My Wall Street phishing trip

EMAIL PRANKSTER vs WALL STREET

Fast trying to rationalise my targetting of Barclays Bank and the Bank of England I felt a trip across the pond was in order – let the dust settle.

It brought with it more challenges: time zone differences, subtle language variations etc. But I was very keen to see how the US stacked up against the UK.

Lloyd Blankfein was the first US Banking CEO that my OSINT stumbled across, and that seemed as good a target as any to get the ball rolling.


Target 1: Lloyd Blankstein
Goldman Sachs CEO


From: Harvey SchwartzMe – [harvey.schwartz.gs@outlook.com]
Sunday, June 11, 2017
To: Lloyd Blankfein
Subject: You Killed it!

Just read that your ‘how did infrastructure week go?’ Tweet won some online award for most humorous tweet – Trump will be so pissed

Harvey

Sent from my iPhone

Notes: The tweet did not win any awards


From: Lloyd Blankfein
Sunday, June 11, 2017
To: Harvey SchwartzMe

I tweeted when landed in China how good their infrastructure was and that we had to catch up….seemed like a good way to bookend my trip.


From: Harvey SchwartzMe
Sunday, June 11, 2017
To: Lloyd Blankfein

Absolute genius Lloyd. You’ve never thought of heading for Vegas with a stand-up act?!

You’d clean up. Although all the girls and gambling… A man could get easily corrupted


From: Lloyd Blankfein
Sunday, June 11, 2017
To: Harvey SchwartzMe

I’d settle for getting away with it.


From: Harvey SchwartzMe
Sunday, June 11, 2017
To: Lloyd Blankfein

As would I.

I bet Trump tries to get his own back by touring with Julio Borges!

Trump has no sense of humour anyway, he’s a relic of the old ways, drunk on power and a serious danger to America.


The End


Act 2. Two birds with one stone.

My Twitter profile had attracted enough media attention by now that I could post a new email prank and it would often become a published story.

This is exactly what happened with the Lloyd Blankfein exchange, just a few hours passing from the time I tweeted it until the first story appeared online.

Keen to keep pushing the complexity I decided that the hot-off-the-press story would become the ‘hook’ for my next target; Citibank.

Could I get two banks in one day? Using a story about the first prank to build trust in the second? Let’s see…


Targets 2&3:
Stephen Bird & Michael Corbat
Citibank


From: Michael O’NeillMe – [michael.oneill.citi@outlook.com]
Sunday, June 11, 2017
To: Stephen Bird + Michael Corbat
Subject: Have you seen this?

cityam.com/266427/goldman-sachs-boss-lloyd-blankfein-joins-mark-carne-and-jes


From: Stephen Bird
Sunday, June 11, 2017
To: Michael O’Neill Me – [michael.oneill.citi@outlook.com]

Can never be too careful Mike. Hope that’s our real Chairman!
Stephen

Notes: Ah well now I feel bad. I’m afraid it wasn’t Stephen. At the time I did do an actual LOL, which doesn’t happen often. Although part of me wanted to be sure I wasn’t being trolled, So I had to press on for clarification I wasn’t being played with.


From: Michael O’NeillMe
Sunday, June 11, 2017
To: Stephen Bird

I do think we need to perhaps protect our email addresses going forward

Sent from my iPhone


From: Stephen Bird
Sunday, June 11, 2017
To: Michael O’Neill Me

Indeed, we are using a filtering system at the moment which is capturing most spam/non recognised new messages. You’ve probably seen it capture and then ask if you want them released back to your inbox. We can still do more. At least Lloyd was responsive…in the new economy that’s something. Some of his peers are still getting their messages printed out. Lloyd should read “Thinking fast and slow” that might have helped him!
S


From: Michael O’NeillMe
Sunday, June 11, 2017
To: Stephen Bird

Ah yes, I had noticed that system, it works well.

It’s the North Koreans and Russians you need to watch in this day and age. Give them an inch and before you know it your garage door is hacked so it closes on your windshield. An old friend of mine has got trapped in his car like that. He claims hackers, but in his instance I’d say it was the large Scotch he had before leaving the golf club!


From: Stephen Bird
Sunday, June 11, 2017
To: Michael O’Neill Me

Ha ha…i’d blame Putin too


Notes: Finally! A reply from Michael Corbat too…

From: Michael Corbat
Sunday, June 11, 2017
To: Michael O’Neill Me

Can’t open it..

What a great night last eve!!

Thanks for including us.. All the best to Ted and Lizzie!

M


From: Michael O’Neill Me
Sunday, June 11, 2017
To: Michael Corbat

Oh it was nothing, I’m glad you enjoyed it. Same time next year?

I will get out my finest Scotch.


Target 3: James Gorman
Morgan Stanley CEO


Notes: Two days had passed since I had completed the pranks against Wells Fargo and Citibank; and I was actually starting to wonder if it would be possible to successfully dupe someone else so soon afterwards. I decided my ‘MO’ needed a refresh…

I had been toying with the idea of accidental emails; emails sent to the intended target – but dressed up as if they were intended for someone else for a little while now. People have a framework of what a threat should look like, and this (in theory) should disable a lot of the human alarm systems. Incorrectly sent emails do happen – and they ask nothing of the recipient – apart from triggering a certain set of fairly predictable responses; both from the sender and the recipient.

So with that in mind I wrote an email which appeared intended for a journalist, and sent that to my intended target; James Gorman.


From: Alistair Darling Me [alistair.darling@outlook.com]
Tuesday, June 13, 2017
To: James Gorman
Subject: Photo to Include

Katy,

Please find attached my photo to include with the article (it will have to do!). Could you please forward me a link once it’s live?

Thank you Katy

Alistair

Sent from my iPhone


From: Alistair Darling Me [alistair.darling@outlook.com]
Tuesday, June 13, 2017
To: James Gorman
Subject: Sorry – wrong address

I’m sure the last thing you want is a picture of me!

Alistair

Sent from my iPhone


From: James Gorman
Tuesday, June 13, 2017
To: Alistair Darling Me
Subject: Re: Sorry – wrong address

It’s a good picture anyway


From: Alistair Darling Me
Tuesday, June 13, 2017
To: James Gorman

I can’t help but think you’re being kind, the British press were always merciless about my jet black eyebrows.

It should be a good article actually, assuming my eyebrows don’t steal the show


From: James Gorman
Sent: Tuesday, June 13, 2017
To: Alistair Darling Me

Send along when done


From: Alistair Darling Me
Tuesday, June 13, 2017
To: James Gorman

I’m presuming you don’t mean my eyebrows, James.

I can categorically state they are 100% natural

Notes: Ah, so I had indeed painted myself into a corner. Should I be content I had some replies from James; and wrap up?… Or… or do I actually write an article, right now, on my iPhone?


From: Alistair Darling Me
Tuesday, June 13, 2017
To: James Gorman

Here’s the full edit. Makes a good bedtime read I think

Headline: A changing landscape

Many, many years ago I was on a family holiday with my father in South Wales. Even being kind it was a particularly wet, blustery, and miserable day. A day of crumpets by a crackling log fire. Backgammon under blankets using werther’s originals as counters. Hot baths and soup scolding our tongues like fathers Scotch from his dented hip-flask. But we were breaking new ground, plotting a different course. Rucksacks straining at our shoulders like parachutes, boots grasping our feet like clamshells. This was the way of the British ‘holiday’, and this was why we both grinned like Cheshire cats.

Eventually our efforts were rewarded with the most magnificent of vistas. A silver trail of silk cut through the mountains in the distance, and sliced towards us with a roaring and spitting that made us tingle with anticipation. We were there. Our spot. It was time to fish.

My father and I were obsessed by fishing. It consumed our every conversation and every thought. I had been bought a rod at an early age and I was endlessly fascinated by its graceful movements. Like a conductor I held it tightly, the promise of a bite ever hanging in the air.

After a few hours we had caught 8 fine salmon. The rain had indeed brought us good luck today. My father placed the fish in a linen sack, and hung it from a low hanging branch on an old oak tree, ten metres or so back from the rivers edge. We both were so engrossed with the rivers rage that we only became aware we were now not alone on the bank when we heard a snarling and spitting from the tree line behind us. We spun on our heals – my father wrapping one arm around my chest and pulling me tightly against him. I could tell my father was scared, his arm vibrated and his voice stuttered into life. ‘Get back!’ He bellowed, his eyes fixed on the linen sack of salmon. My eyes darted to join his and there beneath it were 3 enormous dogs, sniffing and snorting as they began to circle in towards our supper. One by one they started jumping at the sack, tearing at it like it was made from paper, chunks of glistening salmon tumbling down to be noisily feasted upon.

We both stood and watched as the last of the fish disappeared into the mouths of the rabid dogs. They began to sniff their way back towards the woods, and slowly they vanished from sight. Scales and cotton strips was all that was left behind.

Whilst it was a frightening experience, my father and I did take away from it one important lesson – that being you cannot take chances with the security of both yourselves and your catch. It’s very easy to say it was just unlucky the dogs crossed our paths, but we knew the area was notorious for it. Dogs had been roaming the woods for many years and just because we had never caught sight of them before, it did not mean we were correct to dismiss the risks so readily. It’s exactly the same with security in all areas of finance, to minimize the risks as you don’t think it’s likely is to ignore the definite correlation between time and likelihood. Given an endless expanse of time, eventually, even the remote risks will rear their heads. You will never know if it will occur in the first second, the 10th, or even after 100 years. But eventually your preparation for the unlikely will be called upon. You can count on it.

So the moral of this torrid tale is never reduce the chances from 1% to zero just because it’s easy and convenient to do so. That 1% is as important as it would be if it was 99.9%. This is something we tirelessly enforce at Morgan Stanley to ensure our customers are never left open to risks, and we suggest everyone in the financial industry should follow our lead.


From: James Gorman
Tuesday, June 13, 2017
To: Alistair Darling Me

Excellent. Great personal story to make a critical point!


From: Alistair Darling Me
Tuesday, June 13, 2017
To: James Gorman

I’m so glad you like it. It’s also a little knowing wink and a nod towards Goldman and Citi’s flakey cyber security that’s made rather amusing reading this week.

Whilst I’m on – 1st of July, I’m having an Arabian Nights themed party, it would be an honour if you could attend? I’ve made a rather splendid new cocktail, it contains Martini and Scotch with a few closely guarded secret ingredients. Oh please say you can make it?! I’m trying to hire an actual Camel! But by Christ they are big, I saw one close up and it scared the shit out of me if you pardon my French!


The End.


If you want to read about my White House phishing trip, click here