Phishing attack
Spiceworks community thread: https://community.spiceworks.com/t/phishing-attack/706766

hdd2018 (https://community.spiceworks.com/u/hdd2018), 2019-04-10 15:16 UTC:

Several of my users got hold of me today stating: "We got hacked!!!" They told me that they had received a peculiar email from the Director that reads:

Hello,

Please i need you to help me purchase an ITUNES GIFT CARD for my Niece 500$(100$ in 5pieces) today, It's her birthday but i can't do this I'm currently busy. You can get it from the store or Walmart, record it as Admin Expense. i might be busy just scratch and email me pic of the card.

Thank you

This email was sent from the Director's actual email address, and it seems odd: it has no links and no external address. I have seen other types of emails with actual email addresses requesting information, but I have instructed my users to ignore and delete them. In this particular case I have run a deep antivirus check, updated Windows, and gone over all the emails that might pose a threat, but everything seems under control, for now. Any ideas on how this email got regenerated? And has anybody dealt with something like this recently? I will provide more feedback if I encounter it again... Thanks
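As an added example for the question above (not part of the original post or of any reply), here is a header-triage script that separates a message that really left the director's mailbox from one that merely claims to, which is the first thing to settle before anyone resets passwords. It relies on the Authentication-Results stamped by the receiving mail system (Exchange Online Protection adds these) rather than on From/Reply-To alone: Reply-To can be set as freely as From, so a Reply-To or Return-Path pointing at another domain is reported as a finding, not as proof. The three header blocks, the domains example.com / exampple.com / gift-desk.example.net, the IP addresses and the X-MS-Exchange-Organization-AuthAs handling for intra-tenant mail are constructed or assumed for this example.

```python
"""Header triage: did the 'gift card' message really leave the director's
mailbox, or does it only claim to?

Added example, not code from the Spiceworks thread or any poster. Standard
library only. The header blocks are constructed: example.com is the victim
organisation, exampple.com and gift-desk.example.net belong to the attacker,
and every IP address and timestamp is made up.
"""
import re
from email.parser import HeaderParser
from email.utils import parseaddr

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def _domain(header_value):
    """Lower-cased domain of the first address in a header ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def edit_distance(a, b):
    """Levenshtein distance, to catch domaiin.com / domaain.com lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw_headers, org_domain):
    """Return (verdict, findings, origin_ip) for a raw header block.

    authentic: From is our domain and DMARC passed (or Exchange marked the mail
               internal), so the mailbox really sent it: treat the account as
               compromised, not spoofed.
    spoofed:   From is our domain but authentication did not pass.
    lookalike: From domain is within two edits of ours (domaiin.com).
    external:  From is some other domain.
    """
    msg = HeaderParser().parsestr(raw_headers)
    org_domain = org_domain.lower()
    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To")) or from_dom
    return_dom = _domain(msg.get("Return-Path"))
    auth = {k.lower(): v.lower() for k, v in
            AUTH_RE.findall(" ".join(msg.get_all("Authentication-Results", [])))}
    # Assumption: mail that never left an Exchange Online tenant may carry this
    # organisation header instead of DMARC results.
    internal = msg.get("X-MS-Exchange-Organization-AuthAs", "").strip().lower() == "internal"
    # Each hop prepends its own Received line, so the last one is the earliest hop
    # we can see; that IP is the one to run through blacklist / GeoIP lookups.
    received = msg.get_all("Received", [])
    m = IPV4_RE.search(received[-1]) if received else None
    origin_ip = m.group(1) if m else None

    findings = []
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if return_dom and return_dom != from_dom:
        findings.append(f"Return-Path domain {return_dom} differs from From domain {from_dom}")
    if not internal:
        for mech in ("spf", "dkim", "dmarc"):
            if auth.get(mech) != "pass":
                findings.append(f"{mech}={auth.get(mech, 'missing')}")

    if from_dom == org_domain:
        verdict = "authentic" if (auth.get("dmarc") == "pass" or internal) else "spoofed"
    elif 0 < edit_distance(from_dom, org_domain) <= 2:
        verdict = "lookalike"
        findings.append(f"{from_dom} is a lookalike of {org_domain}")
    else:
        verdict = "external"
    return verdict, findings, origin_ip


# Constructed sample 1: display-name spoof relayed from an unknown host.
SPOOFED = """\
Received: from mail.example.com (10.0.0.5) by mailbox.example.com; Wed, 10 Apr 2019 10:12:05 -0500
Received: from director-pc (unknown [203.0.113.45]) by mail.example.com; Wed, 10 Apr 2019 10:12:04 -0500
Authentication-Results: spf=fail (sender IP is 203.0.113.45) smtp.mailfrom=example.com; dkim=none; dmarc=fail action=none header.from=example.com
Return-Path: <admin@gift-desk.example.net>
From: "Director" <director@example.com>
Reply-To: <director.office@gift-desk.example.net>
To: user@example.com
Subject: Quick favor

"""
# Constructed sample 2: sent from the real mailbox (the situation in the thread).
AUTHENTIC = """\
Received: from EX2.example.com (10.0.0.7) by EX3.example.com; Wed, 10 Apr 2019 10:12:05 -0500
Received: from EX1.example.com (10.0.0.6) by EX2.example.com; Wed, 10 Apr 2019 10:12:04 -0500
Authentication-Results: spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass action=none header.from=example.com
Return-Path: <director@example.com>
From: "Director" <director@example.com>
To: user@example.com
Subject: Quick favor

"""
# Constructed sample 3: a freshly registered lookalike domain. It passes SPF/DKIM/DMARC
# because the attacker controls that domain, so authentication alone does not clear it.
LOOKALIKE = """\
Received: from mail.example.com (10.0.0.5) by mailbox.example.com; Wed, 10 Apr 2019 10:12:05 -0500
Received: from mx.exampple.com (198.51.100.9) by mail.example.com; Wed, 10 Apr 2019 10:12:04 -0500
Authentication-Results: spf=pass smtp.mailfrom=exampple.com; dkim=pass header.d=exampple.com; dmarc=pass action=none header.from=exampple.com
From: "Director" <director@exampple.com>
To: user@example.com
Subject: Quick favor

"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("authentic", AUTHENTIC), ("lookalike", LOOKALIKE)):
        verdict, findings, ip = triage(raw, "example.com")
        print(f"{label}: verdict={verdict} origin_ip={ip} findings={findings}")
```

Paste the message's full internet headers (in Outlook: File > Properties > Internet headers) into triage() with your own domain; an "authentic" verdict on a gift-card request means the account itself, not the mail path, is the problem, and the returned origin IP is the one to look up.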
rockn (https://community.spiceworks.com/u/rockn), 2019-04-10 15:21 UTC:

Are you sure it was from the director's email address and not something that looks extremely close to it? Anyone can spoof the name, and other addresses can also be spoofed if you don't have proper tools in place for verifying an email's server of origin. You might want to run your domain against some checks on MXtoolbox.com.

angelahuddleston4811 (https://community.spiceworks.com/u/angelahuddleston4811), 2019-04-10 15:26 UTC:

Are you using Office 365? If so, that email password needs to be changed ASAP. You also need to check for rules, both for moving certain incoming emails out of the inbox (and usually into the RSS Feeds folder) and for forwarding emails from certain addresses or with certain subject lines to an outside address.

Basically, the way the scam works is this. The hacker manages to find an O365 email account and password combo. They log in as that user to the O365 portal and use the online Outlook app to make changes. They set up a rule to move any response emails to the RSS Feeds folder, because people normally don't look there. They also set themselves up to have a copy of all emails, or just certain emails, forwarded to their own address. They compose the original email and send it out, moving the "sent" email from the Sent Items folder to the RSS Feeds folder. Then they wait for a response. They get the picture of the gift card, and they still have access to that person's email, with no one the wiser.

If you have Office 365, then it actually does have some security settings that you can set up to automatically alert you if someone sets up a rule to forward email to an address outside the organization. That's the fastest way to make sure that doesn't happen again.

If you're using on-site Exchange and it has OWA capability, you're still looking at the same type of thing.
I know you can set up a rule to notify you of the forwarding as well, but I don't know the format for it right off hand.

davidhoffman (https://community.spiceworks.com/u/davidhoffman), 2019-04-10 15:29 UTC:

Run the internet headers from one of the emails through MXtoolbox.com and see what it shows: Email Header Analyzer, RFC822 Parser - MxToolbox.

Often you will find one of the first IPs listed is on a blacklist... or I then run the IP address through a GeoIP lookup site (https://www.iplocation.net/) and you will find the IP in some other country (known for this stuff).

Also, check the spelling of the full email address... The fun one we had just last week: these guys will waste money on registering domain names. The day we got one like this, they had just registered a domain name with one extra letter in it to make it look like ours, as in domaiin.com. So I blocked the domain in O365 admin. A few days later, same email from a different version of the double-letter domain name, as in domaain.com. Blocked that one too... you scammers keep wasting money on domain registrations. LOL

gilnov6030 (https://community.spiceworks.com/u/gilnov6030), 2019-04-10 15:32 UTC:

Check the email headers to be sure whether or not the message came from the director's mailbox. If the "From" and "Reply-To" header fields don't match, it's just being spoofed, not hacked. Spoofing is where a bad guy sends a message that has false data in the "From" field. The Reply-To field is very hard to spoof, so if the two are different, your director hasn't been hacked.
If they are the same, reset the director's password and scan his computer for keyloggers, spyware and such.

This website will help you read the message headers more easily: https://testconnectivity.microsoft.com/

Click the "Message Analyzer" tab, paste the header in the box and click the "Analyze headers" button.

spiceuser-gm4wr (https://community.spiceworks.com/u/spiceuser-gm4wr), 2019-04-10 15:36 UTC:

Good answer, Angela. The only thing I would add is maybe send out a blast email to warn everyone about normal phishing emails (not sent from one of "your" email accounts). Chances are that the password got compromised through something asking for email login credentials or something of the sort. They nabbed the owner of our company with that too ¯\_(ツ)_/¯

hdd2018, 2019-04-10 15:46 UTC:

The email matches perfectly. The only things that seem out of place are the phone number and the fax number included in the signature... They're incorrect. The last two digits don't match our actual numbers.

rockn, 2019-04-10 15:51 UTC:

I would consider this a compromised account then. Change all of his/her passwords.
I would also look at any devices they may have that connect to their mailbox.

hdd2018, 2019-04-10 15:57 UTC:

Password has been changed!!! I'll definitely follow your advice...

rockn, 2019-04-10 16:20 UTC:

Some scammers also figure out how to set up an email that they control as a password recovery address. If you have that functionality within your systems, look there as well.

hdd2018, 2019-04-10 16:25 UTC:

Great stuff. Thanks

Another reply:

I think that incidents like this will become more and more common. Check breach status using "Have I Been Pwned".

Users must be informed about the types of emails that are typically associated with phishing attacks. This is a good read for some tips and tricks to avoid email phishing attacks.

SCAM OF THE WEEK: "The Boss Needs iTunes Gift Cards For Customers... NOW"
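The rules Angela describes the attacker leaving behind (replies moved to RSS Feeds, copies forwarded outside, the sent item hidden) can be turned into a check over an exported rule list, run against every mailbox rather than only the director's. This is an added example, not code from the thread or from Microsoft. It takes rule records using the property names Exchange's Get-InboxRule cmdlet reports (Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, MoveToFolder, DeleteMessage, MarkAsRead, SubjectContainsWords, BodyContainsWords), as you would get from Get-InboxRule -Mailbox <user> | ConvertTo-Json, plus the mailbox-level ForwardingSmtpAddress / ForwardingAddress from Get-Mailbox, which inbox rules do not show. The folder names, keyword list, sample rules and addresses are constructed for the example; the one-character rule name is a pattern seen in these compromises, not data from the thread.

```python
"""Review exported inbox rules for the persistence-and-hiding pattern behind
'the boss needs gift cards' mailbox compromises.

Added example, not code from the Spiceworks thread or from Microsoft. Rule
records use the property names Exchange's Get-InboxRule reports; the rules,
folder paths, names and addresses below are constructed for the example.
"""
import re

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Folders an attacker parks replies (and the original sent item) in so the
# mailbox owner never sees them. Assumed list; extend for your tenant.
HIDING_FOLDERS = ("rss feeds", "rss subscriptions", "deleted items", "junk email",
                  "archive", "conversation history")
# Words that target the victim's replies or a colleague's warning about the scam.
SUSPECT_WORDS = ("gift", "card", "itunes", "invoice", "payment", "wire", "bank",
                 "hacked", "phish", "scam", "password", "suspicious")


def _addresses(value):
    """SMTP addresses found in a string or list. Get-InboxRule renders a recipient
    as '"Name" [SMTP:user@domain]' and Get-Mailbox as 'smtp:user@domain'; both
    reduce to the bare address."""
    if value is None:
        return []
    if isinstance(value, (list, tuple)):
        return [a for item in value for a in _addresses(item)]
    return [m.lower() for m in EMAIL_RE.findall(str(value))]


def _external(addresses, internal_domains):
    internal = {d.lower() for d in internal_domains}
    return [a for a in addresses if a.rpartition("@")[2] not in internal]


def _words(rule, *keys):
    out = []
    for key in keys:
        value = rule.get(key) or []
        out.extend([value] if isinstance(value, str) else value)
    return [w.lower() for w in out]


def review_rule(rule, internal_domains):
    """Reasons this rule looks like attacker persistence or hiding; [] if clean."""
    if not rule.get("Enabled", True):
        return []  # a disabled rule does nothing; still read it in the raw export
    reasons = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in _external(_addresses(rule.get(key)), internal_domains):
            reasons.append(f"{key} sends mail outside the organisation: {addr}")
    folder = str(rule.get("MoveToFolder") or "")
    if any(h in folder.lower() for h in HIDING_FOLDERS):
        reasons.append(f"MoveToFolder hides mail in {folder!r}")
    if rule.get("DeleteMessage"):
        reasons.append("DeleteMessage is set")
    hits = [w for w in _words(rule, "SubjectContainsWords", "BodyContainsWords")
            if any(s in w for s in SUSPECT_WORDS)]
    if hits and reasons:
        reasons.append(f"conditioned on suspect words {hits}")
    elif hits and rule.get("MarkAsRead"):
        reasons.append(f"silently marks mail containing {hits} as read")
    return reasons


def review_rules(rules, internal_domains):
    """Map rule Name -> reasons for every rule that raised at least one."""
    flagged = {}
    for rule in rules:
        reasons = review_rule(rule, internal_domains)
        if reasons:
            flagged[rule.get("Name") or "<unnamed>"] = reasons
    return flagged


def review_forwarding(mailbox, internal_domains):
    """External targets of mailbox-level forwarding (Get-Mailbox
    ForwardingSmtpAddress / ForwardingAddress), which Get-InboxRule does not list."""
    addrs = _addresses(mailbox.get("ForwardingSmtpAddress")) + _addresses(mailbox.get("ForwardingAddress"))
    return _external(addrs, internal_domains)


# Constructed sample export for one mailbox (not real data). Rules named with a
# single character such as "." are easy to overlook in Outlook's rule list.
SAMPLE_RULES = [
    {"Name": ".", "Enabled": True, "SubjectContainsWords": ["gift card", "itunes", "hacked"],
     "MoveToFolder": "Director:\\RSS Feeds", "MarkAsRead": True},
    {"Name": "Copy", "Enabled": True,
     "ForwardTo": ['"Accounts" [SMTP:acct.director2019@example.net]']},
    {"Name": "Invoices", "Enabled": True, "SubjectContainsWords": ["invoice"],
     "MoveToFolder": "Director:\\Invoices"},
    {"Name": "Old forward", "Enabled": False, "RedirectTo": ["old.assistant@example.net"]},
]
SAMPLE_MAILBOX = {"ForwardingSmtpAddress": "smtp:acct.director2019@example.net",
                  "ForwardingAddress": None, "DeliverToMailboxAndForward": True}

if __name__ == "__main__":
    for name, reasons in review_rules(SAMPLE_RULES, ["example.com"]).items():
        print(f"rule {name!r}: " + "; ".join(reasons))
    print("mailbox forwarding:", review_forwarding(SAMPLE_MAILBOX, ["example.com"]))
```

A clean rule list is not a clean mailbox: a flagged rule should be removed, the password reset and existing sessions revoked together, and the account's recovery email and registered devices checked, as the replies above say, because the attacker still holds whatever they set up until every one of those is undone.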