clonephishing

The clonephishing analysis focuses on looking at the rhetorical situation to understand the context of the emails, as well as assessing the use of the rhetorical appeals to gauge the clonephishing email's effectiveness. While this analysis broaches the rhetorical situation and appeals, it focuses heavily on the idea of simulation. A noteworthy examination of the Podesta email leak resides at the end and digs a bit deeper into the social implications of what it means to be phished as a prominent political figure, and how that experience can be used for further protection from these types of attacks.

# what is clonephishing?

A clonephishing attack takes an email and attempts to replicate it as closely to the original as possible while changing the links to malicious sites. The sender's email address is generally spoofed, so it looks even more legitimate to the unaware. These attacks tend to mimic requests to share documents through places like Google Drive, DocuSign, or Dropbox, prompting users to enter login credentials, which allows the attackers to gain access to their files. They also mimic password resets or other types of account messages. A classic clonephish is the eBay member message, which copies the old eBay emails almost precisely, with an almost-too-real irate customer asking about an item they paid for and haven't received. While those can also be considered bulk phishing due to their mass mailing, the cloning aspect of the email solidifies their position as mimicry. It explains why they work so incredibly well versus other types of bulk phishing.

# rhetorical situation

Clonephishing emails tend to situate themselves as business communications. Many phishing emails from eBay show replicated messages that are quite convincing. Sent as member communications, the emails usually create a situation in which there is an angry customer who has been reaching out about an item, but "you" (the email recipient) have not responded to them after they've already paid for the item. There are statements such as, "eBay sent this message on behalf of an eBay member through My Messages. Responses sent using email will go to the eBay member directly and will include your email address," and "This eBay notice was sent to you on behalf of another eBay member through the eBay platform and in accordance with our Privacy Policy," which only help to solidify that this is a legitimate communication from eBay and that the situation that's happening - an angry customer - is real, and should be dealt with.

Others rely on the victim to open a link for a shared document, such as the case in DocuSign/HelloFax spoofs, in which an urgent situation is created by requesting a signature or fax review. Invoices are another popular clonephishing tactic, as copies of legitimate emails are readily available and easy to fake. In the case of this Apple invoice, it's situated as a confirmation of an order that will ship within 24 hours.

# rhetorical appeals

Clonephishing emails must rely on existing brand ethos to be successful. Because phishers are not constructing text (or rather, they shouldn't be for a true clonephish), the attacks usually rely on an existing business relationship to be successful. For example, this eBay clonephish's ethos is constructed through eBay's wording in the communication itself, as well as following the layout of emails from eBay during that period:

By using eBay's own terminology and warnings about email spoofing, the phisher creates ethos through eBay's own reputation and business practices. For example, we see that the email states, "Learn how you can protect yourself from spoof (fake) emails at: http://pages.ebay.com/education/spooftutorial." However, the link redirects to a malicious site.

Interestingly, the link which informs the recipient that they can change their notification preferences is legitimate. Perhaps this was done to quell any suspicion that may have arisen, but it may have just been an oversight. Because this email is constructed as a message from an irate customer named Bluebellvue, the opportunity for the attacker to use emotional language arises. In the message field, Bluebellvue writes,

"I don't understand why you are not answering back.I have made the payment and you said you will provide a tracking number after the payment is done.If you don't replay I am assuring you I will report you at eBay.I am sorry for that but you gave me no choice.Waiting for your answer asap. Thank you!"

This language is meant to provoke an immediate, gut-level panic in the recipient - how could they have missed all of these emails from Bluebellvue? Surely if the recipient were selling something, they wouldn't have intended to make someone panic. This language also instills fear of retaliation, since the angry customer is threatening to report the recipient to eBay, which has implications for them both as a seller and as a buyer on the eBay platform. What potentially damages the ethos of this emotionally-charged message is the text below, which states, "this message was sent while the listing was active. bluebellvue is a potential buyer." If this were true, then why would Bluebellvue have stated they paid?

If it was a mistake on their part, it's believable enough, even with poor grammar and punctuation, because it's expected someone upset enough to write a message like this while the listing was still active would not have the patience to have proofread. The email backs up their claim even further by listing the specific item number and a link (albeit malicious) to the listing itself. Regardless of whether the mention of the message being sent while the listing was active was an oversight or a purposeful intent to get you to click, the combination of mimicry and artful use of rhetorical appeals makes the eBay example a successful clonephish.

This example shows a DocuSign phish, which also relies on brand ethos to be successful. The email is recreated identically to a real DocuSign email. Since DocuSign and other document companies allow personal messages to be written, there is an element of personalization available. In this example, the message reads, "Dear Recipient, please sign this invoice It is an electronically created notice." The language conventions are impersonal and imply a more personal connection, but the email is addressed to "Recipient." It's a curious muddling of informal conventions, especially if this is meant to be a business communication. The attack even goes so far as to include a statement at the end of the email, providing a way to access the document outside of the email: "Please visit DocuSign.com, click on 'Access Documents', enter the security code: 080E7ACAF4."

Since I was unable to see the malicious website as it was taken down, I can only assume one of two things: 1) the security code is completely untrue, or 2) the link to click on was a replicated DocuSign website with the ability to type in that code, since the code is listed as invalid when entered in DocuSign itself. Since either situation is plausible, this statement only helps boost the email's ethos at face value by providing a specific example of evidence that it's real and accessible outside of the email.

# simulation - a special case with the podesta leak

Clonephishing emails are closer than other types of phishing emails to a representation of the simulacrum - a copy of something that no longer has an original, or in this case, a copy of something that has never had an original. To demonstrate this, I'm going to discuss the famous Podesta email. If you are unfamiliar with this specific phishing email, it was responsible for one of the most significant controversies in the 2016 presidential campaign. Aside from accusations of collusion, Russian Interference (or rather, the spectacle of Russian Interference), and conversations that remove the veil that classified the Democratic elite as "common people," the compromise of Podesta's account has shown the inner workings of Hillary Clinton's presidential campaign and has impacted how the public perceives the authenticity of politicians.

It's also created an even bigger spectre of Russian Hackers than before. In a sense, the release of these emails started a progression of blaming everything on Russian Hackers that feels reminiscent of McCarthyism. While there was a concentrated effort on US politicians and defense agencies, knowing that they had targets in 116 countries leads me to believe it was not a matter of focused aggression. It was a success in a long list of targets they were after, some of which included the Pope's Kyiv representative, the punk band Pussy Riot, and numerous Russian journalists and oppositionists. While the breach did have Russian actors, calling Fancy Bear (the group believed to be responsible for the leak) an official arm of Russian Intelligence meant to bring down the United States is founded upon propaganda, a desire for scapegoats, and ultimately a distraction in the midst of all the controversy generated from the breaches themselves.

We can see the clonephish was successful against Podesta for a few reasons. The email succeeded technically because Gmail's spam filter did not detect the bit.ly link. Even though it was a direct copy of one of their emails with a malicious link, the spam filter had no way of telling and let the email go through uninterrupted. Ultimately, this phishing email was successful inherently due to human error. Charles Delavan, the Hillary For America help desk tech contacted regarding the phishing email, responded to the initial inquiry with, "This is a legitimate email. John needs to change his password immediately, and ensure that two-factor authentication is turned on his account."

Delavan then provides a link to change the password as well. But the compromise that follows indicates that Podesta did not follow Delavan's advice and instead clicked on the link in the phishing email. It's at this point where the idea of the email being a simulacrum comes into play. Unsurprisingly, Podesta clicked on the link, even though Delavan provided him with a link to change the password. Since their tech support member stated that the email was legitimate, there was no reason for Podesta to believe that the link contained in the phishing email was dangerous. Comparing the Podesta phishing email to a legitimate email I received on one of my accounts after I tried to sign in while away from home, we see that it has nearly every marker of a legitimate Gmail email, from language to colors and styling:

The phishing email states that Google is notifying them that someone used their password to try and sign in to their Google account from Ukraine and that the user should change their password to avoid becoming compromised. The legitimate email I received from Google likewise notified me that someone had used my password to sign into my Google account. The only difference seems to be that the phishing email states an IP address, where the official email does not provide that information but says that "the location is approximate and determined by the IP address it was coming from." This added IP address makes the phishing email even more believable.

The phishing email's "from" tag is listed as "no-reply@accounts.googlemail.com." Legitimate account notices come from "no-reply@accounts.google.com." The likeness is so close that it's unsurprising this would be overlooked when determining whether the email is real. Whether the phishers missed this small detail or were unable to spoof the address properly is undetermined. Still, they were close enough that this minute detail did not render the email ineffective. The signature is also only slightly off, with the phishing email stating "Best, The Gmail team," where the real email says, "Best, the Google Accounts Team."
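The two mismatches described in this essay, a sender domain that is almost the expected one and a link whose visible text names one site while its target is another (the eBay spoof-tutorial link), are invisible in the rendered message but easy to check mechanically. The following is an added example, not code from the original page; the sample message, the placeholder host phish.example, and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

EXPECTED_SENDER = {"google": "accounts.google.com"}  # legitimate domain per the essay
SHORTENERS = {"bit.ly"}  # shortener named in the essay; extend as needed
# Constructed sample (phish.example is a placeholder) mixing the Podesta and eBay traits.
SAMPLE = """From: Google <no-reply@accounts.googlemail.com>
Content-Type: text/html

<a href="http://bit.ly/EXAMPLE">CHANGE PASSWORD</a>
<a href="http://login.phish.example/x">http://pages.ebay.com/education/spooftutorial</a>
"""

class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):  # lower-cased hostname, with or without a scheme
    return (urlparse(url if "://" in url else "//" + url).hostname or "").lower()

def review(raw_email, brand):
    """Return findings that the rendered message does not show the reader."""
    msg, findings = message_from_string(raw_email), []
    sender = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    if sender != EXPECTED_SENDER[brand]:
        findings.append(f"sender domain {sender} is not {EXPECTED_SENDER[brand]}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        target = host(href)
        if target in SHORTENERS:
            findings.append(f"shortened link hides its destination: {href}")
        shown = host(text) if "." in text and " " not in text else ""
        if shown and shown != target:
            findings.append(f"link text shows {shown} but points to {target}")
    return findings
```

Calling `review(SAMPLE, "google")` returns three findings: the near-miss sender domain, the shortened link, and the link whose text and target disagree.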

In the end, the phishing email that tricked Podesta became hyperreal. First, its existence was accepted as real by multiple parties and so passed the first order - a "good appearance" of an alert email from Google. But because the email is a phishing attempt, it passes the second order by "masking and denaturing" the email's intentions. That mask has become its own "sorcery," removing the profound reality, that the email is legitimate and from Google, and fulfills the third order. And finally, because it has become a simulation with no reality that matches the intent of the "good appearance," it has become simulation. Thus, with the four steps fulfilled, the email itself and perhaps phishing emails, in general, have become a simulacrum in themselves.

# final thoughts

Because the email had become a simulacrum to Delavan, there was no indication that it should have been treated as a phishing attempt. I would venture to say that this is how many of these clonephishing emails operate, especially emails that remain as close to the source material as possible. The trouble with attempting to teach people about these types of phishing emails then is not one where we can point out typical markers such as poor grammar or an improper email header. Indeed, those things did exist in the Podesta phishing email, but the variations were so small that they are incredibly easy to overlook. The focus on educating about clonephishing then relies on challenging the default setting when reviewing emails in general and perhaps adopting a sort of paranoia about every message you get. While it may sound extreme, we are a bit too trusting in giving our information out as willingly as we do.
