Stolen Gmail account – $24,000 attempted fraud

This is not the main point of story, but my mom’s Gmail account was hacked. She blames me for this – I am in the security industry and I should have seen it coming and stopped the bad guys. She has a point and I intend to try harder from now on.

Naturally I was interested to know what the “vile criminals” had done with her account – aside from the phishing email I received. As with many others, the phishing attack seems to be the only action taken. The emails point to a “Google Docs” link and recipients are urged to “open the very important doc” requiring their Gmail or other credentials. So nothing new… It seems my mother fell for a similar phishing attack a while back and that is how her account was accessed and abused. So the model is:

• Compromise a Gmail account
• (some time later…) Phishing attack
• Compromise more Gmail accounts
• (some time later…) More phishing attacks
• etc.

I expected more creativity from the Internet underworld. So, what is to be done with all these Gmail accounts aside from using them to steal even more Gmail accounts? Enter a colleague of mine and his “HACKED GMAIL ACCOUNT TRUE STORY”. Background: said colleague is owner/founder of a small business with several employees.

As with mom, he was phished a few months back (he didn’t realize it at the time either). The compromised Gmail account is one he uses in addition to other work email accounts. The Gmail account name also probably attracted undue attention by ending “—–[email protected]”.

The phishers first accessed the account on the 16^th of September and took a few hours to study emails, contacts, and general activity. Then they carefully selected only 2 contacts (from around 100) – the company financial controller “Steve”, and the account manager at the bank used by the business “Chris”.

Tuesday 17^th at 14:00: Steve got this email:

Email text: “Afternoon, I need you to process out an urgent funds for me.”

This sort of email is not uncommon in my colleague’s business –obviously noticed by the fraudsters who had taken the time to study the Gmail account activity. The English is of course not perfect, but in an age of hastily tapped smartphone emails this is not unusual.

15:20 – Steve the financial controller was happy to oblige – the boss was out of the office so email was appropriate:

15:51 – At this point the fraudsters sent the transfer instructions for $12,000. The destination was a bank account in Australia. The account may itself have been compromised, or alternatively the account owner may have been functioning as a mule. I contacted National Australia Bank but received their standard “we will investigate” correspondence.

16:23 – Steve the financial controller: “Is this from —— account”

16:53 – Fraud dude replies impatiently: “yes it is and can you proceed with the wire”

18:59 – Steve the financial controller: “What is the purpose?”

19:15 – Steve the financial controller (again): “Are these AUS$ or US$?”

19:36 – Fraudulent imposter company owner: “AUS$”.

I’ll come back to the email exchange with the bank – but at around 9pm, Steve happened to meet his boss in person and asked him what the funds transfer was for. Of course my colleague had no idea what Steve was talking about – even if he had checked his email during the afternoon all the emails in the account related to the discussion were quickly deleted by the fraudsters. Steve now understood what was going on and stopped communicating with the unknown 3^rd party.

The parallel correspondence with Chris at the bank also started at 2 pm on Tuesday with a similar email:

16:23 – Chris from the bank replied:

16:49 – Roughly an hour after sending the Australian bank information to Steve, the impersonator sent the same information to Chris the helpful account manager. At this point, the story should have turned in full favor of the cybercriminals – but this was just not their day:

17:03 – The reply from Chris at the bank: “Dear Mr. —, We will handle your request with priority tomorrow morning because the bank’s cut off time for today’s payments is already passed. Many thanks, Chris”.

17:08 – Fraudster responded with: “Thanks for the mail and get back to me with the wire confirmation so i can forward it to the beneficary and what time will you be sending out the wire transfer tomorrow cause i want the beneficary to recieve the wire tomorow lastest please advise.”

But they had missed their opportunity. A whole night would now pass and in that time Steve the financial controller would realize that the bank may have been contacted. So by Wednesday morning, Steve had contacted the bank and learned that they too had been in touch with the imposter. They were then instructed to ignore his further emails – and there were several.

9:23 on Wednesday morning:

12:12 – a final attempt:

At this point the fraudster gave up. We assume that in the “fraud book of lessons learned” they added a line: “Start fraud process as early in the day as possible to avoid bank closing time foul-ups”.

Forensics revealed the attacker was from Nigeria. There was also account access from a Verizon IP address in the US which could either have been the same Nigerian user on a VPN, or some other underground element checking that the credentials were valid.

My colleague – very relieved, slightly amused, mildly horrified, and busy with many other things in his day-to-day life, did not get round to changing his password (astonishingly). So, two days later, a Google Docs phishing attack was sent to all contacts of the …[email protected] account and the cycle began again.

Lessons learned:

• Look after your email accounts (2 factor authentication, don’t open suspicious emails, etc.)
• Although it might be tempting to deal with money issues by email (especially in a small business), you should at least add some other verification process. My colleague now expects a phone call to confirm any money transfers.

And my mother has changed her Gmail password.