We Got Phished

by Paul Dancstep • October 20, 2016


Last month the Exploratorium was the target of a cyber attack. This is an account of what we think happened and how we dealt with it.

The story begins on September 6, when an Exploratorium staff member received an email from a familiar mailing list. It contained a link to a shared document, which the employee clicked on, sending her to a page like this:

She logged into her account but couldn’t find the document and, with other more urgent emails to deal with, she quickly moved on and put this brief event out of mind.

This staff member will henceforth be known as PZ, or “patient zero.”

The login page wasn’t really a login page. It was a decoy webpage, designed to look legitimate in order to trick unsuspecting recipients into typing in their private login credentials. Having fallen for the ruse, PZ had effectively handed over her email username and password to an unknown party outside the Exploratorium.

This type of attack is known as “phishing.” Much like putting a lure into a lake and waiting to see what bites, a phishing attack puts out phony prompts, such as a fake login page, hoping that unwitting recipients can be manipulated into giving up personal information.

The period following a successful phishing attempt is known as “the pivot.” This is when the attacker steps back and asks, “Now that I have access, how can I exploit this place from the inside out?” Our attackers spent three days planning what to do next.

At around 10:30 a.m. on September 9, three things happened to PZ’s email account. First, her contact list was deleted. Second, a filter on the account was changed, sending all incoming mail to the trash folder. And third, the account began spewing out emails to the entire museum (and all of PZ’s other contacts), each with a link to a phishing login page. The emails had even been customized for our institution; the subject line was “Explratorium Report.”

Most of us could tell right away that PZ’s email seemed phishy. Unfortunately, the barrage of replies PZ began receiving (e.g., “Are you spamming me?” or “I think you’ve been hacked”) weren’t showing up in the inbox. By diverting all incoming email to the trash, the attackers had essentially blinded PZ to the fact that anything was amiss. Moreover, once it became apparent that the account had been hacked (people began showing up at PZ’s desk with the bad news), PZ had no way to warn anyone. You can’t alert your contacts not to open a previous email from you if your contact list has been deleted. PZ’s account was erupting with fraudulent emails and there was no way to shut it off or mitigate the damage it was surely causing.
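The two changes made to PZ’s account (a catch-all filter to Trash, plus any silent auto-forward) are exactly the things an admin can audit for across every mailbox. The following is an added example, not code from the original post or from the Exploratorium’s IT team; the filter dicts assume the shape of the Gmail API’s users.settings.filters resource, and all sample values are constructed.

```python
"""Audit mail filters for the "divert everything to Trash" pattern.

The filter dicts mirror the shape of the Gmail API's users.settings.filters
resource (a `criteria` dict and an `action` dict with label ids); that shape is
an assumption for this example, and nothing here contacts Google.
"""

TRASH, INBOX = "TRASH", "INBOX"

# Criteria fields that actually narrow which messages a filter matches.
NARROWING_FIELDS = ("from", "to", "subject", "query", "negatedQuery",
                    "hasAttachment", "size")


def is_catch_all(criteria):
    """True when the criteria match essentially every inbound message."""
    for field in NARROWING_FIELDS:
        if criteria.get(field) not in (None, "", "*", False, 0):
            return False
    return True


def assess_filter(flt):
    """Return the reasons a filter looks like attacker-installed blinding."""
    reasons = []
    action = flt.get("action", {})
    criteria = flt.get("criteria", {})
    adds = set(action.get("addLabelIds", []))
    removes = set(action.get("removeLabelIds", []))
    if (TRASH in adds or INBOX in removes) and is_catch_all(criteria):
        reasons.append("catch-all filter hides every incoming message from the Inbox")
    if action.get("forward"):
        reasons.append("auto-forwards mail to " + action["forward"])
    return reasons


def audit_filters(filters):
    """Map filter id -> reasons, for every filter that raised at least one."""
    findings = {}
    for flt in filters:
        reasons = assess_filter(flt)
        if reasons:
            findings[flt["id"]] = reasons
    return findings


# Constructed sample: a benign newsletter filter, a blinding filter like the
# one in the incident, and a covert forwarding rule (all values made up).
SAMPLE_FILTERS = [
    {"id": "f1", "criteria": {"from": "news@example.org"},
     "action": {"removeLabelIds": ["INBOX"], "addLabelIds": ["Label_12"]}},
    {"id": "f2", "criteria": {}, "action": {"addLabelIds": ["TRASH"]}},
    {"id": "f3", "criteria": {"query": "*"},
     "action": {"forward": "collector@attacker.example"}},
]

if __name__ == "__main__":
    for fid, why in audit_filters(SAMPLE_FILTERS).items():
        print(fid, "->", "; ".join(why))
```

Run periodically against every account’s filter list, this turns the “blinding” step of the attack into an alert instead of something only discovered when colleagues walk over to the victim’s desk.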

One of our IT specialists received the email and responded with the following message:

Hi PZ,

Did you mean to add me to this?

Two minutes later came this reply:

Just sharing some of out document for the year 2016 with our partners you might be interested in it, I made it secured.

Thank you. 

-PZ

This is not at all how PZ talks. Someone, somewhere, was monitoring PZ’s trash folder and responding to her messages, trying to maintain the illusion of normalcy for as long as possible. 

Our IT department began investigating. Where was the account being controlled from? If you log in to a Gmail account on a web browser and scroll to the bottom right you’ll see a link that says ‘Details.’

Clicking on this brings up a window that shows all of the devices logged into that email account (this may include smartphones, a work computer, a home computer, etc.). When our IT department brought up PZ’s account activity they saw two suspicious-looking logins, one from a server in Fargo, North Dakota, and another from an IP address located in Nigeria.

IT also tracked down the fake login page that the emails linked to. This required some care: the webpage could have been set up to load malware onto visiting computers, which would mean that clicking on the link would lead to immediate infection. The address of this webpage had been disguised in the link using a URL shortener, which IT reverse engineered with a URL expander in order to run a virus scan. The page appeared clean; its only apparent intention was to collect passwords. This webpage was being hosted on another server, this one at a server farm in Texas.

From these and other clues collected using forensic tools in Google Apps and our firewalls, our overall impression of the attack is as follows:

By spreading the attack across many devices, the attackers were hoping to avoid Gmail’s fraud detection system. Emails coming from a domestic server are inherently less suspicious than emails coming in from overseas and, by splitting the parts of the attack between two different hosts, the scheme was made harder to detect. 

Using our Intrusion Detection System, IT determined that 54 people at the Exploratorium had clicked on the malicious link. As one of these 54, all I can say is that, as paranoid as I usually am, this just didn’t trigger an alarm for me. An email from PZ has high social credibility within the museum, and the presence of our museum name in the subject line (even if misspelled) was enough to successfully fake me out.

“What makes an attack like this so effective is that you never expect to see something as convincing as this,” said Miles Reed, one of our IT systems administrators. “The vast majority of the phishing emails received by the Exploratorium are rejected outright or filtered into spam.” A convincingly personalized phishing attack like this is known as “spearphishing.”

Around the time that PZ’s account was sending its 200th email, Google flagged the activity as suspicious and blocked any further outgoing email from the account. IT sent out a museum-wide alert, restored PZ’s account to normal, and had everyone who’d visited the phishing site change their password. After attending to our basic network hygiene, IT set our alerts to a higher threshold to monitor for suspicious login attempts. Indeed, throughout the next several weeks our email accounts were being periodically probed for password weaknesses. These alerts had a chilling quality to them, a bit like if you changed the locks on your house and then received a note every time someone tried to break in with the old key.
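The two signals IT acted on above, a single account signed in from two countries within half an hour and the weeks of password probing that followed, can be written down as simple checks over a sign-in audit log. This is an added example and not the Exploratorium’s tooling; the log format, user names, IP addresses and thresholds are all constructed assumptions.

```python
"""Flag suspicious sign-in activity in a (constructed) login audit log.

Check 1: an account with successful logins from two countries inside a short
window. Check 2: a burst of failed logins against one account. The line format
"<ISO time> <user> <ip> <country> <success|failure>" is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; the IPs are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2016-09-09T10:02:00 pz 203.0.113.10 US success
2016-09-09T10:29:00 pz 198.51.100.7 NG success
2016-09-09T10:31:00 alice 192.0.2.44 US success
2016-09-12T08:00:00 pz 198.51.100.7 NG failure
2016-09-12T08:00:30 pz 198.51.100.7 NG failure
2016-09-12T08:01:00 pz 198.51.100.7 NG failure
2016-09-12T08:01:30 pz 198.51.100.7 NG failure
2016-09-12T09:00:00 bob 192.0.2.45 US failure
"""


def parse_log(text):
    """Return (time, user, ip, country, result) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        ts, user, ip, country, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, country, result))
    return sorted(events)


def multi_country_logins(events, window=timedelta(hours=24)):
    """Users with successful logins from two countries inside `window`."""
    by_user = defaultdict(list)
    for ts, user, _ip, country, result in events:
        if result == "success":
            by_user[user].append((ts, country))
    flagged = set()
    for user, logins in by_user.items():
        for i, (t1, c1) in enumerate(logins):
            if any(c2 != c1 and t2 - t1 <= window for t2, c2 in logins[i + 1:]):
                flagged.add(user)
    return flagged


def failed_login_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Users with at least `threshold` failures inside any sliding `window`."""
    by_user = defaultdict(list)
    for ts, user, _ip, _country, result in events:
        if result == "failure":
            by_user[user].append(ts)
    flagged = set()
    for user, times in by_user.items():  # times are already sorted
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("multi-country:", multi_country_logins(evs))
    print("failed bursts:", failed_login_bursts(evs))
```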

We can only speculate about what these attackers intended to do with our information. Login credentials can be bought and sold on the black market. Networks of compromised computers can be operated as “botnets” to send out spam or take out webpages. Perhaps they intended to capture credit card data from our online ticketing system. In 2013, Target had 110 million customer credit card records stolen by hackers, a breach that originated with a simple phishing attack on one of its subcontractors.

Knock on wood, but it seems like this attack was diverted without any serious negative impacts. This one was more like catching a bad cold than getting seriously knee-capped, although it does leave us in the institutionally sheepish position of having probably given this stupid cold to some of our friends and partners.

October is National Cybersecurity Awareness Month and, as always, it’s flu season on the internet. Maybe this is as good a time as any for you to switch to two-step verification.

Be safe out there.
