I got a text message, then a call last week. Both were from the same customer. “Dan, I think my account has been hacked,” was the message. “What do I do now?” The customer went on to say that he figured out his account had been hacked when he began getting calls from people, asking him why he’d sent them a message about an overdue invoice.
I was in the car, so I told the customer to unplug from the Internet and scan his computer right away. Once I got to a computer, I changed his account password. As I continued to work with the customer, I began to see how this successful phishing attack happened.
First Comes the Phish
Jim (not his real name) told me that he had recently received a message and clicked on the link in the message. He wasn’t sure what happened next but thought that maybe he’d given up his username and password by accident.
As we checked the security logs, we determined that someone accessed the account around the time Jim clicked on that link, September 17th. First there were some unsuccessful attempts to access Jim’s account from IP addresses in Asia. Seven hours later, there were successful logins from Europe. Five hours later, there were more successful logins from Africa. It’s possible the IP address locations were spoofed. It’s also possible that Jim’s account credentials were by then in some dark web database and being exploited.
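The sign-in pattern above (a burst of failures, then successes from two other regions in the same day) is exactly what a small shop can spot in an exported sign-in log without any fancy tooling. Here is an added example of that check in Python; it is not code from the post or from Microsoft. The records, the year, the user names and the IP addresses are constructed, and the country codes are assumed to have been added by a GeoIP lookup in whatever tool exported the log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (not from the post): three failures from one region,
# then successes from two other regions within twelve hours. Year, names and
# addresses (IANA documentation ranges) are made up; "country" is assumed to have
# been filled in by a GeoIP lookup when the log was exported.
SIGN_INS = [
    {"time": "2019-09-17T08:00:00", "user": "jim@example.com", "ip": "203.0.113.10", "country": "CN", "ok": False},
    {"time": "2019-09-17T08:01:00", "user": "jim@example.com", "ip": "203.0.113.10", "country": "CN", "ok": False},
    {"time": "2019-09-17T08:03:00", "user": "jim@example.com", "ip": "203.0.113.11", "country": "CN", "ok": False},
    {"time": "2019-09-17T15:00:00", "user": "jim@example.com", "ip": "198.51.100.5", "country": "NL", "ok": True},
    {"time": "2019-09-17T20:00:00", "user": "jim@example.com", "ip": "192.0.2.77",   "country": "NG", "ok": True},
    {"time": "2019-09-17T09:00:00", "user": "ann@example.com", "ip": "192.0.2.1",    "country": "US", "ok": True},
]


def find_suspicious_signins(events, window_hours=24, fail_threshold=3):
    """Return one finding per (user, rule) for two simple heuristics:
    1. at least `fail_threshold` failures followed by a success within the window;
    2. successful sign-ins from more than one country within the window.
    Geolocation is a heuristic (addresses can be proxied), so treat hits as
    leads to investigate, not proof of compromise."""
    window = timedelta(hours=window_hours)
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(dict(e, ts=datetime.fromisoformat(e["time"])))

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        successes = [e for e in evs if e["ok"]]
        failures = [e for e in evs if not e["ok"]]

        # Rule 1: a password-guessing burst that eventually got in.
        for s in successes:
            prior = [f for f in failures if timedelta(0) <= s["ts"] - f["ts"] <= window]
            if len(prior) >= fail_threshold:
                findings.append({
                    "user": user,
                    "rule": "failures-then-success",
                    "detail": f"{len(prior)} failures before success from {s['country']} ({s['ip']})",
                })
                break

        # Rule 2: successes from several countries inside one window (impossible travel).
        for i, s in enumerate(successes):
            later = [t for t in successes[i:] if t["ts"] - s["ts"] <= window]
            countries = sorted({t["country"] for t in later})
            if len(countries) > 1:
                findings.append({"user": user, "rule": "multi-country", "detail": ", ".join(countries)})
                break
    return findings


if __name__ == "__main__":
    for f in find_suspicious_signins(SIGN_INS):
        print(f"{f['user']}: {f['rule']} -> {f['detail']}")
```

Run against the constructed log, it flags Jim twice (the failure burst before the first success, and successes from NL and NG inside 24 hours) and leaves Ann alone. The thresholds are deliberately low for a small organization where a handful of users make the noise manageable.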
Next Come the Outlook Rules
The next step in this successful phishing attack occurred when the Bad Guy created some Outlook rules designed to hide their activity. Clearly, they were planning to use Jim’s account for some time. The Bad Guy created rules to
- Delete sent messages
- Delete any undeliverable messages
- Send any replies to an obscure folder
- Forward all messages to (presumably) the Bad Guy’s Gmail account
Jim’s account had been hacked for a week before he noticed. And he only noticed when people started asking him why he was sending them a note about a past due invoice (Jim doesn’t work in Accounts Receivable). These Inbox rules hid any signs that something was wrong.
In fact, when we looked at Jim’s RSS Feeds folder, we found a thread between him and the Office Manager, asking that a $20,000 invoice be paid right away. The initial request and all the replies were tucked away in a folder Jim would never look at. Fortunately, the Office Manager didn’t fall for the scam.
The Final Step: Deliver the Payload (Rinse and Repeat)
When I ran a message trace on Jim’s account, I found that the account had sent out 430 messages over the prior 48 hours. The Bad Guy spammed Jim’s entire contacts list with a phishing message with the subject “60day Past Due Invoice.” (If you’ve been to any of my security training sessions, you’ll recognize the subject line as trying to create a sense of urgency for the victim to open the message.) We don’t know whether the messages were attempts to get money, spread more malware, or both.
Lessons to be Learned from a Successful Phishing Attack
Jim works for a small company. They have no IT staff and run on a lean budget. How can a company like this protect itself from a successful phishing attack?
- One of the best protections is to adopt Multi-Factor Authentication (MFA). This remains the best way to stop most phishing attacks. MFA requires “something you have” as well as “something you know.” It may be easy to acquire your password (something you know). It’s much harder to acquire or tap into your mobile phone (something you have).
- Set an alert that notifies an Administrator whenever an Outlook rule is created that forwards mail outside the organization. Seeing and reacting to such an alert would have stopped this successful phishing attack much sooner.
- Get smart about phishing attacks. Train users to recognize the signs that an email may be suspect.
- Protect users from themselves. Services like Office 365’s Advanced Threat Protection can “sandbox” URLs found in an email, preventing the user from following a bad link.
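The four rules the Bad Guy created (delete sent mail, delete bounces, bury replies in a folder, forward everything outside the company) and the alert recommended above are two sides of the same check. The example below is an added one, not code from the post or from Microsoft: it reads exported Office 365 audit records for New-InboxRule / Set-InboxRule and flags the same tricks. The records are constructed, and their shape (an Operation, a UserId, and a Parameters list of Name/Value pairs, in the style of Exchange cmdlet audit entries) is an assumption about the export format; adjust the field names if your export differs.

```python
import json
import re

# Domains that count as "inside the organization" (constructed).
ORG_DOMAINS = {"example.com"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Folders a user almost never opens, so mail moved there is effectively hidden.
HIDEAWAY_FOLDERS = {"rss feeds", "rss subscriptions", "junk email", "conversation history", "archive"}

# Constructed audit records (not from the post). The shape assumed here, Operation +
# UserId + Parameters[{Name, Value}], mirrors Exchange cmdlet audit entries; the
# addresses and timestamps are made up.
AUDIT_RECORDS = [
    json.dumps({"CreationTime": "2019-09-17T15:05:00", "Operation": "New-InboxRule", "UserId": "jim@example.com",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "ForwardTo", "Value": "someone@gmail.com"},
                               {"Name": "StopProcessingRules", "Value": "True"}]}),
    json.dumps({"CreationTime": "2019-09-17T15:06:00", "Operation": "New-InboxRule", "UserId": "jim@example.com",
                "Parameters": [{"Name": "Name", "Value": ".."},
                               {"Name": "SubjectContainsWords", "Value": "undeliverable"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2019-09-17T15:07:00", "Operation": "New-InboxRule", "UserId": "jim@example.com",
                "Parameters": [{"Name": "Name", "Value": "Invoice"},
                               {"Name": "SubjectContainsWords", "Value": "invoice"},
                               {"Name": "MoveToFolder", "Value": "jim@example.com:\\RSS Feeds"}]}),
    json.dumps({"CreationTime": "2019-09-18T09:00:00", "Operation": "New-InboxRule", "UserId": "ann@example.com",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "MoveToFolder", "Value": ":\\Inbox\\Newsletters"},
                               {"Name": "ForwardTo", "Value": "team@example.com"}]}),
    json.dumps({"CreationTime": "2019-09-18T09:30:00", "Operation": "UserLoggedIn", "UserId": "jim@example.com",
                "Parameters": []}),
]


def _params(record):
    """Flatten the Parameters list into a name -> string value dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def review_rule(record, org_domains):
    """Return the list of reasons an inbox-rule record deserves a look (empty if none)."""
    params = _params(record)
    reasons = []
    for name in FORWARD_PARAMS:
        for addr in EMAIL_RE.findall(params.get(name, "")):
            if addr.rsplit("@", 1)[1].lower() not in org_domains:
                reasons.append(f"{name} sends mail outside the organization ({addr})")
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage silently discards matching mail")
    folder = params.get("MoveToFolder", "")
    if re.split(r"[:\\]", folder)[-1].strip().lower() in HIDEAWAY_FOLDERS:
        reasons.append(f"MoveToFolder buries mail in '{folder}'")
    rule_name = (params.get("Name") or params.get("Identity") or "").strip()
    if len(rule_name) <= 2:
        reasons.append(f"rule name {rule_name!r} is blank or a single character")
    return reasons


def audit_inbox_rules(raw_records, org_domains):
    """Parse JSON audit records and return findings for suspicious rule changes."""
    findings = []
    for raw in raw_records:
        record = json.loads(raw)
        if record.get("Operation") not in RULE_OPERATIONS:
            continue
        reasons = review_rule(record, org_domains)
        if reasons:
            findings.append({"user": record.get("UserId"), "when": record.get("CreationTime"),
                             "operation": record["Operation"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_inbox_rules(AUDIT_RECORDS, ORG_DOMAINS):
        print(f"{f['when']} {f['user']} {f['operation']}: " + "; ".join(f["reasons"]))
```

On the constructed records this flags all three of Jim’s rules (external forward to Gmail plus a one-character name, the delete rule for bounces, and the move of “invoice” threads into RSS Feeds) and passes Ann’s legitimate newsletter rule, which forwards only inside the organization. Run something like this daily over the previous day’s audit export and the alert in the list above becomes a five-minute task instead of a week-long blind spot.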
Organizations of all sizes are potential victims of a successful phishing attack. In fact, smaller organizations are lately being targeted for these attacks, because they lack the resources to prevent them or fend them off. These simple steps can help any organization better defend itself against phishing attacks. Don’t wait to start adopting them!