
Cyber Incident Victim: San Francisco Exploratorium Museum

Date:

Sep 2016

Location:

United States of America

Summary

A spear-phishing attack compromised an employee's email account at the San Francisco Exploratorium Museum after the victim entered credentials on a fraudulent login page. The attacker monitored communications for three days before deleting the account's contact list, diverting incoming emails to trash, and distributing tailored phishing emails to colleagues—some of whom subsequently fell victim by submitting their own credentials. Suspicion arose due to a misspelled document title in the malicious emails, prompting internal alerts and password resets. Over 50 staff clicked the phishing link, and subsequent weeks saw repeated unauthorized attempts to access email accounts despite mitigation efforts.

CIA Posture: Available to members

Motives: 1 motive

Tactics, Techniques & Procedures: 1 technique

Threat Actors: 0 actors

Type: Available to members

Location: Available to members

Description

On September 6, 2016, an employee at San Francisco's Exploratorium Museum received a spear-phishing email appearing to originate from a legitimate mailing list she had subscribed to. The email contained a link purportedly leading to a shared document. Upon clicking the link, the employee encountered a counterfeit Google login page where she entered her Gmail credentials, unknowingly transmitting them to attackers operating from Nigeria. The threat actor then covertly monitored the compromised account for three days, studying the employee's email communications and contact list. On September 9, the attacker executed three coordinated actions: deleting the victim's entire contact list, configuring email rules to automatically redirect all incoming messages to the trash folder, and distributing new spear-phishing emails to all colleagues in the employee's address book. These follow-up phishing messages attempted to lure recipients to another fraudulent Google login page by promising access to a document titled "Explratorium Report," which contained a conspicuous misspelling of the institution's name.


The phishing campaign was initially detected when colleagues noticed grammatical errors and the misspelled museum name in the fraudulent emails, inconsistencies unlikely to originate from an actual employee. However, the attacker's earlier email redirection rules prevented the victim from receiving any warnings, as colleagues' alert messages were automatically moved to trash. The breach was only confirmed when a coworker physically approached the employee to report suspicious activity. Exploratorium IT staff responded by issuing organization-wide security alerts, resetting the compromised Gmail password, and implementing account recovery procedures. Forensic analysis revealed that 54 employees had clicked the malicious links, though the exact number who subsequently entered credentials remained unconfirmed. In the following weeks, attackers repeatedly attempted to log in to museum email accounts, triggering repeated security alerts. These ongoing intrusion attempts created operational disruptions and heightened anxiety among staff, described by IT personnel as analogous to receiving a notification every time someone tried old keys on a re-locked house. The incident caused sustained email system instability and required extended security monitoring despite containment efforts.

Sources
Sources available to members
1 source