Harry Potter Phishing Attack: Fact or Fiction?

On June 19th a spoiler for the next Rowling book, Harry Potter and the Deathly Hallows, was posted to the Full Disclosure mailing list.
(WARNING: If you’re a Harry Potter fan you may want to hold off reading it.) The spoiler was nothing more than a summary of which main characters allegedly die in battle with Voldemort and other rivals.
What is more interesting is how this book was allegedly obtained. The author of the messages claims he launched a phishing attack against Bloomsbury Publishing.

“The attack strategy was the easiest one. The usual milw0rm downloaded exploit delivered by email/click-on-the-link/open-browser/click-on-this-animated-icon/back-connect to some employee of Bloomsbury Publishing, the company that’s behind the Harry crap.”

The claim is that a spear phishing attack was executed against Bloomsbury Publishing staff. Was Bloomsbury Publishing really phished? This telegraph.co.uk story: “Harry Potter ‘hacker’ posts plot on internet” has a quote from a Bloomsbury spokeswoman, “There are lots and lots of rumoured versions of the book (on the internet). We don’t confirm or deny any rumours.”

Did the Bloomsbury phishing attack really happen or was it a hoax? http://phishme.com/ doesn’t know, but one would think that if this hack really did happen over a month ago, Harry Potter and the Deathly Hallows would be all over bittorrent. I checked a few tracker sites before starting this blog post. All the claims on Demonoid were that the 5 available Deathly Hallows books were either hoaxes or ……..

********** BREAKING NEWS **********
Demonoid has removed all of the hoax torrents and only this one remains:

“I found this on another site, for those of you who simply can’t wait. It only includes the book up to pg.495.
But at least now we can compare the fakes to the real thing.
Enjoy and remember to seed!!”

This one appears to be someone who has taken digital photos of 495 pages. Now that is someone dedicated to their piracy!

********** END NEWS **********

So it seems that there is still no official full copy on bittorrent but it’s only a matter of time.

In another story by PCmag: Dissecting the Harry Potter ‘Hack’ we read:

“it is conceivable that a successful download-based exploit was launched, according to a member of the hacker community, who asked that his name not be used. He pointed out that hackers have begun to carefully target companies and market segments. A well-crafted attack that uses correct names and titles, and spoofs a sending address from a partner firm, can be highly effective.”

For the record, it’s beyond conceivable: it’s happening now. In the recent incident response projects that we’ve worked, the attack vector used to gain a foothold into the organization is a targeted phishing attack. It’s not just a problem for the commercial world either.
Do you think that the DOD is requiring mandatory anti-phishing training because they fear that they might get hacked using this method? Check out this quote from this DOD battles spear phishing article:

“At this point, the true scope of compromise and exploitation is unknown, but likely thousands more users and computers have been, or will be, successfully targeted,” the bulletin states.

It’s too bad that external penetration testing no longer mimics the ways that attackers are getting into organizations. If you’re responsible for commissioning an external penetration test against your organization, maybe it’s time to do more than full TCP/UDP port scans (think social engineering). Today’s MySpace generation of attackers doesn’t even know what UDP is.