March 28, 2024

Thread hijacking attacks. They happen when someone you know has their email account compromised, and you are suddenly dropped into an existing conversation between the sender and someone else. These missives draw on the recipient’s natural curiosity about being copied on a private discussion, which is modified to include a malicious link or attachment. Here’s the story of a thread hijacking attack in which a journalist was copied on a phishing email from the unwilling subject of a recent scoop.

In Sept. 2023, the Pennsylvania news outlet LancasterOnline.com published a story about Adam Kidan, a wealthy businessman with a criminal past who is a major donor to Republican causes and candidates, including Rep. Lloyd Smucker (R-Pa).

The LancasterOnline story about Adam Kidan.

Several months after that piece ran, the story’s author Brett Sholtis received two emails from Kidan, both of which contained attachments. One of the messages appeared to be a lengthy conversation between Kidan and a colleague, with the subject line, “Re: Successfully sent data.” The second missive was a more brief email from Kidan with the subject, “Acknowledge New Work Order,” and a message that read simply, “Please find the attached.”

Sholtis said he clicked the attachment in one of the messages, which then launched a web page that looked exactly like a Microsoft Office 365 login page. An analysis of the webpage reveals it would check any submitted credentials at the real Microsoft website, and return an error if the user entered bogus account information. A successful login would record the submitted credentials and forward the victim to the real Microsoft website.

But Sholtis said he didn’t enter his Outlook username and password. Instead, he forwarded the messages to LancasterOneline’s IT team, which quickly flagged them as phishing attempts.

LancasterOnline Executive Editor Tom Murse said the two phishing messages from Mr. Kidan raised eyebrows in the newsroom because Kidan had threatened to sue the news outlet multiple times over Sholtis’s story.

“We were just perplexed,” Murse said. “It seemed to be a phishing attempt but we were confused why it would come from a prominent businessman we’ve written about. Our initial response was confusion, but we didn’t know what else to do with it other than to send it to the FBI.”

The phishing lure attached to the thread hijacking email from Mr. Kidan.

In 2006, Kidan was sentenced to 70 months in federal prison after pleading guilty to defrauding lenders along with Jack Abramoff, the disgraced lobbyist whose corruption became a symbol of the excesses of Washington influence peddling. He was paroled in 2009, and in 2014 moved his family to a home in Lancaster County, Pa.

The FBI hasn’t responded to LancasterOnline’s tip. Messages sent by KrebsOnSecurity to Kidan’s emails addresses were returned as blocked. Messages left with Mr. Kidan’s company, Empire Workforce Solutions, went unreturned.

No doubt the FBI saw the messages from Kidan for what they likely were: The result of Mr. Kidan having his Microsoft Outlook account compromised and used to send malicious email to people in his contacts list.

Thread hijacking attacks are hardly new, but that is mainly true because many Internet users still don’t know how to identify them. The email security firm Proofpoint says it has tracked north of 90 million malicious messages in the last five years that leverage this attack method.

One key reason thread hijacking is so successful is that these attacks generally do not include the tell that exposes most phishing scams: A fabricated sense of urgency. A majority of phishing threats warn of negative consequences should you fail to act quickly — such as an account suspension or an unauthorized high-dollar charge going through.

In contrast, thread hijacking campaigns tend to patiently prey on the natural curiosity of the recipient.

Ryan Kalember, chief strategy officer at Proofpoint, said probably the most ubiquitous examples of thread hijacking are “CEO fraud” or “business email compromise” scams, wherein employees are tricked by an email from a senior executive into wiring millions of dollars to fraudsters overseas.

But Kalember said these low-tech attacks can nevertheless be quite effective because they tend to catch people off-guard.

“It works because you feel like you’re suddenly included in an important conversation,” Kalember said. “It just registers a lot differently when people start reading, because you think you’re observing a private conversation between two different people.”

Some thread hijacking attacks actually involve multiple threat actors who are actively conversing while copying — but not addressing — the recipient.

“We call these multi-persona phishing scams, and they’re often paired with thread hijacking,” Kalember said. “It’s basically a way to build a little more affinity than just copying people on an email. And the longer the conversation goes on, the higher their success rate seems to be because some people start replying to the thread [and participating] psycho-socially.”

The best advice to sidestep phishing scams is to avoid clicking on links or attachments that arrive unbidden in emails, text messages and other mediums. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark so as to avoid potential typosquatting sites.


14 thoughts on “Thread Hijacking: Phishes That Prey on Your Curiosity

  1. Billy Jack

    I must admit that there were some e-mails that left me curious, but not enough to actually open any attachment.

    I have one very long-term account that gets too much spam for the account to be of any use, but it is an official contact address that I shouldn’t get rid of. Other than that account, I rarely get any spam any more — maybe one a month — and I’m trying to cut that back to zero by using a different e-mail address for each site that is then relayed to my protonmail address.

    It’s kind of nice. Beginning a couple of days ago, I started posting an e-mail address in my signature block on a certain discussion board so that anyone can contact me if they wish. If that address starts getting spammed, I will just delete that address, set up a new address, and change the address in the signature block. I’m planning on adding that to another discussion board today.

  2. Wannabe Techguy

    Interesting read, even for a “wannabe”. Thanks for this, especially the last paragraph. Though I’ve read this advice before(probably from you) it’s a good reminder.

  3. Mahhn

    It’s time for the world to replace Email as we know it. It is insecure, poor quality methods and programs build on legacy tech that is obsolete. Billions spent on securing an insecure design that is still isn’t secure at the end of the day.
    Time to move on.

    1. don

      You have me in suspense, you can’t just throw that out there without offering a solution, what replaces email? Not text messaging like Teams, that offers no permanent record. Not encrypted email, that does not fix the problem. Back to snail mail?

      1. Max Power

        As I noted in my post below, the solution to this overall situation is to get sites and folks to use passkeys instead of passwords. Not only are they more convenient but they’re also resistant to phishing.

        1. bigp

          passkeys do nothing to help tls downgrading. E-mail servers will fallback to clear text if TLS is not supported. I think the W3C is still trying to figure out a workaround… it’s complicated because an e-mail address does not map to a specific domain or server.

      2. Mahhn

        Wish I had an answer. but alas, no. I expect there will be an open source messaging system in the next couple years that will provide levels of security and compliance with client and sending systems that will last another 50+ years.
        The only thing preventing\slowing that is corporate greed and governments that want control. Same things that ruin many aspects of opportunity for good in this world.

      3. JasonR

        Plenty have document retention enabled in Teams for regulatory and legal reasons.

  4. Max Power

    Just another story which exemplifies the notion of how the sooner we can get folks off of passwords and onto passkeys the better off everyone will be! Well, everyone except for the scammers, that is 🙂

  5. By Way Of Deception

    He looks as if someone had attached Vladimir Putin to a compressor and inflated him for several hours.

  6. sara

    This scenario here is a constant reminder on why you can not be too careful. Although it can be tricky sometimes when the email sent is from someone you know especially if you had had an exchange of files in recent times. And the moment you feel something doesn’t feel right its better you pause, double and triple check if necessary. Sometimes these links come as products or a link to a site to teach a skill for free, it can be tempting to just hit the link without thinking. And once they have access to your login information it is difficult to recover your email. So the question remains how careful can you be?
    Another thing i believe is there are little tells no matter how hard they try to imitate the original sites, but if you are not overly familiar with the site it will be difficult to tell.
    Reading about peoples experiences is very educative, you don’t need a personal lesson here.

  7. Jorge Baumeister

    I recently received one of these, from someone I knew, and also from a SE Pennsylvania business. Instead of opening the attachment I emailed back “Is this legit?” He wrote back “Yes, I sent this to you.” So I opened it, but it was the person who had hacked their account that wrote back. After I cleaned up the mess, it was just a credentials MITM for my Microsoft account. So, maybe Kidan’s email just got hacked and they sent out this phish to everyone in his address book.

  8. Four Colors

    This is why it’s important to be cautious about opening attachments or clicking on links, even if they seem to come from someone you know. Always double-check the sender’s address.

Comments are closed.