step. I thought well, I want to build something out of this little thing. What are its components? Can I do more of it?”

“I think the main thing was people being surprised because they just didn’t know the scale. Anyone could set these things up on a phone, free email account, and pretend to be somebody else to the CEO of a bank.”

After that initial success with Barclays, things escalated rapidly, with cheerleading from Twitter providing encouragement.

Trolling The Bank of England

Sticking with the bank theme, another target was Mark Carney, the Governer of the Bank of England. To his credit, a sexist remark from the fake Anthony Habgood, then Chair of Court at the bank, was quickly struck down.

image

The bank raids continued, with Wall Street banks added to the target list.

“I felt like I could reach anyone’s inbox, barring getting caught by a filter. And then people started to send me email addresses.”

As Linton was posting his trophies on __Twitter__at the time the political leanings were a strong influence. Impersonating Steve Bannon to editors at Breitbart, such as Alexander Marlow, was revealing.

image

Phishing the Whale

Up to this point Linton’s identity wasn’t publicly known, beyond small circles of friends and family. That would very quickly change with the most famous and dramatic prank of them all. Also the one that turned out to be a step too far for his employer at the time. Best if he tells it in his own words.

“I noticed that our management at work were in this glass-sided meeting room, which was unusual, out of character. And I thought I wonder if that’s about me. I think it 100% was, because I can’t remember if it was a day later or a couple, but we were owned by big US companies, so they had to consult with the owners.

“From a legal standpoint, it was what they had to do. I was suspended, not allowed back to my desk, not to contact anyone I worked with and they weren’t to contact me. My computer was put into a big sealed bag and sent off for testing. I guess they were thinking it’d be full of malware, and viruses, and stuff, but it would just have been screengrabs of email conversations.

“I didn’t really know what criminals did. Didn’t have the skills to do that. Never really did anything to cover my tracks.”

And what was the whaling incident that brought things to this point?

image

**
**It may have been the successful impersonation of Donald Trump Jr to Eric Trump, or a number of other pranks against then-President Donald Trump’s White House at the time. It certainly got attention.

Saving the Whales

The future looks very different, with years of learning and understanding the principles of what he instinctively grasped in his early pranks now being put to use to protect people rather than impersonate them. A mix of speaking engagements, training content, and trying out new ideas with his new venture The Whole and a new approach to modelling out phishing threats make up a few of the threads he’s working on, but the key to it is enjoying what he’s doing.

There’s no aim for a big exit, or investment hunting, simply pursuing the freedom to try out ideas, use the ones that work, and do his own thing.

“You could do x, y, z and then in three years you could exit. Well, I found joy in building this company. I want to keep developing it. Why would I sell it or give it away? It’s not about that. It’s about having something that I’ve built.

“Worst comes to worst, I’ll just give it all up and go back and do art or some writing or I’ve got some film ideas. I’m loving this at the minute, but if that changes I will check out tomorrow, do something else. I don’t feel I have to conquer the tech world by any stretch of the imagination.”


To find out more about what Linton is doing now, and to chat to him about his training content, talks, and ideas, you can find him onLinkedIn

RELATED STORIES

L O A D I N G
. . . comments & more!
Hackernoon hq - po box 2206, edwards, colorado 81632, usa