She Was a Hacker, He Was a Botnet: A Phishing Love Story

The day my hacker co-worker and best friend decided to open Tinder, I was a bit reluctant about her decision. With two hearts broken in her pocket, plenty of Cosmopolitans, and a couple of nights with a blank space between 12 am and 12 pm, I thought stability was definitely not the right word to describing her current situation.

After two weeks of late-night working trying to intrude into our monthly customer’s network, we finally found an unpatched machine that allowed EternalBlue to do its charms. We were exhausted. We just wanted a hot shower and a warm bed. That’s why I proposed Margaritas.After two rounds and some hot guys in the corner waiting for the right moment to jump in, I proposed my friend to go away for the weekend to a cabin in the woods in the middle of Veluwe. No guys. No computers. No exploits. No malware. No nothing. Just cosmopolitans and maybe some dry martinis. She said yes.

When we arrived at the cabin, the weather was beyond perfect. We swam, we cook, we hiked, we read and we slept. Around 7 pm we started to fill the chills of an autmnish dutch evening and we decided it was the moment to jump in our pyjamas, get some martinis and start to swipe right. We knew that we promised no guys, but technically they were not there. At least that is what we thought.

It was around 9:00 pm when this astonishingly good looking guy started a
conversation with my friend. He was less than 1 km away, so we thought that if things were going right, we may break one rule. Or two:

-Hey beautiful neighbor! How is the wild life treating you?

-Life here is good thanks. This weather suits me very well. 

-Wow! Quite a revelation for a lady coming from Sao Paulo.

Our brains froze a little. How this guy knew my friend was coming from Sao
Paulo? She was always very careful disclosing her personal information in dating apps. Thanks to our pen-tester jobs, we knew that social media was the perfect place for future social engineering attacks.

-How did you know I come from Sao Paulo?

 -Well… I may be honest, and maybe I stalked you a little bit on Facebook.

-Well, that is even weirder because I don’t have Facebook.

There was a long pause when he didn’t answer. We were hyperventilating, not knowing if this guy was going to answer again and astonishingly worried by the fact that according to Tinder, he was less than 1 km away.And then, after 10 min he answered:

-Ok then, what is this over here: <http:…>

We were freaking out. She was freaking out. Her emotions were taking all over her body. She was about to click on the link when I said: "STOP"."Stop. Isn’t this it? Isn’t this what we have been preparing all our adult life for? Isn’t this the reason why we have food in our tables and clothes in our wardrobe?" — I said.All the signs are there:1. An appealing sender2. A message that is triggering an emotion3. Someone asking you to do an action4. A payload: In this case a link.

This is a phishing attack.

She looked at me with a face as she has seen a ghost. In a matter of seconds, she came to her senses. And it all made sense. It was clearly a
phishing attack.

At that moment, we ran to the car. But instead of running away, we took the computers that we left on the trunk and came back in the house. We went straight to the kitchen table, opened our Virtual Machines, and started Kali Linux. And while the dragon was loading on our screens, we had another Cosmo.We copied the link in Virus Total and we created an isolated proxy server to analyze the URL. The URL took us to a site where remote code started to be executed. With the help of Burp, we tried to analyze the source IP where the traffic was coming from, but it was pointless. It was redirecting a small island not so far away from French Polynesia. Clearly, someone didn’t want to get caught.Was she the victim of a Spray and Pray? Most likely not. Why was someone targeting her? We don’t know. There were many questions that still remained unsolved. And many memories that remained from that trip over the weekend.Phishing attacks are a real threat. They can be so subtle, so elegantly done. So natural that even the most seasoned hacker can hardly see it coming. This was the moment when I realized that phishing is not a campaign or part of awareness training. It is a weapon. And a very real one.In the meantime, my friend deleted her Tinder. Not because of the incident of the cabin, but because she downloaded Bumble.

This story was inspired by true events. The names of people and places have been altered in order to secure the privacy of those who are involved.