We were alerted yesterday that one of our customers in Goldsboro, North Carolina had been targeted in a very sophisticated and elaborate phishing scam. Phishing is fraud in which the attacker tricks a victim into believing they are communicating with a legitimate company, in order to steal sensitive data such as passwords, financial data, or anything else that benefits the attacker.
As we understand the situation, the fraudster contacted our customer masquerading as one of the customer's own clients. When our unsuspecting customer tried to download an attachment, they were asked to enter their Microsoft login details to open the file. Once they did, it took only seconds for a pre-programmed bot the fraudster already had in place to log in to our client's Microsoft account and download everything it could before Microsoft notified the customer of a suspicious login.
This kind of breach is among the most dangerous because one Microsoft account is tied to everything on the computer and everything connected to that account, including, on many machines, the login to the PC itself, now that Windows steers users toward signing in to the PC with that same online Microsoft account rather than a local one.
There are further implications. Because Outlook is also tied to your Microsoft account, and the login details for our mail servers are saved in Outlook, this breach could also have become a breach of our mail server, limited to the customer's own email account. That would have given the fraudster access to every email the customer had ever sent to their clients.
Soon after the breach, which the customer had not yet noticed, the fraudster registered a domain name that mimicked the customer's own. Imagine for a moment that your company's domain name were "google.com" and the fraudster registered "google.co", then began emailing your customers while pretending to be you. The sophistication of this attack was far greater than any breach we have been told about to date, and we have seen some very sophisticated breaches at local businesses right here in Goldsboro.
The fraudster painstakingly mimicked everything about the company, down to the owner's habit of copying his son on every email. Of course, the son never received those copies, because they were addressed to "sons-name@google.co".
After two weeks of building trust with our customer's customers, the fraudster made their move and began asking that invoices be paid by ACH debit. One of those customers contacted our customer to ask why they could no longer pay their invoices by check. The jig was up when our customer learned that emails were being received that he had never sent.
That is the point at which I was called. The customer believed their email had been hacked. We quickly traced the incident back to the Microsoft account compromise from the phishing email, and found that our own mail servers had held: even with the username and password saved in Outlook, the attacker could not log in to them. Instead of sending from our mail server as the customer, they had to resort to registering their own domain name to send email from.
We want people to understand exactly how these scams work. As you have read, paying close attention to the domain name is the best defense against phishing of any kind. Today it is very hard to deliver email that claims to come from a domain without that domain's authorization, because of SPF records, DKIM signatures, and DMARC policies published in DNS: SPF tells receiving mail servers which IP addresses are allowed to send for the domain, DKIM lets them verify a signature on the message, and DMARC tells them what to do when those checks fail. Note what these checks do not do. They prove that a message really came from "google.co"; they do not prove that "google.co" is who you think it is. A fraudster who registers a lookalike domain and sets up SPF and DMARC on it passes every one of these checks, which is exactly why the attacker in this case registered one. Our servers are equipped with these features as well as errant-login detection that blocks logins falling outside the norms of a customer's usual geographic locations. This proved a valid defense, which is why the fraudster was unable to log in with the customer's credentials. We are well aware that customers have complained about the minor inconvenience this has occasionally caused, but this feature paid off in a big way over the past few weeks.
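To make the SPF and DMARC point concrete, here is an added example, written for this article rather than taken from Tarheel Media's servers or any mail product, that evaluates a sending IP against a constructed DNS table. The domains, addresses and records are made up (documentation-range IPs); the SPF evaluator handles only the ip4, ip6 and all mechanisms (a real one also resolves include:, a, mx and redirect= over DNS), and DKIM is left out, so only SPF alignment feeds the DMARC verdict. The third case is the one that matters for this story: a lookalike domain with its own correct records passes every check.

```python
import ipaddress

# Constructed DNS TXT records standing in for live lookups. Every name and
# address here is made up for this example (documentation-range IPs).
DNS_TXT = {
    "example-customer.com": ["v=spf1 ip4:203.0.113.10 ip4:203.0.113.11 -all"],
    "_dmarc.example-customer.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-customer.com"],
    # The fraudster's lookalike domain publishes its own, perfectly valid records.
    "example-customer.co": ["v=spf1 ip4:198.51.100.7 -all"],
    "_dmarc.example-customer.co": ["v=DMARC1; p=none"],
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    for txt in DNS_TXT.get(domain, []):
        if txt.startswith("v=spf1"):
            return txt
    return None


def spf_check(domain, client_ip):
    """Evaluate the SPF subset ip4:/ip6:/all for one connecting IP.

    Mechanisms that need further DNS work (include:, a, mx, redirect=) are
    skipped here; a real evaluator resolves them recursively.
    """
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            # 'in' is simply False on an IPv4/IPv6 mismatch, so no exception here.
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # record exhausted without a match


def dmarc_tags(domain):
    """Parse _dmarc.<domain> into a tag dict, or None if no policy is published."""
    for txt in DNS_TXT.get("_dmarc." + domain, []):
        if txt.startswith("v=DMARC1"):
            return dict(tag.strip().split("=", 1) for tag in txt.split(";") if "=" in tag)
    return None


def evaluate_message(header_from_domain, mail_from_domain, client_ip):
    """Combine SPF, alignment and the DMARC policy into a receiver's disposition."""
    spf = spf_check(mail_from_domain, client_ip)
    # Relaxed alignment simplified to 'same domain or a subdomain'. RFC 7489
    # compares organizational domains, which needs a public-suffix list.
    aligned = (header_from_domain == mail_from_domain
               or header_from_domain.endswith("." + mail_from_domain)
               or mail_from_domain.endswith("." + header_from_domain))
    tags = dmarc_tags(header_from_domain)
    if tags is None:
        disposition = "none"                   # no policy: receiver decides alone
    elif spf == "pass" and aligned:
        disposition = "pass"
    else:
        disposition = tags.get("p", "none")    # what the domain owner asked for
    return {"spf": spf, "aligned": aligned, "dmarc": disposition}


if __name__ == "__main__":
    # Legitimate mail from the customer's own server: pass.
    print(evaluate_message("example-customer.com", "example-customer.com", "203.0.113.10"))
    # A direct forgery of the customer's domain from the fraudster's server: reject.
    print(evaluate_message("example-customer.com", "example-customer.com", "198.51.100.7"))
    # The lookalike domain from that same fraudster server: every check passes.
    print(evaluate_message("example-customer.co", "example-customer.co", "198.51.100.7"))
```

The second and third calls come from the same attacker IP. SPF and DMARC stop the forgery of "example-customer.com" outright, and do nothing at all about "example-customer.co", because the fraudster owns that domain and published honest records for it. The only defense left at that point is a reader who notices the missing letter.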
In hindsight, it is always worth going over what went right and what went wrong; the after-action review is something I became well acquainted with during my time in the US Army. This could have happened to anyone, and the likelihood of it happening to you in the future is far higher than you think: treat it as a certainty. Don't think about "if it happens"; think about "when it happens". In this case the customer made the right call to get help, and that should be your first step. When you contact us, we will step you through the following process, the same process our company policy lays out for a breach of our own:
STOP THE BREACH
Change passwords, log out unauthorized users, and secure every account. Nothing else matters until this is done. I cannot stress enough how important it is to secure the breach before anything else: until you shut off the attacker's access to your company, everything that follows just has to be repeated. For a Microsoft account in particular, changing the password alone is not enough. Sign out of all active sessions so that tokens the bot already holds stop working, and check the mailbox for forwarding and inbox rules the attacker may have added to keep receiving your email after the password change.
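Deciding which sessions to kill first means reading the sign-in log, and the errant-login check described earlier in this article is the same signal. The following is an added example for this article, not Tarheel Media's detection code or anything from Microsoft: it runs two geographic rules over a constructed sign-in export (the users, IPs, countries and times are made up) and lists the user and source address pairs whose sessions should be revoked first. A real deployment would also weigh the client application and ASN, and should treat a corporate VPN as an expected location.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in export, shaped like the columns a Microsoft 365 sign-in
# log carries (time, user, source IP, country, result). Example data only.
SIGNIN_LOG = """\
2024-03-04T08:02:11Z,owner@example-customer.com,203.0.113.25,US,Success
2024-03-05T08:10:43Z,owner@example-customer.com,203.0.113.25,US,Success
2024-03-06T07:58:02Z,owner@example-customer.com,203.0.113.25,US,Success
2024-03-07T09:14:20Z,owner@example-customer.com,203.0.113.25,US,Success
2024-03-07T09:14:52Z,owner@example-customer.com,198.51.100.7,DE,Success
2024-03-07T09:15:30Z,owner@example-customer.com,198.51.100.7,DE,Success
2024-03-07T12:40:00Z,bookkeeper@example-customer.com,203.0.113.26,US,Success
2024-03-07T13:05:09Z,bookkeeper@example-customer.com,192.0.2.44,FR,Failure
"""


def parse_signin_log(text):
    """Turn the CSV export into dicts with a real datetime for sorting."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split(",")
        rows.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                     "user": user, "ip": ip, "country": country, "result": result})
    return rows


def find_errant_logins(rows, travel_window=timedelta(hours=1)):
    """Flag successful sign-ins that fall outside a user's geographic norm.

    Rule 1: the country has never been seen for this user (a user's very first
            sign-in is exempt, since there is no baseline yet).
    Rule 2: 'impossible travel': a different country from the user's previous
            trusted sign-in, less than travel_window later.
    Flagged sign-ins do not extend the baseline, so the attacker's second login
    is still flagged instead of being silently accepted as the new normal.
    """
    seen_countries = defaultdict(set)
    last_trusted = {}
    alerts = []
    for row in sorted(rows, key=lambda r: r["time"]):
        if row["result"] != "Success":
            continue  # failures matter for other rules (password spraying), not this one
        user = row["user"]
        reasons = []
        if seen_countries[user] and row["country"] not in seen_countries[user]:
            reasons.append("new country " + row["country"])
        prev = last_trusted.get(user)
        if prev and prev["country"] != row["country"] and row["time"] - prev["time"] <= travel_window:
            reasons.append("impossible travel from " + prev["country"])
        if reasons:
            alerts.append({"user": user, "time": row["time"].isoformat(),
                           "ip": row["ip"], "reasons": reasons})
            continue
        seen_countries[user].add(row["country"])
        last_trusted[user] = row
    return alerts


def sessions_to_revoke(alerts):
    """Distinct (user, source IP) pairs to sign out first when stopping the breach."""
    return sorted({(a["user"], a["ip"]) for a in alerts})


if __name__ == "__main__":
    found = find_errant_logins(parse_signin_log(SIGNIN_LOG))
    for alert in found:
        print(alert)
    print(sessions_to_revoke(found))
```

On the constructed log, both logins from 198.51.100.7 trip both rules: the owner had never signed in from that country, and the second login came 32 seconds after a login from the United States. The bookkeeper's foreign attempt is a failure and is ignored here, which is the right call for this rule but not for a brute-force rule.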
ALERT YOUR CUSTOMERS
It is not only the right thing to do; it is the law. Tell your customers that you experienced a data breach and exactly what information you suspect could have been obtained. Even if there is the slightest chance a credit card number was taken, those customers need to hear "your financial data may have been exposed". In a situation like the one described in this article, education is the best defense and the only immediate way of stopping it: customers who know how to identify a phishing email take away the fraudster's ability to phish them.
ALERT AUTHORITIES
The North Carolina Attorney General's office has a hotline specifically for this: 1-877-5-NO-SCAM
ALERT SERVICE PROVIDERS
Filing abuse reports and DMCA takedowns with the fraudster's registrar and hosting provider cuts off any further progress. In addition to the normal abuse report, we include a letter of preservation, which notifies the fraudster's service provider to preserve all data associated with that account before deleting it, in case the NC Department of Justice prosecutes. We will file these for our customers, especially where we have active contracts on hand, since those give us the authority to do so (a limited, quasi power of attorney in these situations).
Note: in this case our timely abuse reports and DMCA takedowns resulted in a total shutdown of the fraudster's domain in less than 6 hours.
REGISTER SIMILAR DOMAINS
In this case, registering the .co variant of the domain name ahead of time would have outright prevented this attack on our customer and their customers. Covering the common variants might cost around $200 per year, far cheaper than the liability this could have caused. We are more than willing to sit down with any customer and go through the variants that should be registered. Bear in mind that nobody can register every possible misspelling, so defensive registration works alongside, not instead of, teaching staff and customers to read the sender's domain.
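The "google.co" trick described earlier and the list of variants worth registering are two sides of the same problem, so here is one added example for both, written for this article and not code from Tarheel Media or any registrar. It generates the lookalike domains for a trusted domain (TLD swaps, dropped, doubled or transposed letters, homoglyphs, hyphen removal) and then scans a constructed message's From, Reply-To and Cc headers for any address whose domain is a lookalike rather than the real thing, which is how "sons-name@google.co" would have been caught. The trusted domain, the message and the TLD list are assumptions; the TLD list is a starting point, not an exhaustive one.

```python
import email
from email import policy

# Trusted partner domains to protect. Constructed: the customer's real domain
# is not named in the article.
TRUSTED_DOMAINS = ["example-customer.com"]

# Character swaps that read the same in many fonts.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "m": "rn", "w": "vv"}

# Top-level domains worth watching (assumption: a starting list). '.co' is the
# one from this incident; '.cm' and '.om' are '.com' with one letter dropped.
ALT_TLDS = ["co", "cm", "om", "net", "org", "us", "info", "biz"]

# Constructed message of the kind the fraudster sent: the owner's address, the
# son copied in, and new payment instructions, all on the lookalike domain.
RAW_MESSAGE = b"""\
From: Owner <owner@example-customer.co>
To: billing@partner.example
Cc: Son <son@example-customer.co>
Reply-To: owner@example-customer.co
Subject: Updated remittance instructions
Message-ID: <20240307.1@example-customer.co>

Going forward, please pay invoices by ACH debit rather than check.
"""


def lookalike_variants(domain):
    """Generate lookalike candidates for one domain: TLD swaps, dropped,
    doubled or transposed letters, homoglyphs, and hyphen removal."""
    name, _, tld = domain.lower().rpartition(".")
    variants = set()
    for alt in ALT_TLDS:
        variants.add(f"{name}.{alt}")
    for i in range(len(name)):
        variants.add(f"{name[:i]}{name[i + 1:]}.{tld}")            # omission
        variants.add(f"{name[:i]}{name[i]}{name[i:]}.{tld}")      # repetition
        if name[i] in HOMOGLYPHS:
            variants.add(f"{name[:i]}{HOMOGLYPHS[name[i]]}{name[i + 1:]}.{tld}")
    for i in range(len(name) - 1):
        swapped = name[:i] + name[i + 1] + name[i] + name[i + 2:]
        variants.add(f"{swapped}.{tld}")                           # transposition
    variants.add(f"{name.replace('-', '')}.{tld}")
    variants.discard(domain.lower())
    return variants


def sender_domains(raw_message):
    """(header, domain) for every address in the headers a recipient should read."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    for header in ("From", "Reply-To", "Cc"):
        for value in msg.get_all(header, []):
            for addr in value.addresses:
                found.append((header, addr.domain.lower()))
    return found


def flag_lookalikes(raw_message, trusted_domains):
    """Return (header, domain, trusted_domain) for each address whose domain is a
    lookalike of a trusted domain without being that trusted domain itself."""
    trusted = {d.lower(): lookalike_variants(d) for d in trusted_domains}
    flagged = []
    for header, domain in sender_domains(raw_message):
        if domain in trusted:
            continue
        for real, variants in trusted.items():
            if domain in variants:
                flagged.append((header, domain, real))
    return flagged


if __name__ == "__main__":
    print(sorted(lookalike_variants(TRUSTED_DOMAINS[0]))[:10], "...")
    for hit in flag_lookalikes(RAW_MESSAGE, TRUSTED_DOMAINS):
        print("lookalike in %s: %s (looks like %s)" % hit)
```

The same variant list serves both purposes: run it once to decide which names to register, and keep it in the mail filter so that anything arriving from the names you did not register is flagged for a human before an invoice gets paid.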
EDUCATE YOUR EMPLOYEES
As I said about alerting your customers, education is key, and not just for your customers. Ensuring that your employees know how to identify a phishing email removes the most common attack vector and substantially reduces the risk of future breaches of any kind. We are happy to offer a proactive service to spot-check your employees with a controlled phishing email: one that does not legitimately represent your company and leaks no data, other than alerting someone in your company that a particular employee was tricked and needs training on how to identify these emails.
If you have any questions on this article or on how best to secure your company in data breaches, please visit our support center or call 919-648-1333 option 1.
Copyright Notice EXCLUSIVE to this article: All content and photos in this article may be copied for the purpose of news, awareness, or education so long as it is clear that MLW & Associates, LLC, Tarheel Media’s parent company maintains the copyrights.