ProtonMail, a popular encrypted email provider, is warning about a recent phishing attack on customer accounts that may have come from Russian state-sponsored hackers.
The attack attempted to break into ProtonMail accounts belonging to journalists at Bellingcat, an investigative news outlet. The hackers sent fake emails pretending to be ProtonMail’s support team, which asked recipients to enter their login credentials.
Fortunately, the attack failed. However, the phishing scheme underscores how a ProtonMail account can be vulnerable to intrusion, despite the use of end-to-end encryption. “Only the owner of the mailbox has the ability to decrypt the mailbox. Consequently, the most practical way to obtain email data from a ProtonMail user’s inbox is by compromising the user,” ProtonMail said in a blog post about the incident.
Security firm ThreatConnect analyzed the phishing emails, and said the hackers were attempting to trick the victims into handing over their login credentials by claiming their “privacy may have been compromised.” The same email contained a link to change the user’s password and generate new encryption keys. But in reality, the link led to malicious websites at “mail.protonmail.sh/password” and “mailprotonmail.ch,” which were actually under the hackers’ control.
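The two lure domains above share the brand name but not the registrable domain the real service uses. As an added defender-side example (not code from the original article, ProtonMail, or ThreatConnect), the Python below extracts links from a message body and flags any whose host contains "protonmail" without resolving to an assumed set of legitimate domains; the legitimate-domain set and the sample message are assumptions constructed for this illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed set of domains the real service owns; adjust for a deployment.
LEGIT_DOMAINS = {"protonmail.com", "protonmail.ch"}
BRAND = "protonmail"
# Matches bare or schemed URLs like "mail.protonmail.sh/password".
URL_RE = re.compile(r"(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/[^\s\"'<>]*)?", re.I)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname, e.g. 'mail.protonmail.sh' -> 'protonmail.sh'.
    Simplification: ignores multi-label public suffixes such as .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url: str) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for one URL."""
    if "://" not in url:
        url = "http://" + url  # urlsplit needs a scheme to populate hostname
    host = urlsplit(url).hostname or ""
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legit"
    # Brand name present in the host but registrable domain is not ours:
    # wrong TLD (protonmail.sh) or a glued prefix (mailprotonmail.ch).
    if BRAND in host.replace("-", ""):
        return "lookalike"
    return "unrelated"


def suspicious_links(body: str) -> list:
    """All lookalike URLs found in an email body, sorted and de-duplicated."""
    found = {m.group(0) for m in URL_RE.finditer(body)}
    return sorted(u for u in found if classify_link(u) == "lookalike")


# Constructed sample mimicking the lure described in the article.
SAMPLE_BODY = (
    "Your privacy may have been compromised. Reset your password at "
    "mail.protonmail.sh/password or https://mailprotonmail.ch to generate "
    "new encryption keys. Real help: https://protonmail.com/support"
)

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_BODY):
        print("lookalike link:", link)
```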
ProtonMail and ThreatConnect uncovered some evidence that the tactics used in the phishing scheme match those of Fancy Bear, the Russian state-sponsored hacking group blamed for hacking into the Democratic National Committee in 2016. However, neither company can confidently say the Kremlin was behind the attack.
That said, Bellingcat has fended off several hacking attempts over the years, which it has blamed on the Kremlin. “Yet again, Bellingcat finds itself targeted by cyber attacks, almost certainly linked to our work on Russia,” the publication’s founder Eliot Higgins tweeted last week. “I guess one way to measure our impact is how frequently agents of the Russian Federation try to attack it, be it their hackers, trolls, or media.
“This campaign appears to have just targeted a very small number of people, in the low tens,” he added.
In response to the attack, ProtonMail contacted the web hosts and domain registrars to suspend all the domains used in the phishing scheme. The Switzerland-based company also says official ProtonMail messages will be clearly indicated with a star in the ProtonMail inbox. “There is no way for an attacker to spoof this. This means that it is always possible to tell immediately if an email is fake or not,” it added.