By Connor Stokes
Answer: EMAIL SCAM

First, solvers are presented with a page asking for their email address. When solvers submit a real address, an email is sent to that account.

The email contains a link to a login page, prompting the puzzler for an email address and password. However, when registering, the puzzler only provided an address, no password. If they click on the “Forgot password?” link, they're presented with a couple of security questions: “What is the first name of your best friend?” and “What was the last name of your favorite teacher?”

At this point, solvers need to take note of the original email sent to them. The email's To: field was addressed to o@amchicago.com, and the email mentions an “aha moment,” a phrase widely credited to Oprah Winfrey. The email is implying that the recipient is in fact Oprah, so they should answer the security questions as though they were her. Oprah’s best friend and the name of her favorite teacher are both matters of public record.

After resetting the password, they’ll be sent an email with their new password, QueenOfAllMedia, which they can use to log in with the email address o@amchicago.com.

When solvers enter Oprah’s fake email address into the email field on the login page, an “image key” will appear as a blank data URI base64 image. The image appears blank because the data URI actually contains a private key for PGP, a common method of email encryption. If the solver logs in as Oprah, they will be shown her piece of the puzzle, which looks like some gibberish characters. These characters are in fact a message encrypted using PGP.

Using publicly available tools, such as this one, solvers can decrypt this message assuming they know the passphrase and private key. The passphrase is their new password QueenOfAllMedia, and the private key is hidden in the “image key” data URI. After decrypting Oprah’s piece of the puzzle, solvers will get the letters RZ.
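One way to confirm that the “image key” is not really an image, as an added example that is not part of the original puzzle or its site: decode the data URI and compare the payload with the image type it declares. The function name and the sample URI are constructed for illustration; the sample holds only an armor header and footer, with no key material.

```python
import base64
import binascii
import re
from urllib.parse import unquote_to_bytes

# Leading bytes of common image formats, keyed by the MIME type that should declare them.
IMAGE_MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
ARMOR = re.compile(rb"-----BEGIN PGP ([A-Z ]+)-----")
DATA_URI = re.compile(r"data:([^;,]*)((?:;[^;,]*)*),(.*)", re.DOTALL)


def inspect_data_uri(uri):
    """Decode a data: URI and report whether the payload matches its declared type."""
    m = DATA_URI.fullmatch(uri.strip())
    if not m:
        raise ValueError("not a data: URI")
    mime = (m.group(1) or "text/plain").lower()
    params = [p.lower() for p in m.group(2).split(";") if p]
    if "base64" in params:
        try:
            payload = base64.b64decode(re.sub(r"\s+", "", m.group(3)), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"bad base64 payload: {exc}") from exc
    else:
        payload = unquote_to_bytes(m.group(3))
    magics = IMAGE_MAGIC.get(mime, ())
    armor = ARMOR.search(payload)
    return {
        "declared": mime,
        "size": len(payload),
        # None means the declared type is not an image format this table knows.
        "matches_declared": any(payload.startswith(x) for x in magics) if magics else None,
        "pgp_block": armor.group(1).decode() if armor else None,
    }


# Constructed sample: armor header and footer only, with no key material inside.
FAKE_ARMOR = b"-----BEGIN PGP PRIVATE KEY BLOCK-----\n\n(placeholder)\n-----END PGP PRIVATE KEY BLOCK-----\n"
SAMPLE_URI = "data:image/png;base64," + base64.b64encode(FAKE_ARMOR).decode()

if __name__ == "__main__":
    print(inspect_data_uri(SAMPLE_URI))
```

A payload that declares `image/png` but fails the magic-byte check and contains a PGP armor header is text posing as an image, which is why the browser renders it as blank.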

After logging in as Oprah, solvers will actually be sent another email titled “Puzzling Activity On Your Account,” which alerts them to an unauthorized login to their account by another person and encourages them to reset their password. This email is actually addressed to saxman92@whitehouse.gov, and part of the copy implies the recipient is Bill Clinton. By answering his security questions, they can reset his password, log in as him, and get a new piece of the puzzle. This process repeats for 6 different famous people who have security questions with varying degrees of trickiness:

The last puzzle piece is a direction, “Concatenate then ROT13 for your answer.” If you concatenate the other pieces you get RZNVYFPNZ, which is the answer EMAIL SCAM in ROT13.