This article continues the series I began on LinkedIn and in my last blog, where I shared details of the hack on the TRC LinkedIn account and website. In this installment, I delve into the infection phase of the cyber attack that targeted me.
In mid-October of 2024, I began noticing a surge in marketing emails flooding my inbox. As a general practice, I use the unsubscribe links provided in such emails, and this has usually been effective. However, this time the same senders kept reappearing despite my efforts. I escalated to Gmail’s “Block sender” and “Report as spam” features, but the issue persisted.
Interestingly, many of these emails were from legitimate sources, some from well-known companies, and others from small Indian IT firms. When I analyzed them using ChatGPT and other tools, they appeared authentic. That said, the persistence and pattern of these emails raised red flags. It made me consider a more targeted approach, specifically, the possibility that someone had gained access to a legitimate email marketing platform and was embedding malicious payloads in unsubscribe links. If tailored to a single recipient, such a payload could easily evade detection. In a country like the Philippines, where the BPO industry is vast and complex, it’s not hard to imagine a scenario in which a subcontractor might unknowingly re-add email addresses to a campaign believing they were being helpful.
While I don’t believe my systems were infected via this method, it’s clear that someone may have been trying.
I suspect the phishing campaign was designed to target me personally, especially after a likely initial zero-click exploit attempt targeting my iPhone failed to compromise my computer systems. Fortunately, I had already segmented my phone from my other networks, limiting the blast radius. This may have forced the attacker to try alternative tactics.
One such tactic involved LinkedIn. I accepted a connection request from a sales representative based in Singapore. Soon after, I noticed odd behavior: LinkedIn claimed we had shared connections, but I couldn’t view them. Roughly 30 minutes later, our core network switches went offline in an unexplained outage. Post-event diagnostics revealed a configuration anomaly that may have contributed to the failure. While unrelated to the main issue, it was an odd coincidence.
Roughly a week later, during the November TTT session, another unusual event occurred. After clicking “Stop Recording,” the app continued to indicate that recording was still in progress. This struck me as suspicious. I immediately wiped that machine the next day and moved to a fresh device. That moment marked the beginning of a cycle of rotating devices to stay ahead of a possible compromise.
Until December 7th, my personal computer had remained untouched. That changed, ushering in a new phase of this security concern. I suspect my MacBook was compromised via a zero-click exploit, one that was later patched by Apple in January, and which manifested as iTunes launching unexpectedly.
The attack didn’t stop there. I later discovered a remote access trojan (RAT) embedded in Chrome and a cloned iPhone in use. It was a complex and aggressive campaign. Looking back, I’m genuinely surprised I made it through and was able to outmaneuver it.
As a result, I took direct action. I significantly increased budget investment in internal network security at the school and installed an enterprise-grade firewall at home. I also revisited my personal cybersecurity protocols. Most notably, I reinforced device segmentation, a strategy that may well have saved me. That said, I’ve since addressed the gaps where work and personal systems overlapped.
As of now, my systems remain stable. Since February, I’ve seen only a few anomalies such as strange SMS messages from Greece and Australia. Both times, my phone was in Lockdown Mode. In each case, I rebooted immediately, and no further intrusion occurred. While changing my number would be the most secure option, I’m trying to avoid that unless absolutely necessary.
What the Community Can Learn
What I experienced may soon become more common. The rise of AI has fundamentally changed the threat landscape, making attacks easier to automate, personalize, and scale. As these tools become more accessible, so too does the ability for malicious actors to craft highly targeted and sophisticated campaigns.
Schools are particularly vulnerable. Cybersecurity often receives minimal investment, and in many institutions, there’s no dedicated cybersecurity team, just an overstretched IT department trying to cover everything. This leaves significant gaps that attackers can and will exploit.
In our case, we’ve taken the step of investing in a managed Security Operations Center (SOC), an expensive but necessary decision. It’s part of a broader shift toward treating cybersecurity as a core pillar of operational resilience, not just an IT concern.
Here are a few small but meaningful steps any school can take to improve its security posture: