Expert Insights: Anatomy of a Long-Con Phish
A fraudster on LinkedIn used my online profile in an apparent attempt to pull off a wide-ranging scam business venture.
Phishing is one of the oldest fraud techniques online. Phishers often utilize a spray-and-pray method to hit as many potential victims as possible. The aim of such an attack is quick profit via the harvesting of user login or banking credentials. Once the victim surrenders his/her valuable information, the phisher moves on, either to the next victim or a different campaign altogether.
But some phishing attacks are entirely different. For the lack of a better term, I call them "long-con phishing."
I was on the receiving end of one such phishing scam recently. In March, I received this LinkedIn message:
Figure 1:
Even though I was connected to this guy, Tarun Poddar, I had no idea who he was (Okay, I admit, I have way too many LinkedIn connections. But hey, it's LinkedIn.) Mr. Poddar here, who claimed to be a board member at Sequoia Capital, was looking for people who could join him in his new "venture capital firm." His profile showed association with Sequoia Capital and that he had graduated from Stanford University with an Master of Business Administration degree.
Figure 2:
His work experiences showed executive positions at high-profile companies like Apple, Boeing, and Cognizant.
Figure 3:
But if you scroll down on Mr. Poddar's profile and look at his recommendations -- none of them could spell or write in proper English.
Figure 4:
I was mildly amused at how flashy his profile was yet how obvious the phishing techniques were. Never mind a reputable venture capital firm would never look for partners or investors on LinkedIn - the poorly worded recommendations were a classic sign of a made-up profile. I wondered if this was a sockpuppet account, so I googled Tarun Poddar. What came up was quite interesting. I found a press article about his being named Apple's Process Head for Singapore, and another article on him being a "best-selling author" of a book called Love Turns Back. Both were from media sites of questionable quality.
I also found a news article on a Delhi conman, Tarun Poddar, who posed as best-selling author and executives of global brands to defraud unsuspecting victims.
Figure 5:
The article described Poddar, a 24-year-old computer science graduate, swindled a sizable sum from a Delhi woman by promising to get her nephew admitted to a top school. He posed as a best-selling author and a high-power executive with valuable connections. The article went on to say that he had taken a published book, redesigned the front and back covers, and republished it with an online shopping app. He also wrote many of the positive reviews himself for the book.
A further look found that Poddar has a YouTube channel and a SoundCloud account, both claiming him as a best-selling author and a high-flying executive of multinational corporations.
This guy is a piece of work, I remember saying that to myself. I briefly considered humoring him to see how far this would go, but thought better of it - I simply did not have the time. So I did not respond and put that out of my mind.
A few weeks later, I received a LinkedIn message from a different person, whose profile looked like a real professional. Her message to me was simple: "Do you know Tarun Poddar?"
I was intrigued by this and decided to respond: "No I do not."
What transpired after that was quite interesting. She said: "Do you know that they listed you on their website as a managing partner for their new venture fund?" She gave me the URL of Foxhog Ventures, a new "company" started by Tarun Poddar.
For a few seconds I thought to myself, "Is this a sophisticated, coordinated phishing scam to get me to click on the URL?" But I decided that she looked real enough and that this was probably too sophisticated a coordination for them to pull off. So I took a barely used Chromebook and went to Foxhog's website.
Sure enough, I saw my own portrait front and center on their website staring back at me. The caption read: "Chenxi Wang is the Founder and General Partner of Rain Capital...... She serves Foxhog as managing partner."
Figure 6:
That was not all of it. Poddar also runs a newsletter called Budding Beats. He had featured me in one of his newsletters and sent out this message in the WhatsApp group for Budding Beats:
Figure 7:
At that point, I realized that this was not a typical phish. They were not looking for credentials or login information. Instead, they were building up legitimacy in cyberspace for that eventual con.
In a conversation with my LinkedIn informant, she told me that Poddar and his conspirator had built a fake venture business. Putting trustworthy people on their website is one of the ploys to try to attract investors. It was an unsettling experience, seeing my own information and likeness being used in a blatant scam.
According to social engineering expert Rachel Tobac, a sockpuppet or a fake identity phishing is the trait of a long con. Tobac said perpetrators in these cases painstakingly build connections with trustworthy folks to look like they belong. But the real goal is to "either disrupt the legitimate party's reputation, gain access to the connection's private data, or get someone to surrender their bank account information via a scam."
This style of phishing, Tobac said, would take "anywhere from three- to six months for the perpetrator to reap benefit -- they are in it for the long haul."
A look on checkphish.ai with Foxhog's URL revealed that the site is clean. This means that at least the website is not distributing malware. This, and the fact that the site is not actively phishing user credentials, made take-down with domain registrars difficult. So I decided to take matters into my own hands. I wrote Tarun Poddar a message via LinkedIn.
(Article continues on next page)
(Continued from previous page)
Figure 8:
I fully expected that I would not hear a word back. To my surprise, he responded rather quickly:
Figure 9:
My information was indeed removed from their website after that. But I was perplexed. Why would a scammer take time to respond to me and comply with my request?
My friend Aviv Raff, a cybersecurity expert, thinks that Poddar and his accomplice are patiently playing out their long con. "They are still trying to build their reputation," Raff said. "Their game is bigger than you or any other individual."
In the ensuing weeks, Foxhog ventures, Budding Beats, and the associated Fackbook pages have been quite busy. I watched Foxhog jump from one fake managing partner to another, often within the span of a week or two. As recent as 20 days ago, Foxhog venture's Facebook page featured an ad looking for summer interns.
I learned in follow-on conversations with my LinkedIn informant that Poddar had offered jobs to unsuspecting college students to work at his "venture firm." When these candidates found out that he did not have a real company and quit, he would threaten them with legal actions for "illegally quitting" and ask for payments to compensate the firm.
When I showed all this to Raff, he said: "The phisher in this case is not very sophisticated, as he is making many mistakes. But he is also learning in this process. Eventually, he would try to lure reputable investors to either give them money or provide him access to money."
One thing is for sure: Poddar and his accomplices are hard at work. The rate of new content produced by this fake company put the marketing operations of many organizations to shame. The last iteration of Foxhog's website showed that they are now offering corporate training programs, apparently in partnership with Stanford Graduate School of Business:
Figure 10:
About the Author
You May Also Like
Transform Your Security Operations And Move Beyond Legacy SIEM
Nov 6, 2024Unleashing AI to Assess Cyber Security Risk
Nov 12, 2024Securing Tomorrow, Today: How to Navigate Zero Trust
Nov 13, 2024The State of Attack Surface Management (ASM), Featuring Forrester
Nov 15, 2024Applying the Principle of Least Privilege to the Cloud
Nov 18, 2024