Nobel laureate economist Paul Krugman has drawn ridicule from information security professionals – and some sympathy – after tweeting his credulous response to an apparent social engineering attack, in an incident that neatly captures the work still needed to educate even the highly educated about online security.
In a now-deleted tweet, the New York Times columnist, wrote: “Well, I’m on the phone with my computer security service, and as I understand it someone compromised my IP address and is using it to download child pornography. I might just be a random target, but this could be an attempt to Qanon me. It’s an ugly world out there.”
On the phone with my security company right now. They’re telling me someone planted Paul Krugman columns in my browser history.
— Asher Langton (@AsherLangton) January 8, 2020
Social engineering scams involving calls claiming to be from IT support are not uncommon. They can form part of so-called whaling attacks, in which high profile individuals including business leaders are targeted with fake emails or calls designed to trick the target into giving attackers access to their computer network.
As the UK’s National Cyber Security Centre (NCSC) emphasises in its board toolkit: “Senior executives or stakeholders in organisations are often the target of cyber attack, because of their access to valuable assets and also their influence within the organisation. Attackers may try and directly target your IT accounts, or they may try and impersonate you by using a convincing looking fake email address.”
Security firm Symantec warns that access to powerful machine learning tools mean an arsenal of audio and video manipulation tricks may soon also become part of such attacks, which are typically highly personalised to draw the attention of executives.
Deleted original tweet. Times thinks it may have been a scam. Anyway, will have more security in future
— Paul Krugman (@paulkrugman) January 9, 2020
With even Nobel laureates apparently convinced merely by a call pretending to be from IT support, however, deepfakes look like overkill: there’s no shortage of low-hanging fruit for attackers. Paul Krugman appears to have got away unscathed, other than taking something of a reputational knock for the initial public response.
“The Times is now on the case” he added early Thursday, January 9.
“Times thinks it may have been a scam.”
(His reference to an attempt to “Qanon me” refers to a far-right conspiracy theory that entails a belief in a satanic “deep state” paedophile ring. Donald Trump has previously retweeted posts by Qanon members and Qanon hashtags.)
The incident comes after the New York Times fired its highly respected Senior Director of Information Security Runa Sandvik, and eliminated the position.