Email deception
Linton Reborn
How the Email Prankster Became a Cyber Crimefighter
Back in 2017, James Linton hit the headlines under his pseudonym SINON_REBORN as a prolific email prankster, duping both high-profile celebrities and senior politicians. Now, however, he has turned his skills to combatting cybercrime as a threat researcher for Agari. Robert Scammell caught up with Linton to find out how he made the transition.
When James Linton “fell out of love” with his previous career as a web developer, he was “flailing around trying to find a new thing to latch on to”.
In such moments of uncertainty, some might retrain, go back to university or learn how to play an instrument. For Linton, it meant sending email pranks to some of the biggest names in politics, business and showbiz.
In an “intense” five-month period in 2017, Linton, from Manchester, UK, tricked the likes of Harvey Weinstein, Mark Carney and Eric Trump, among others, into a series of comical email conversations.
Under the Twitter handle @SINON_REBORN, named after Sinon the Greek who tricked the Trojans into accepting the wooden horse, he posted hilarious conversations that earned him the accolade “the most prolific prankster of 2017”.
To fool his victims, he used an unsophisticated technique known as display name deception, which gambles on people not checking whether the sender's email address matches the display name. It’s a trick that, if employed with malicious intent, can be used to gather valuable information for spear-phishing campaigns.
But for Linton/SINON_REBORN, the only intent was to amuse. And he certainly did so. When posing as Eric Trump, for example, Linton duped freshly appointed US ambassador to Russia, Jon Huntsman, with hilarious results.
“Thanks for the thoughtful note,” Huntsman wrote to Linton/Trump. "Russia will be a challenging but no doubt rewarding assignment."
“Maybe we could have Dad sat on a horse, top off, giving the full Putin! He's in better shape than his suits suggest," replied Linton as Eric Trump.
“I invited him to a party with stuffed tigers”
It’s been 20 months since the pranks came to an end, and a lot has changed for Linton.
“In some ways it's flown by, but in other ways it seems like I've done a hell of a lot,” he tells me over coffee in a busy London café.
But before he explains what he’s been up to since the pranks came to an end, I have to ask: who was the last person he pranked; the last hurrah? He’s unsure who exactly was the last, but among them was far-right social and political commentator Ann Coulter.
“Like a lot of things at the time, I didn't really have an idea of what I was going to do,” he says. “I think I had the intention of sending her a bizarre manuscript from this right-wing show that she was then going to comment on. And I was just going to make it hugely fancy.”
Although Linton successfully got her on the hook, he never got around to going through with that particular prank.
But one person he did follow through with at the end was businessman Robert Herjavec, who appeared in ABC’s Shark Tank.
"I invited him to a party with stuffed tigers,” Linton says, as though it’s the most normal thing in the world.
All good pranks must come to an end
As the pranks – which also claimed Steve Bannon and Katie Hopkins as victims – fizzled out, the media interest in SINON_REBORN’s true identity intensified. The Daily Mail was on his tracks, he recalls, sending journalists to haunt his ex’s house.
“I'd not lived there for six or seven years and she had really bad health. It was just causing a lot of stress really.”
In the end, Linton agreed to an interview with the Mail, fearing there was a “subtext” that they would dox him regardless of him agreeing to it.
“To be brutally honest, I just needed the money for that story,” he says. “That was the only reason I did it.”
For someone who has made a name for himself by being deceptive, Linton comes across as refreshingly honest – there’s none of the plastic, PR-polish that can sometimes come with senior executives.
Linton, burly, decorated with tattoos and sporting a shaved head, is a far cry from the pimply hoody-wearing teenager often portrayed in stock images of hackers.
But when the Mail story included pictures of his family, it came as a wake-up call. He decided to hang up his keyboard and find something new to direct his energy onto.
The road to Agari
In November 2017, a month after being unmasked, Linton told Buzzfeed that he was looking for a job in infosec. That call was answered by Markus Jakobsson, the then chief scientist at Agari, a cybersecurity firm that specialises in email protection.
“He'd obviously read my pranks and followed them,” says Linton.
Linton was taken on as a full-time contractor, working as a threat researcher, bringing his hands-on experience of email deception along with him. He’s been at the company ever since.
“In my eyes, it had been a success. I'd not got arrested, I had a bit of fun and I found something that I enjoyed and seemed to be quite good at.”
Linton’s days are still spent on email. Only now, he’s swapped the virtual company of the rich and the powerful for that of organised criminal scammer groups.
Much of his work is “digesting information” and carrying out “lots of open-source research”. Essentially, that means interacting with members of prolific scammer groups via email, gathering intelligence and trying to attribute crimes to individuals.
One of these groups, dubbed Scarlett Widow, actively targeted divorcees and disabled people on dating sites, scamming some victims out of tens of thousands of dollars via elaborate stories. It’s a widespread problem: the Federal Trade Commission recently revealed that romance scam victims reported losing $143m in 2018.
Another, London Blue, has a database of more than 50,000 business leaders to target with business email compromise (BEC) scams in an attempt to solicit fraudulent wire payments.
Phishing the phishers
One of the central goals for Agari is to create profiles of people carrying out these scams.
“A big part of attribution – especially with these gangs – is marrying up an email address with an identity,” Linton says.
“That is premium intelligence that you can hand on to law enforcement. It's something they can validate using their systems and is fairly irrefutable.”
However, taking legal action against scammers is very complex. First, there needs to be an actual crime reported for law enforcement to act – Agari having visibility of all of a scammer’s activity isn’t enough on its own. Often people are too embarrassed to report that they have been scammed, making it trickier still.
But there is progress. In one still ongoing and "very promising" project, Agari worked with the US secret service in South Africa on a case where Linton personally attributed the scammer's identity.
“It's weird that the people I would have looked to prank, like the secret service, I've actually been emailing in a professional capacity. That, to me, is slightly bizarre.”
And in June 2018, a huge cross-border effort saw the US arrest 74 people who had committed email scams. Out of those, 30 were from Nigeria, reflecting a long-standing trend observed by Agari and others.
The Nigerian scammer epidemic
The Nigerian Prince Scam, or 419 scam, in which a fraudster promises the target a share in a significant sum for a small up-front payment, is almost as old as the World Wide Web. Most people are savvy enough to spot this as a clear attempt at fraud.
But the email scams originating from Nigeria have evolved – and they do almost always originate from Nigeria, says Linton.
“We're only focused on the people perpetrating the crime,” he explains. “It just happens that, from what I've seen personally... 90% are Nigerian. But in some respects, if I was being brutally honest, it's in the high 90s. It's super rare that we see anything that contradicts that.”
And even when Agari finds BEC crimes committed outside of Nigeria, they still end up being of Nigerian origin. Agari’s figures back this up – nine out of 10 organised scammer groups are based in Nigeria.
"Having a background of being an outsider to infosec, I was expecting a lot more kind of Ukrainian cybercriminals, a few bedroom script kiddies from here there and everywhere, and so far we're just not finding them,” says Linton. “It seems to be such an epidemic that's stemming out of Nigeria."
But it is in Nigeria’s own interest to crack down on the problem and shake off the association.
“They're very enthusiastic about stopping it. If you're a law-abiding Nigerian trying to sign up to freelancer.com, the fact that you've got a Nigerian IP will probably get you blacklisted straight away,” he says.
Part of Linton’s job is to step into the shoes of the scammers. And that empathy means he understands why they carry out the email scams.
“I get why they justify it. It's a completely different world out there. When I go on Google Maps and put in an IP address of where an attack has come from, it looks like images of Beirut we used to see when it was being attacked years ago.
“I can see why highly educated people qualifying for university, no prospects of a job, just get sucked up by the Nigerian fraternities. Because everyone likes to be good at something and you've got to earn a living. I don't think they've got many options.”
Pattern spotting in the hunt for scams
Despite him having no formal training as a researcher, Linton and Agari are a match made in heaven. When carrying out the pranks, it was his attention to detail – a deliberate extra space before a full stop to imply the person was in a rush – that helped him trick so many high-profile figures.
That same attention to detail is lacking in many of the Nigerian scam emails. However, Linton’s eye for language and presentation helps him spot patterns that can help with building a profile of a scammer.
“I expected, when I started to interact with them, that it was going to be as tricky as it was with, say, the head of the Bank of England,” he says.
But the reality, he says, is that often they “appear to be so fired up that somebody’s responded to them” that you could press anything on the keyboard and they would still continue to push the conversation along.
“Social engineering can be extremely complex, but ultimately it's applied in a simplistic way. I'm not in this Bond-esque face off with somebody.”
While the transferable skills are evident, there are differences between his email pranks and infosec research.
For a start, the pranking was “very ego based”, whereas now he works as part of a team, where you “can’t have an ego”.
"There's a lot more forethought to the end result now, whereas with the pranking it was very much sitting in my pants with absolutely no planning and no goal."
But what he has always had, both as a prankster and threat researcher, is a “hyper-focus” that helps him direct his energy on a task.
“Throughout my whole life I've kind of had mental health issues,” he says. “But in some ways they've made me very good at certain things. If I'm immersed in something my tenacity just goes off the charts, which is why I became so good at the prankster stuff.”
And where he once got a thrill from tricking celebrities, he now gets that feeling from gathering information on cybercriminals.
"That's where before I've got the same sort of rush that I was seeking from the excitement of the pranks, that level of attribution."
SINON returns?
So, what advice does SINON_REBORN, the email-prankster-in-chief, give to people to defend against BEC?
“This is going to sound like a product sell,” he says, the understated honesty coming through again, “but my genuine answer is technology. That is the only way. Yes, you could personally do all the things that technology can do for you, but why spend two hours interrogating every email?”
But at an individual level, Linton recommends looking at language, never purchasing outside of official trading platforms and, of course, ensuring the email address and display name match.
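The display-name check Linton recommends can be automated at the mail gateway. The sketch below is an example added here, not Agari's tooling or anything from the interview: it compares the display name in a From header with a directory of names worth protecting, and also flags a display name that carries a different address from the real sender. The directory, the addresses and the function name `check_from` are assumptions made for illustration.

```python
import re
import unicodedata
from email.utils import parseaddr

# Constructed directory (assumption): protected display names mapped to the
# only addresses allowed to send mail under that name.
PROTECTED = {
    "jane doe": {"jane.doe@corp.example"},
    "finance team": {"finance@corp.example"},
}

def _norm(name: str) -> str:
    """Fold case and accents, collapse spacing and punctuation, so that
    trivial variations of a protected name still match the directory."""
    name = unicodedata.normalize("NFKD", name)
    name = "".join(c for c in name if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9]+", " ", name.casefold()).strip()

def check_from(from_header: str) -> str:
    """Return 'ok', 'display-name-mismatch' or 'embedded-address-mismatch'."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()

    # Case 1: the display name itself looks like an address, but not the
    # address the message was actually sent from.
    embedded = re.search(r"[\w.+-]+@[\w.-]+\.\w+", display)
    if embedded and embedded.group(0).lower() != addr:
        return "embedded-address-mismatch"

    # Case 2: a protected name is used with an address outside its allow-list.
    allowed = PROTECTED.get(_norm(display))
    if allowed is not None and addr not in allowed:
        return "display-name-mismatch"
    return "ok"

if __name__ == "__main__":
    # Constructed sample headers.
    for header in (
        "Jane Doe <jane.doe@corp.example>",
        '"JANE  DOE" <jd.office@freemail.example>',
        '"finance@corp.example" <pay@freemail.example>',
    ):
        print(f"{check_from(header):26} {header}")
```

Display names sent as RFC 2047 encoded words would need decoding before this comparison, and the check only covers names listed in the directory.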
Linton says he still has an “illustrious backlog of emails” that he never used, including Donald Trump Jr.'s personal email address ("I could have had a lot of fun with that with the Russian stuff").
But can we expect a return of SINON_REBORN?
Unfortunately, no.
“Stopping had to be a complete stop,” he says. “It was the only way I'd feel comfortable working in infosec.”
“It's not something I wish to go back to. I consider myself hugely lucky that I managed to meet up with a company that trusted me.
“I guess I've matured. Spring break was the pranks, and now I've gone back to school. And it's time for the hard work."