Phishing is one of the oldest fraud techniques online. Phishers often utilize a spray-and-pray method to hit as many potential victims as possible. The aim of such an attack is quick profit via the harvesting of user login or banking credentials. Once the victim surrenders his/her valuable information, the phisher moves on, either to the next victim or a different campaign altogether.
But some phishing attacks are entirely different. For the lack of a better term, I call them “long-con phishing.”
I was on the receiving end of one such phishing scam recently. In March, I received this LinkedIn message:
Even though I was connected to this guy, Tarun Poddar, I had no idea who he was (Okay, I admit, I have way too many LinkedIn connections. But hey, it’s LinkedIn.) Mr. Poddar here, who claimed to be a board member at Sequoia Capital, was looking for people who could join him in his new “venture capital firm.” His profile showed association with Sequoia Capital and that he had graduated from Stanford University with an Master of Business Administration degree.
His work experiences showed executive positions at high-profile companies like Apple, Boeing, and Cognizant.
But if you scroll down on Mr. Poddar’s profile and look at his recommendations — none of them could spell or write in proper English.
I was mildly amused at how flashy his profile was yet how obvious the phishing techniques were. Never mind a reputable venture capital firm would never look for partners or investors on LinkedIn – the poorly worded recommendations were a classic sign of a made-up profile. I wondered if this was a sockpuppet account, so I googled Tarun Poddar. What came up was quite interesting. I found a press article about his being named Apple’s Process Head for Singapore, and another article on him being a “best-selling author” of a book called Love Turns Back. Both were from media sites of questionable quality.
I also found a news article on a Delhi conman, Tarun Poddar, who posed as best-selling author and executives of global brands to defraud unsuspecting victims.
The article described Poddar, a 24-year-old computer science graduate, swindled a sizable sum from a Delhi woman by promising to get her nephew admitted to a top school. He posed as a best-selling author and a high-power executive with valuable connections. The article went on to say that he had taken a published book, redesigned the front and back covers, and republished it with an online shopping app. He also wrote many of the positive reviews himself for the book.
A further look found that Poddar has a YouTube channel and a SoundCloud account, both claiming him as a best-selling author and a high-flying executive of multinational corporations.
This guy is a piece of work, I remember saying that to myself. I briefly considered humoring him to see how far this would go, but thought better of it – I simply did not have the time. So I did not respond and put that out of my mind.
A few weeks later, I received a LinkedIn message from a different person, whose profile looked like a real professional. Her message to me was simple: “Do you know Tarun Poddar?”
I was intrigued by this and decided to respond: “No I do not.”
What transpired after that was quite interesting. She said: “Do you know that they listed you on their website as a managing partner for their new venture fund?” She gave me the URL of Foxhog Ventures, a new “company” started by Tarun Poddar.
For a few seconds I thought to myself, “Is this a sophisticated, coordinated phishing scam to get me to click on the URL?” But I decided that she looked real enough and that this was probably too sophisticated a coordination for them to pull off. So I took a barely used Chromebook and went to Foxhog’s website.
Sure enough, I saw my own portrait front and center on their website staring back at me. The caption read: “Chenxi Wang is the Founder and General Partner of Rain Capital…… She serves Foxhog as managing partner.”
That was not all of it. Poddar also runs a newsletter called Budding Beats. He had featured me in one of his newsletters and sent out this message in the WhatsApp group for Budding Beats:
At that point, I realized that this was not a typical phish. They were not looking for credentials or login information. Instead, they were building up legitimacy in cyberspace for that eventual con.
In a conversation with my LinkedIn informant, she told me that Poddar and his conspirator had built a fake venture business. Putting trustworthy people on their website is one of the ploys to try to attract investors. It was an unsettling experience, seeing my own information and likeness being used in a blatant scam.
According to social engineering expert Rachel Tobac, a sockpuppet or a fake identity phishing is the trait of a long con. Tobac said perpetrators in these cases painstakingly build connections with trustworthy folks to look like they belong. But the real goal is to “either disrupt the legitimate party’s reputation, gain access to the connection’s private data, or get someone to surrender their bank account information via a scam.”
This style of phishing, Tobac said, would take “anywhere from three- to six months for the perpetrator to reap benefit — they are in it for the long haul.”
A look on checkphish.ai with Foxhog’s URL revealed that the site is clean. This means that at least the website is not distributing malware. This, and the fact that the site is not actively phishing user credentials, made take-down with domain registrars difficult. So I decided to take matters into my own hands. I wrote Tarun Poddar a message via LinkedIn.
(Article continues on next page)
Dr. Chenxi Wang is the founder and General Partner of Rain Capital, a Cyber focused venture fund. A well-known strategist, speaker, and technologist in the Cybersecurity industry, Dr. Wang also serves on the Board of Directors for MDU Resources (NYSE:MDU) and on various … View Full Bio