Fake press release, real awareness campaign. To attract the attention of specialist journalists to the launch of a new awareness campaign, the public interest group Cybermalveillance has just relied on a phishing email prepared with the communications agency Omnicom. An operation which, by coincidence, occurs a few days after a massive test carried out by the Île-de-France gendarmerie.
Sent on the morning of Friday March 15, the fake press release announced an exceptional event around a new artificial intelligence tool, an evening at the Grand Palais in the presence of Daft Punk and a certain president “Emmanuel M.” . Interested journalists then just had to scan a QR code to learn more and reserve their place.
Lexical proximity
But several clues suggesting that something was wrong had been sown. First, the content and tone of the email. The message announced the launch of “Open Mistral AI”, a fictitious name playing on the proximity to “Mistral AI”. This French start-up had already opened access to its artificial intelligence tool on February 26.
As for the presence of Daft Punk and Emmanuel Macron, it was very doubtful. The musical duo is in fact no longer active. And the presence of the President of the Republic would have been more highlighted or left to the initiative of the Elysée. Latest clues: if the email was indeed sent from the email address of an Omnicom agent, the message also displayed as sender the address [email protected], a domain name that exists but without an active website . Finally, the reply address of the email message referred to a Cybermalveillance mailbox.
Clicks and reports
In total, nearly 30% of the targeted journalists got caught by flashing the QR code – there are tools like 4qrcode for example to test content – inserted in the fake malicious email. The QR code referred to the press invitation organized for the (real) Cybermalveillance press conference.
An opening rate which is, however, only one of the variables to observe during this type of awareness campaign. The number of reports of a suspected malicious message is therefore important data. As a cybersecurity expert pointed out on LinkedIn, all it takes is one click to open access to an intruder.
Suffice to say that after a mass mailing, there will always be a door that will be open. The reporting time to the teams in charge of security is therefore crucial. The sooner they are informed of the launch of a malicious campaign or an unfortunate click, the sooner they can act.