Well, it happened. I woke up early one morning to a strange email from one of my customers. It didn’t look legitimate. I have never before received an email from this person asking me to review and sign documents.
I called John to see what was up. It looked as though this email went out to all 2000 contacts in his address book, and he did not send it. But it was in his sent folder and coming from his account. His email had been hacked. A hacker somewhere had John’s account information and was using his email to scam those in his contact list by duping them into logging in with their Microsoft Office 365 credentials.
First of all, we sent a company-wide email pleading with users not to click on the link within the first email (the “review document” link). Several people, however, had already clicked it.
Secondly, we blocked John’s O365 account, reset his password, and checked to see if any unwanted devices were associated with his account. There were. Microsoft uses cached passwords for emails. It usually takes a while for the password reset to propagate through the system (according to Microsoft, it can take up to an hour) and force you to re-enter credentials. Unfortunately, this bought the hacker some time to further confuse the situation. People were wary of “John’s” email and were responding with questions: “Is this email from you?”, “Did you intend to send me this?”, etc. The hacker was clever and set a rule to send all new email straight to the deleted folder. He was responding, “Yes, this email was intended for you.”
Thirdly: damage control. We were monitoring the sent folder and caught the hacker’s replies, which prompted phone calls to those who received a reply and spurred another mass email: “Please do not click on any links from John unless you have spoken to him directly.”
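The three steps above (lock the account, reset the password, look for unwanted devices and the rule that was hiding replies) can be scripted so they are not forgotten under pressure. The following is an added example, not part of Jeremy's post, written for Exchange Online PowerShell; it assumes the ExchangeOnlineManagement module is installed, that the operator has Exchange admin rights, and that the mailbox address and the rule name at the end are placeholders.

```powershell
# Added example (not from the original post): audit a compromised Office 365
# mailbox for attacker-created inbox rules and recently paired devices.
# Assumptions: ExchangeOnlineManagement module installed, Exchange admin role,
# and a placeholder mailbox address.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive admin sign-in

$Mailbox = 'john@example.com'   # placeholder for the compromised account

# Folders an attacker typically diverts replies into so the owner never sees
# the "Is this email from you?" questions (the post describes Deleted Items).
$HiddenFolders = @('Deleted Items', 'Junk Email', 'Archive', 'RSS Feeds', 'Conversation History')

# 1. Inbox rules: flag anything that deletes, hides, forwards or silences mail.
$Suspicious = foreach ($Rule in Get-InboxRule -Mailbox $Mailbox) {
    $Reasons = @()
    if ($Rule.DeleteMessage) { $Reasons += 'deletes messages' }
    if ($Rule.MoveToFolder) {
        foreach ($Folder in $HiddenFolders) {
            if ($Rule.MoveToFolder -like "*$Folder*") { $Reasons += "moves mail to '$($Rule.MoveToFolder)'" }
        }
    }
    if ($Rule.ForwardTo -or $Rule.ForwardAsAttachmentTo -or $Rule.RedirectTo) {
        $Reasons += 'forwards or redirects mail'
    }
    if ($Rule.MarkAsRead) { $Reasons += 'marks mail as read' }
    if ($Reasons.Count -gt 0) {
        [pscustomobject]@{
            Name    = $Rule.Name
            Enabled = $Rule.Enabled
            Why     = ($Reasons -join '; ')
        }
    }
}
Write-Host "Suspicious inbox rules on $Mailbox:"
$Suspicious | Format-Table -AutoSize

# 2. Devices paired with the mailbox: anything first synced around the
#    time of the phishing wave deserves a phone call to the owner.
Write-Host "Mobile devices associated with $Mailbox:"
Get-MobileDevice -Mailbox $Mailbox |
    Select-Object DeviceModel, DeviceOS, FirstSyncTime, DeviceAccessState |
    Sort-Object FirstSyncTime -Descending |
    Format-Table -AutoSize

# 3. Once the owner confirms a rule is not theirs, disable it rather than
#    delete it so the definition is kept as evidence. The name is a placeholder.
# Disable-InboxRule -Mailbox $Mailbox -Identity '<suspicious rule name>'

Disconnect-ExchangeOnline -Confirm:$false
```

Run the audit before the password reset propagates, since the post notes that cached credentials can keep the attacker's session alive for up to an hour; a hidden rule found here is the signal that replies to the mass email are being intercepted.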
After that everything simmered down.
How did this hacker get John’s credentials?
- Using the same password for everything
- Zoom security breach (most likely)
Once he obtained the passwords from Zoom, he could probe important accounts like Microsoft and Google.
What could have prevented this?
- 2FA: “Two Factor Authentication”
  - It’s a small pain but very necessary in today’s modern IT world.
- Calling or texting the sender directly
  - Don’t verify a suspicious email the same way it was sent.
You don’t think this will happen to you, do you? Do you use Zoom? Did you use the same password as your email password? If you did, then it’s in a database somewhere waiting for a hacker to try.
My example was a phishing scheme, but it could have been worse. It could have been ransomware.
Be careful out there.
Jeremy

P.S. What is 2FA? It’s a safe way to authenticate a user’s account. It involves using a password plus a PIN code on another device. After you enter your password, the program requests a code that is sent to your phone via text, for example. Contact Robintree to update your system-wide security measures.