substack doesn't give a s*** if its users get phished using its identity
What would you do if it was your platform?
substack was notified today of an email phishing attempt targeted at substack users (likely specifically writers that the attackers dislike). It was constructed to explicitly exploit the substack brand identity by using a basic spoof of the substack.com domain.
This attack is an email brand impersonation phishing attack. It is neither random nor a shotgun approach. How the attack was targeted, its timing, and its coincidence with other events show focused intent.
substack was sent a detailed layout of the issue with a specific request to notify users of the platform of the possibility of attacks. This would have raised awareness among substack users and lowered the odds of someone being duped by this particular phishing attack.
substack, it turns out, doesn’t give a sh**.
You can see the entire email exchange below. After idiotically repeating what it had been told in the original email notification of the attack, substack “support” said:
Unfortunately, there isn't much we can do to prevent this since it occurs outside of the platform. I'd recommend marking any such messages as spam to 'train' your email provider to automatically remove.
Consider what it takes to make this the crux of your response. In other words, “not our problem”.
If you ran substack and you were alerted of a brand impersonation phishing attack, would you send a polite warning to your user base or would you write a response which essentially expressed the sentiment “fuck our userbase, their security is their problem”?
This is why VST believes that substack is nothing more than a lynchpin of model Fourth Industrial Revolution platform behaviour as explained here:
Email exchange with substack
To: substack
From: writer
I have been subjected to two simultaneous attempts to hack me through email. You should be aware of this and alert your whole user base of this hack attempt because others will be subjected to it as well. The hack attempts tried to imitate communications directly from substack to trick the user into opening the attachment, and were sent to emails that were associated with substack accounts. This attack could happen to any substack user or writer and it is likely to be a reasonably common attack vector. The perpetrators, based on timing and coincident action, are likely to be associated with either X or Y.
To protect your users please publicise this attack as per the details below. The emails were sent to two separate email addresses that must have required the hacker to have examined substack publications closely and worked out the two target emails by their activity connection through substack. The hackers then sent the same email to each email account.
The Name of the Sender was AccountsPayable@substack.com, making this "address" the most visible thing to the reader.
In actual fact, the Sender address of both emails was accountpayables@prog-survey.jp
The subject was "Proof of payment due remittance Overseas payment-ZA9823165OT9960 Ref#32108 - July 26, 2023"
The body of the message contained only this text: "NOTICE: The information contained in this message is proprietary and/or confidential and may be privileged. If you are not the intended recipient of this communication, you are hereby notified to: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. ------------------------------------------------------------------------- "
The attachment was a 97 KB file that was titled the same as the Subject but was a .bin file. Thank you. Please take this hack attempt and method that specifically used substack to target two substack related email accounts as a serious threat vector to your other users. This attack likely originated in this form because substack is a platform that writers commonly use to stand against the fraud of X (who is integrated into the military scientific intelligence industry) and the pro-Ukraine war narrative that Y constantly peddles.
Tex (Substack, Inc)
Jul 26, 2023, 2:45 PM EDT
Hi there,
Tex here from Substack Trust and Safety. Thank you for your message.
This is a type of email alias spoofing in which a spammer sends a message pretending to use a writer's @substack.com address but is actually sending it from elsewhere. These emails are not coming from Substack, hence why you are not coming up in the system.
Unfortunately, there isn't much we can do to prevent this since it occurs outside of the platform. I'd recommend marking any such messages as spam to 'train' your email provider to automatically remove.
Please let me know if you have any questions and apologies for the inconvenience.
Tex
To: substack support
From: writer
I know everything that you have written. It is essentially contained in my original email. You seem to have completely missed the entire point of my email to you.
It is obvious that someone is deliberately targeting substack writers with phishing attacks and constructing them to exploit their use of substack by trying to trick the recipient by making it look like substack sent the email (superficially).
I never said these attacks actually came from substack and I know they did not.
The point of my email to you was to request that you tell all of your users and writers that such attacks are being made and that they should be aware of the format, and that substack doesn't send emails formatted in this way.
There are plenty of people who will fall for this. You could reduce that number by communicating to your users.
As it stands, it sounds like substack doesn't give a shit about the safety of its users.
Way to go.
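The exchange above describes the classic display-name spoof: the visible sender name is written as "AccountsPayable@substack.com" while the real address sits on prog-survey.jp, and the payload is a .bin attachment. The following is an added example, not code from the post or from Substack, showing how a mail gateway or a writer's own filter could flag exactly that pattern. It assumes substack.com is the brand to protect (PROTECTED_DOMAINS) and uses a constructed sample message that copies only the two addresses quoted in the exchange; the body and attachment bytes are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the brand whose identity is being impersonated is substack.com;
# add further domains here for other platforms you want to protect.
PROTECTED_DOMAINS = {"substack.com"}

# Attachment types that a publishing platform would never send as a "remittance".
RISKY_EXTENSIONS = {".bin", ".exe", ".scr", ".js", ".vbs", ".iso", ".lnk", ".hta"}

# Matches something that looks like an email address and captures its domain part.
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def domain_of(address):
    """Lower-cased domain of an address, or '' if it has no '@'."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def same_org(domain, brand):
    """True if domain is the brand domain itself or a subdomain of it."""
    return domain == brand or domain.endswith("." + brand)


def check_from_header(from_header):
    """Return finding codes for a single From: header value."""
    findings = []
    display, address = parseaddr(from_header)
    real_domain = domain_of(address)
    claimed = EMAIL_RE.search(display)
    if claimed and claimed.group(1).lower() != real_domain:
        # The display name is itself written as an address on another domain:
        # the "AccountsPayable@substack.com" <...@prog-survey.jp> pattern.
        findings.append("display-name-address-mismatch")
    elif any(brand.split(".")[0] in display.lower() and not same_org(real_domain, brand)
             for brand in PROTECTED_DOMAINS):
        # Softer variant: the brand name appears in the display name while the
        # actual sender domain belongs to someone else.
        findings.append("brand-in-display-name")
    return findings


def check_attachments(msg):
    """Return finding codes for attachments with executable-style extensions."""
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name and any(name.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append("risky-attachment:" + name)
    return findings


def triage(raw_message):
    """Parse a raw RFC 5322 message and return header findings followed by attachment findings."""
    msg = message_from_string(raw_message)
    return check_from_header(msg.get("From", "")) + check_attachments(msg)


# Constructed sample modelled on the message described in the exchange: the two
# addresses are the ones quoted there; subject, body and attachment bytes are placeholders.
SAMPLE = """From: "AccountsPayable@substack.com" <accountpayables@prog-survey.jp>
To: writer@example.invalid
Subject: Proof of payment due remittance
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

NOTICE: The information contained in this message is proprietary and/or confidential.
--b1
Content-Type: application/octet-stream; name="Proof of payment.bin"
Content-Disposition: attachment; filename="Proof of payment.bin"
Content-Transfer-Encoding: base64

QUFBQQ==
--b1--
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Run stand-alone it prints the two findings for the sample: the display-name mismatch and the risky attachment. The check is a heuristic on what the recipient sees, which is the part SPF, DKIM and DMARC do not cover: those mechanisms validate the real sending domain (prog-survey.jp here) and say nothing about a display name that merely reads like a substack.com address, so both layers are needed.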
Good tip. Thank you. One can only wonder at substack's lack of interest. ?? Being a domain name owner with IP I would act like you suggest. Maybe substack is part of the "Cabal DS"?
Wow, this isn't a great way to run a platform or any business. They're cutting their own throats if they end up not caring about their clients. I guess we take our business elsewhere or create one.