According to internet sources, Eugene Pupov is not a student at Coventry University.
Since the campaign’s recent widespread launch, security experts and internet sleuths have been scouring the internet to discover the actor responsible for yesterday’s “Google Doc” phishing worm. As parties continued their investigations into the phishing scam, the name “Eugene Popov” has consistently popped up across various blogs that may be tied to this campaign.
A blog post published yesterday by endpoint security vendor Sophos featured an interesting screenshot containing a string of tweets from the @EugenePupov Twitter handle claiming the Google Docs phishing campaign was not a scam, but rather a Coventry University graduate student’s final project gone awry.
Several folks on Twitter, including Twitter verified Henry Williams (@Digitalhen) have pointed out a serious flaw in the @EugenePupov profile.
This twitter account, which fraudulently used a profile image portraying molecular biologist Danil Vladimirovich Pupov from the Institute of Molecular Genetics at the Russian Academy of Sciences, has since been deactivated.
Coventry University’s communications team quickly responded on social media denying all claims that anyone named Eugene Pupov is a current or former student.
Something clearly is “phishy” about this situation.
Despite the university’s recent announcement discrediting claims of enrollment for a Eugene Popov, I would like to hypothetically explore the theory that yesterday’s campaign was a result of a student phishing research project that went terribly viral. Our PhishMe Intelligence teams identified and obtained the campaign source code and noticed that the most notable aspect of this phishing campaign was its uncanny ability to self-replicate and spread. From our vantage, there is no outward evidence indicating data was stolen or manipulated as previously alleged.
The list of domains created for this alleged “student demonstration” stinks like rotten phish.
googledocs[.]gdocs[.]download
googledocs[.]docscloud[.]download
googledocs[.]gdocs[.]win
googledocs[.]gdocs[.]pro
googledocs[.]g-2Dcloud[.]win
googledocs[.]g-2Ddocs[.]win
googledocs[.]g-2Dcloud[.]pro
googledocs[.]g-2Ddocs[.]pro
googledocs[.]docscloud[.]win
As a career-wide security researcher and current leader of phishing intelligence research teams, this list of domains is concerning. Typically, when a researcher is creating proof-of-concept code for a white paper or presentation, the naming conventions adjust the URLs to showcase their malicious or fraudulent nature for education purposes, examples being:
- “foo-example.com”
- “evil-mitm-site.com”
- “hacker.foo.example.com
If the party responsible intended to showcase educational materials that had any potential to unintentionally mislead a victim, they would typically create one, possibly two, examples to help avoid such scenario. A similar example of this would be the puny code phishing sample recently covered in WIRED where the researcher created one puny code example domain.
What’s most concerning here is the number of googledoc look-alike domains. In most best practice scenarios, a legitimate security researcher would not typically register 9 domains to illustrate a point or to educate on a threat vector. This behavior pattern is most noticeably tied to malicious actors with real nefarious motivations behind their actions.
It may be some time before the true motives of the phishing worm author are revealed, however we are inclined to believe there is a very good chance that malicious intent was in development during this campaign, the execution of which snowballed quickly beyond the author’s desired scope.
