Cybersecurity

Fake BlackRock communications are a master class in spoofing and social engineering

Key Points
  • An unknown party released a multi-pronged spoofing campaign aimed at making it appear as if the CEO of giant investment management company BlackRock was making a huge shift in investment strategy.
  • The fake communications included emails, press releases and a painstakingly detailed website.
  • The incident shows how malicious parties can successfully spoof real people and institutions.
Larry Fink, chief executive officer of BlackRock Inc.
Christopher Goodney | Bloomberg | Getty Images

An unknown party sent out a letter touting BlackRock CEO Laurence D. Fink's newfound dedication to environmental causes. A press release quickly followed, debunking the hoax email and also saying such a move wouldn't be good for the BlackRock's "short-term profitability." A BlackRock website was set up to house both these communications. Major media outlets, including CNBC.com and The Financial Times, quickly picked up on the news.

None of it was real.

The entire incident offers a masterclass in spoofing and the potential damage it can do. Like the hacked AP Twitter account that tanked markets in 2013 by tweeting fake frightening news, the spoofs show how common social engineering tactics can be injected into the news cycle, confusing investors and the public.

It's unclear who is behind the incident -- it would appear to be a person or organization with an environmental agenda. But whoever it was, they put a lot of time and effort in a campaign that would put BlackRock on the spot. Here's why it was a good example of the power of well-executed social engineering.

The power of good spoofing

Social engineering is a catch-all term used in cybersecurity to mean the practice of making you feel like you need to do something that is in the best interest of the social engineer, who is often a criminal.

Great social engineering can make you feel like you urgently need to send someone money, or lull you into a sense of security by convincing you a friend, colleague or professional is asking you a simple question.

Some common tactics are: "What's your account password, so I can check your account for fraud?" or "Can you send your latest tax return so we can finish processing your application?" Social engineers essentially find an emotional hook -- your desire to help, your willingness to not create friction or, in this case, the desire of most journalists to be the first to jump on a good story.

The attackers in this case were quite sophisticated. They created a web and email presence almost indistinguishable from the real thing.

The website created by the spoofers is quite detailed. The only "tell" is a URL that points back to blackrockesg.com rather than the real BlackRock web address -- blackrock.com. Every other link on the spoofed website, including references to Fink's past investor letters, leads back to the real BlackRock website.

The original email purporting to be from Fink was long, detailed and included the corporate-speak so common in real investor letters. The spoofers also anticipated a quick denial, and already had a fake press release prepared that itself took subtle digs at the hedge fund, implying it wouldn't take the suggested pro-environmental stance because it wasn't good for "profitability."

"With climatic threats positioned to destabilize markets at ever greater levels in 2019 and beyond, BlackRock is determined to take a leadership role in building a Paris-compliant economy," the fake letter read. "We will begin this work by divesting from coal companies in our actively managed funds. Within 5 years, more than 90% of our 1000+ investment products will be converted to screen out non-Paris compliant companies such as coal, oil, and gas, which we see as declining and endangered."

It was not immediately clear who was hosting the spoofed website, and BlackRock could not be reached for comment on whether they were working to have the site removed.

WATCH: Marriott data breach was four years in the making, say experts

Marriott data breach has been four years in the making, say experts
VIDEO3:1603:16
Marriott data breach has been four years in the making, say experts