Proton

Earlier this week, investigative journalists at Bellingcat were targeted by a sophisticated phishing attack. As there has been some incorrect reporting about the incident, we are releasing a statement to provide clarification.

On July 24, investigative journalists at Bellingcat, which utilize Proton Mail to secure their communications, were targeted by a sophisticated phishing attack that attempted to steal their credentials to gain access to their Proton Mail accounts. Emails were sent to the targeted users claiming to be from the Proton Mail team, asking the targets to enter their Proton Mail login credentials.

The phishing attack did not succeed because of the vigilance of the targets and certain anti-phishing measures(ventana nueva) that Proton Mail has put in place due to the increased security needs of many of our users. A phishing attack targets users of a service and does not directly target the service itself. Some articles have incorrectly claimed that Proton Mail was hacked or compromised, but a phishing attack does not imply a compromise of the service in question. 

Proton Mail is unique in that attacking Proton Mail does not necessarily compromise user data, due to our usage of end-to-end encryption(ventana nueva) and zero-access encryption(ventana nueva). These technologies ensure that any user emails stored on our servers cannot be decrypted by us (or any third party). Generally speaking, only the owner of the mailbox has the ability to decrypt the mailbox. Consequently, the most practical way to obtain email data from a Proton Mail user’s inbox is by compromising the user, as opposed to trying to compromise the service itself. For this reason, the attackers opted for a phishing campaign that targeted the journalists directly.

Attribution of attacks is very difficult to determine. It is well established that Bellingcat is a frequent target of Russian military intelligence due to their prior activities, which have included linking the downing of flight MH17 to Russian forces, and identifying the Russian GRU agents responsible for the nerve agent attack on the Skripals on UK soil. The resources used in this phishing attack (such as the domain registrars and resellers) are also resources that have been used in the past in other cyberattacks conducted by Fancy Bear (also known as APT28), a Russian cyber espionage group which may be affiliated with the GRU. Thus, while it is not conclusively proven, the evidence (along with independent third-party assessments) seem to suggest an attack of Russian origin. A deeper technical analysis of the attack and its links to the Fancy Bear APT(ventana nueva) can be found here(ventana nueva).

We do know that the attack was highly targeted and specifically went after Bellingcat accounts. We have identified over a dozen fake Proton Mail domains that were registered by the attackers, some of which have not yet been used. The attackers attempted to redirect users to the fake domain mailproton.me, where a fake Proton Mail site was hosted in an attempt to trick the targets into entering their Proton Mail credentials. The fake domains were also registered through a domain registrar that allows anonymous registrations and bitcoin payments to make the attackers harder to track. 

Furthermore, the attackers attempted to exploit an unpatched vulnerability in an open source software that is widely used by email providers in an effort to bypass spam and abuse filters. We were previously aware of this vulnerability and have already been watching it for some time, but we will not disclose it here because the software in question is not developed by Proton Mail, and it has not yet been patched by the software maintainers. This vulnerability, however, is not widely known and indicates a higher level of sophistication on the part of the attackers.

Despite the level of sophistication of the attackers, phishing attacks against Proton Mail users generally fail because all official and/or automated emails from Proton Mail are clearly indicated with an Official badge in the Proton Mail inbox, and there is no way for an attacker to spoof this. This means that it is always possible to tell immediately if an email is fake or not. 

Immediately after observing the attack, we contacted registrars and webhosts around the world to ensure that all domains used in the attack are promptly suspended. We also worked with the Swiss Federal Police(ventana nueva) and MELANI(ventana nueva) to block the Swiss domain that was used in this attack. At present, there is not an ongoing law enforcement investigation into the incident, but we are of course conducting our own investigation.

Phishing attacks are the most common type of attack attempted against Proton Mail users. User security is our foremost concern, and we are continually enhancing and improving our detection and prevention systems to combat phishing. You can read this article on how to prevent phishing attacks(ventana nueva).

Best Regards,
The Proton Mail Team

About Proton Mail
Proton Mail is the world’s largest secure email service. Founded in Geneva in 2014 by scientists who met at the European Centre for Nuclear Research (CERN), Proton Mail protects over 10 million users, including journalists, activists, doctors, lawyers, businesses, and ordinary citizens who want email that is both safer and more private. Because messages are end-to-end encrypted, we cannot read your emails, sell your data to advertisers or compromise the privacy of your communications. Proton Mail is email as it should be — private and secure.

Get a free secure email (ventana nueva)account from Proton Mail.

We also provide a free VPN service(ventana nueva) to protect your privacy.

Proton Mail and Proton VPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan. Thank you for your support.

Update July 19, 2023: To avoid confusion, we removed references to Proton’s former anti-phishing measure of starring emails that came from us. While it was true when this article was published, Proton now uses an Official badge to let you know an email is legitimately from us.


Artículos relacionados

The cover image for a Proton blog, showing a phone screen with a lock logo and three password fields surrounding the phone
en
Here's what to look for when choosing an enterprise password manager to streamline collaboration and protect your organization's sensitive data.
en
  • Guías de privacidad
Learn how to unsend an email, how it’s useful for personal or business emails, and how Proton Mail can help.
Proton Mail and Proton Calendar winter product roadmap
en
  • Actualizaciones del producto
  • Proton Calendar
  • Proton Mail
Preview upcoming updates to Proton Mail and Proton Calendar, including performance boosts, new features, and enhanced privacy tools.
Gantt chart displaying Proton Drive plans and development of new features
en
  • Actualizaciones del producto
  • Proton Drive
Discover the tools, features, and improvements coming to Proton Drive’s secure cloud storage and document editor this winter and spring.
laptop showing Bitcoin price climbing
en
  • Guías de privacidad
Learn what a Bitcoin wallet does and the strengths and weaknesses of custodial, self-custodial, hardware, and paper wallets.
pixel tracking: here's how to tell which emails track your activity
en
Discover what pixel tracking is and how it works, how to spot emails that track you, and how to block these hidden trackers.