bellingcat - Guccifer Rising? Months-Long Phishing Campaign on ProtonMail Targets Dozens of Russia-Focused Journalists and NGOs - bellingcat
<https://www.bellingcat.com/news/uk-and-europe/2019/08/10/guccifer-rising-mon...>

A sophisticated phishing campaign targeting Bellingcat and other Russia-focused journalists has been much larger in scope than previously thought, and has lasted at least several months. Bellingcat has identified dozens of targeted individuals across Europe and the US, with the earliest reported attack dating back to April 24 2019, and some evidence suggesting the campaign was in the works since as early as March 2018. The target list of over 30 individuals using the end-to-end encrypted ProtonMail email service includes journalists, researchers, academics, employees of NGOs, and political activists. The one common denominator among them is the Russian focus of their research or activist work. Contrary to previous reporting, we have identified that at least some of the phishing attempts have been successful.

Bellingcat believes that this phishing campaign formed a stage of a larger ongoing hacking operation against Russia-focused journalists and researchers, with various methods and tools – some of them without precedent – being deployed against a range of targets both within Russia and abroad.

“A Most Sophisticated Phishing Campaign”

The active, publicly traceable phase of the phishing operation began in early April, when the perpetrators registered 11 domains intended to impersonate ProtonMail mail-hosting sites. Bellingcat has identified five different domains that were used between April 26 and July 23 2019, when our initial reporting led to a closure of the offending websites. These domains were:

my[.]secure-protonmail[.]com (April and May)
actions[.]protonmail[.]team (May)
mail[.]protonmail[.]systems (June and July)
mail[.]protonmail[.]sh (July)
mailprotonmail[.]ch (July)

Based on an iterative technique termed “timestamp pivoting”, the cyber-threat consultancy ThreatConnect was able to identify a further six domains registered by the same actor group.
Timestamp pivoting essentially scouts out domains that were registered in close temporal proximity to the known offending domains, on the assumption that cyber-crime actors purchase groups of domains in single transactions to minimize resources and exposure.

mailprotonmail[.]com
protonmail[.]direct
protonmail[.]gmbh
prtn[.]app
protonmail[.]support
prtn[.]xyz

Timestamp pivoting is not a bullet-proof algorithm and is most likely to be successful with domains registered via smaller registrars. That said, ThreatConnect’s approach did identify two domains that we later confirmed to have been used for the phishing operation. We have not identified phishing traffic from any of the remaining registered domains.

The phishing messages were in fact fake ProtonMail alerts suggesting the user’s email account had been compromised or subject to suspicious login attempts. The messages came in eight different flavors, with one of the following subject lines: “Unrecognised connection was blocked”, “Unknown connection alert”, “Someone knows your Protonmail password”, “ProtonMail unusual network activity”, “ProtonMail suspicious login”, “Keep your ProtonMail account secure”, “New login from unusual place”, and “Someone exported your encryption keys”.

The sender usually appeared to be support[@]protonmail.ch (a legitimate ProtonMail service account). However, the email headers show that this sender address was spoofed: the actual sender, visible in the Return-Path header, was one of three external web-mail accounts hosted at the Germany-based free mail service mail.uk: kobi.genobi[@]mail[.]uk, notifysendingservice[@]mail[.]uk and xavi.alonso[@]mail[.]co[.]uk. We identified that the first two of these accounts were closed by Mail.de after the initial publications about the phishing campaign; the third was still open as of press time.
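The timestamp-pivoting idea described above, written out as an added example (this is not Bellingcat's or ThreatConnect's code, and ThreatConnect's actual implementation is not described on the page). It walks a set of WHOIS-style registration records, starting from the known phishing domains, and collects every other domain created within a short window at the same registrar, then repeats from the newly found domains so that a batch registered one after another is picked up as a chain. The domain names are the ones the article lists; the creation timestamps, registrar labels and the .example "noise" domains are constructed for illustration and are not real WHOIS data.

```python
"""Timestamp pivoting over WHOIS-style registration records (added example).

Constructed data: the domain names come from the article, but timestamps,
registrar labels and the .example noise entries are invented for illustration.
"""
from datetime import datetime, timedelta

# Domains the article reports as seen in live phishing traffic (registrable part).
SEEDS = {"secure-protonmail.com", "protonmail.team", "protonmail.systems",
         "protonmail.sh", "mailprotonmail.ch"}

# (domain, creation time UTC, registrar) -- constructed sample records.
RECORDS = [
    ("secure-protonmail.com", "2019-04-02T09:14:05", "reg-a"),
    ("protonmail.team",       "2019-04-02T09:15:40", "reg-a"),
    ("protonmail.systems",    "2019-04-02T09:16:02", "reg-a"),
    ("protonmail.sh",         "2019-04-02T09:17:33", "reg-a"),
    ("mailprotonmail.ch",     "2019-04-02T09:18:10", "reg-a"),
    ("mailprotonmail.com",    "2019-04-02T09:19:01", "reg-a"),
    ("protonmail.direct",     "2019-04-02T09:19:55", "reg-a"),
    ("flower-shop.example",   "2019-04-02T09:20:30", "reg-a"),  # unrelated, same batch window
    ("protonmail.gmbh",       "2019-04-02T09:21:12", "reg-a"),  # >3 min from every seed
    ("prtn.app",              "2019-04-02T09:22:48", "reg-a"),
    ("protonmail.support",    "2019-04-02T09:24:30", "reg-a"),
    ("prtn.xyz",              "2019-04-02T09:26:07", "reg-a"),
    ("bakery.example",        "2019-04-02T09:15:00", "reg-b"),  # same minute, other registrar
    ("cycling-club.example",  "2019-04-02T13:40:00", "reg-a"),  # same registrar, hours later
    ("garden-tools.example",  "2019-04-01T09:15:00", "reg-a"),  # day before
]


def timestamp_pivot(records, seeds, window=timedelta(minutes=3),
                    same_registrar=True, iterate=True):
    """Return candidate domains registered within `window` of a seed.

    With iterate=True, each newly found domain becomes a seed for the next
    round, so a batch purchased one domain after another is followed as a
    chain even when later entries are outside the window of the original
    seeds. Candidates are returned sorted, without the seeds themselves.
    """
    parsed = [(d, datetime.fromisoformat(t), r) for d, t, r in records]
    by_domain = {d: (t, r) for d, t, r in parsed}
    found = set(seeds)
    frontier = {s for s in seeds if s in by_domain}
    while frontier:
        new = set()
        for seed in frontier:
            seed_time, seed_reg = by_domain[seed]
            for dom, created, reg in parsed:
                if dom in found or dom in new:
                    continue
                if same_registrar and reg != seed_reg:
                    continue
                if abs(created - seed_time) <= window:
                    new.add(dom)
        found |= new
        frontier = new if iterate else set()
    return sorted(found - set(seeds))


if __name__ == "__main__":
    for dom in timestamp_pivot(RECORDS, SEEDS):
        print("candidate:", dom)
```

Note what the output contains: the six domains ThreatConnect attributed to the same actor, but also flower-shop.example, an unrelated registration that merely landed in the same few minutes at the same registrar. That is the weakness the article points to: at a large registrar the window is crowded and the candidate list is mostly noise, so pivoted domains are leads to corroborate (here, by observed phishing traffic) rather than attributions in themselves. Dropping the same-registrar constraint (same_registrar=False) widens the net further and pulls in bakery.example as well.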
(Our detailed list of questions to the owner of the mail service, Mail.de GmbH, about the incident and the closure of the two accounts was not answered.) [...]
participants (1)
-
Alberto Cammozzo