The basics of phishing attacks: What journalists need to know to stay safe

by Jorge Luis Sierra
Oct 30, 2018 in Digital and Physical Safety
Person looks at computer screen

Unless they cover technology, most journalists probably could not explain exactly how a cyberattack happens. Yet it’s more important than ever, given recent global events, for journalists to understand how repressive governments or other groups are launching these attacks against them.

In order to defend themselves appropriately, journalists need to know how they can defeat attempts to infect their computers and mobile devices.

First, journalists need to have a basic understanding of what kind of digital weaponry governments are purchasing. Attackers are using powerful and expensive technology developed by private companies like Hacking Team, an Italian company that sells software that steals information from mobile phones, including contact lists, SMS messages, documents, photos, audio clips, videos and passwords. Some cyberattack software covertly records what keys are being struck on a keyboard and can extract data before it is encrypted.

Secondly, journalists need to understand how these hacking tools work. Although there are some differences between them, they basically follow the same pattern: the victim is deceived into clicking a link after receiving a message with a hidden spy program.

A cyberattack typically consists of the following phases:

  1. Infection of the user’s device by injecting malicious software. Attackers will try to deceive journalists by sending a message carefully crafted to look legitimate, trying to get the victim to click on a link or open a document that will actually infect their device. There are three ways that an attacker may try to access a journalist’s laptop or phone; in information security lingo, these methods are known as social engineering, exploits and spear phishing.
  2. Once the malicious software is in the device, it gets to work immediately. If the device is an iPhone, the software waits until the phone is connected and syncing with a laptop. The cyberattack software will then override the phone’s software restrictions — a practice known as "jailbreaking" — allowing for the installation of a malicious program that essentially infects the phone.
  3. The malicious software may actually work best if the infected phone, while plugged in and charging, is connected to a WiFi network controlled by the attacker. This way, the victim won’t detect any sudden battery drain that usually results from malicious software at work.

This is how adversaries mounted an attack on Rafael Cabrera, an investigative reporter for Mexican online news site Aristegui Noticias. Cabrera helped report on whether Mexico’s president favored a major government contractor that built a mansion for the president’s family. The so-called "Casa Blanca" scandal eventually became a major embarrassment for the government.

The first attempt against Cabrera was a phishing attack. Cabrera received an innocent-looking text message supposedly sent by UNOTV, a news service that delivers breaking stories via SMS to mobile subscribers. However, hidden in that message was a version of Pegasus, a powerful surveillance tool that can extract text messages, contact lists, calendar events, emails and instant messages from phones. Pegasus can also harness an infected phone’s microphone to record sound and use its camera to take photos.

The messages were a classic example of spear phishing, because they were carefully crafted and personalized, meant to pique Cabrera’s interest and get him to click on a link. "The president’s office will sue those who published the 'Casa Blanca' story," read one. "Due to 'Casa Blanca' story, the president’s office may put reporters in jail — see the names," read the second.

Fortunately, when Cabrera saw these on his cellphone screen, he immediately started worrying that the messages were an attempted cyberattack. He did not click on the links leading to the false news stories.

Editor Carmen Aristegui and reporter Irving Huerta, who both worked on the investigation, also received text messages reading, "My dad died last night, we are devastated, click here to see the funeral home address."

Thanks to their experience and awareness of the risks involved, neither of them clicked on the links contained in the malicious messages.

To learn more on what to do to prevent these attacks — and what to do if you become a victim of spear phishing — click through the slideshow below:


Spear phishing attacks from Jorge Luis Sierra

Jorge Luis Sierra is an award-winning Mexican investigative reporter and editor and an expert in digital security. Learn more about his work as an ICFJ Knight Fellow here

Main image CC-licensed by Flickr via Christopher Schirner.