This is not the main point of the story, but my mom’s Gmail account was hacked. She blames me for this – I am in the security industry and I should have seen it coming and stopped the bad guys. She has a point and I intend to try harder from now on.
Naturally I was interested to know what the “vile criminals” had done with her account – aside from the phishing email I received. As with many others, the phishing attack seems to be the only action taken. The emails point to a “Google Docs” link and recipients are urged to “open the very important doc”, which requires their Gmail or other credentials. So nothing new… It seems my mother fell for a similar phishing attack a while back and that is how her account was accessed and abused. So the model is:
- Compromise a Gmail account
- (some time later…) Phishing attack
- Compromise more Gmail accounts
- (some time later…) More phishing attacks
I expected more creativity from the Internet underworld. So, what is to be done with all these Gmail accounts aside from using them to steal even more Gmail accounts? Enter a colleague of mine and his “HACKED GMAIL ACCOUNT TRUE STORY”. Background: said colleague is owner/founder of a small business with several employees.
As with mom, he was phished a few months back (he didn’t realize it at the time either). The compromised Gmail account is one he uses in addition to other work email accounts. The Gmail account name also probably attracted undue attention by ending “—–firstname.lastname@example.org”.
The phishers first accessed the account on the 16th of September and took a few hours to study emails, contacts, and general activity. Then they carefully selected only 2 contacts (from around 100) – the company financial controller “Steve”, and the account manager at the bank used by the business “Chris”.
Tuesday 17th at 14:00: Steve got this email:
Email text: “Afternoon, I need you to process out an urgent funds for me.”
This sort of email is not uncommon in my colleague’s business – obviously noticed by the fraudsters who had taken the time to study the Gmail account activity. The English is of course not perfect, but in an age of hastily tapped smartphone emails this is not unusual.
15:20 – Steve the financial controller was happy to oblige – the boss was out of the office so email was appropriate:
15:51 – At this point the fraudsters sent the transfer instructions for $12,000. The destination was a bank account in Australia. The account may itself have been compromised, or alternatively the account owner may have been functioning as a mule. I contacted National Australia Bank but received their standard “we will investigate” correspondence.
16:23 – Steve the financial controller: “Is this from —— account”
16:53 – Fraud dude replies impatiently: “yes it is and can you proceed with the wire”
18:59 – Steve the financial controller: “What is the purpose?”
19:15 – Steve the financial controller (again): “Are these AUS$ or US$?”
19:36 – Fraudulent imposter company owner: “AUS$”.
I’ll come back to the email exchange with the bank – but at around 9pm, Steve happened to meet his boss in person and asked him what the funds transfer was for. Of course my colleague had no idea what Steve was talking about – even if he had checked his email during the afternoon, all the emails in the account relating to the discussion had been quickly deleted by the fraudsters. Steve now understood what was going on and stopped communicating with the unknown 3rd party.
The parallel correspondence with Chris at the bank also started at 2 pm on Tuesday with a similar email:
16:23 â€“ Chris from the bank replied:
16:49 – Roughly an hour after sending the Australian bank information to Steve, the impersonator sent the same information to Chris the helpful account manager. At this point, the story should have turned in full favor of the cybercriminals – but this was just not their day:
17:03 – The reply from Chris at the bank: “Dear Mr. —, We will handle your request with priority tomorrow morning because the bank’s cut off time for today’s payments is already passed. Many thanks, Chris”.
17:08 – Fraudster responded with: “Thanks for the mail and get back to me with the wire confirmation so i can forward it to the beneficary and what time will you be sending out the wire transfer tomorrow cause i want the beneficary to recieve the wire tomorow lastest please advise.”
But they had missed their opportunity. A whole night would now pass and in that time Steve the financial controller would realize that the bank may have been contacted. So by Wednesday morning, Steve had contacted the bank and learned that they too had been in touch with the imposter. They were then instructed to ignore his further emails – and there were several.
9:23 on Wednesday morning:
12:12 â€“ a final attempt:
At this point the fraudster gave up. We assume that in the “fraud book of lessons learned” they added a line: “Start fraud process as early in the day as possible to avoid bank closing time foul-ups”.
Forensics revealed the attacker was from Nigeria. There was also account access from a Verizon IP address in the US which could either have been the same Nigerian user on a VPN, or some other underground element checking that the credentials were valid.
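The forensic detail above (a first access from Nigeria, then a check from a Verizon address, while the owner kept logging in from home) is exactly what Gmail’s “Last account activity” table shows, and a few lines of code can flag it. This is an added example, not part of the original post: the activity rows are constructed, the year and the owner’s home country (GB) are assumptions, and the IPs are documentation ranges.

```python
from datetime import datetime, timedelta

# Constructed rows in the shape of Gmail's "Last account activity" table:
# (time, IP, country, access type). Year and home country are assumed.
SAMPLE_ACTIVITY = [
    ("2013-09-12 08:05", "203.0.113.10", "GB", "Browser"),
    ("2013-09-13 19:40", "203.0.113.10", "GB", "Mobile"),
    ("2013-09-15 07:55", "203.0.113.11", "GB", "Browser"),
    ("2013-09-16 02:40", "198.51.100.7", "NG", "Browser"),  # first attacker access
    ("2013-09-16 03:15", "192.0.2.33", "US", "Browser"),    # credential check from a US line
    ("2013-09-16 08:10", "203.0.113.10", "GB", "Mobile"),   # owner, still unaware
    ("2013-09-17 13:58", "198.51.100.7", "NG", "Browser"),  # afternoon of the wire attempt
]


def parse(rows):
    """Turn the string rows into (datetime, ip, country, kind) tuples."""
    return [(datetime.strptime(t, "%Y-%m-%d %H:%M"), ip, cc, kind) for t, ip, cc, kind in rows]


def flag_suspicious_logins(rows, baseline_before, travel_window=timedelta(hours=6)):
    """Return (time, ip, reason) for logins that break the account's own baseline.

    The baseline is the set of countries seen strictly before `baseline_before`.
    Rule 1: a login from a country never seen in the baseline.
    Rule 2: two logins from different countries inside `travel_window`
            (nobody moves between Lagos and a US home line in 35 minutes).
    """
    events = sorted(parse(rows))
    known = {cc for t, _, cc, _ in events if t < baseline_before}
    flagged, prev = [], None
    for t, ip, cc, _kind in events:
        if cc not in known:
            flagged.append((t, ip, f"new country {cc}"))
        if prev and prev[2] != cc and t - prev[0] <= travel_window:
            flagged.append((t, ip, f"{prev[2]} -> {cc} within {t - prev[0]}"))
        prev = (t, ip, cc)
    return flagged


if __name__ == "__main__":
    for when, ip, why in flag_suspicious_logins(SAMPLE_ACTIVITY, datetime(2013, 9, 16)):
        print(f"{when:%Y-%m-%d %H:%M}  {ip:15}  {why}")
```

Run against real activity data, the same two rules would have raised an alert on the 16th, a full day before the first email to Steve went out.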
My colleague – very relieved, slightly amused, mildly horrified, and busy with many other things in his day-to-day life – did not get round to changing his password (astonishingly). So, two days later, a Google Docs phishing attack was sent to all contacts of the …email@example.com account and the cycle began again.
- Look after your email accounts (2 factor authentication, don’t open suspicious emails, etc.)
- Although it might be tempting to deal with money issues by email (especially in a small business), you should at least add some other verification process. My colleague now expects a phone call to confirm any money transfers.
And my mother has changed her Gmail password.