A popular secure e-mail provider, ProtonMail, may have recently hacked back against scammers who were operating a phishing site that presented itself as ProtonMail in order to steal user credentials, such as login names and passwords. ProtonMail is based in Switzerland and was created in 2013 by researchers from CERN and MIT. The company offers both free and paid accounts; all accounts use end-to-end encryption, and e-mails exchanged between ProtonMail users are encrypted with PGP by default. Earlier this year the company brought its e-mail service to the darknet by setting up a Tor hidden service for ProtonMail. The company bills itself as the world’s largest encrypted e-mail provider.
The phishers sent e-mails to ProtonMail users with a fake warning about an overdue invoice, urging the recipient to pay it by clicking a link to a site the phishers had made to mimic the ProtonMail login page. One ProtonMail user, who goes by x0rz on Twitter, tweeted a screenshot of the phishing e-mail they received. The message tried to scare users into paying the “overdue invoice” by threatening to shut down their ProtonMail account within 7 days if it was not paid. ProtonMail replied to x0rz’s tweet of the screenshot. “We also hacked the phishing site so the link is down now,” ProtonMail tweeted in its response. Shortly after ProtonMail posted this incriminating reply, the tweet was taken down. x0rz had managed to capture a screenshot of ProtonMail’s reply before it was deleted and tweeted that screenshot as well, but removed it after ProtonMail requested that he take it down.
Hacking back against an attacker or phisher can be illegal. In Switzerland there is a law against hacking, passed in the early 1990s and called the Federal Act on Data Protection, although there have been few prosecutions under it. The company operates under Swiss law and the laws of the European Union. In 2013 the European Parliament voted to make hacking a crime carrying a prison sentence of 2 years. In the United States, hacking back could violate the Computer Fraud and Abuse Act of 1986, as well as other federal laws such as wiretapping statutes. Earlier this summer, lawmakers in Congress introduced the Active Cyber Defense Certainty Act (ACDC), a bill which would amend the Computer Fraud and Abuse Act of 1986 to allow the victims of cybercrimes to hack back against an attacker.
ProtonMail says its tweet was removed because it “was fueling unsubstantiated rumors and speculation about what may or may not have happened. For reasons that you can probably understand, we do not really comment on the record regarding phishing attempts, and we cannot confirm nor deny if anything happened,” a representative of ProtonMail told Motherboard. The representative added that the company was glad the phishing link was no longer online and that the owner of the server had been able to get the assistance they needed to secure it.
In June, ProtonMail launched its own Virtual Private Network (VPN) service, known as ProtonVPN. The company offers paid VPN accounts as well as free ones; however, there is a waiting list for those who wish to get a free VPN account. The company cited several threats to internet freedom around the world as a primary motivation for launching the new service. In a press release issued at the launch, ProtonVPN pointed to the threats to internet freedom and privacy posed by Theresa May and the UK’s Conservative Party; the British government subsequently also suggested it may seek to weaken the encryption used in popular messaging apps. Another issue behind the company’s decision was the Trump administration’s move to reverse net neutrality rules, which the company sees as a threat to internet freedom.